The return of the Mirai botnet

David Strom 27 Nov 2020

News on the (malicious) gift that just keeps on giving

Remember Mirai? This four-year-old botnet was the scourge of the internet and served as the launching pad for numerous DDoS attacks. Back in 2016, the botnet disrupted a German ISP, Liberia’s entire internet connection, a DNS provider’s services (now owned by Oracle), and Brian Krebs’ website.

It was unique because it had collected more than 24,000 IoT devices, including webcams, numerous home routers and other embedded devices. Its size was also significant: when Krebs was targeted, it was the largest series of DDoS attacks to date, with five separate events directing more than 700 billion bits per second of traffic at his web server.

Since those days, Mirai has continued to gain notoriety. Its source code was released on GitHub shortly after these first attacks in 2016, where it has been downloaded thousands of times and has formed the basis of DDoS-as-a-service offerings for criminals. Months later, Krebs described how he uncovered the true identity of the leaker. We blogged about it back in 2018, when Avast researchers came across a new strain called Torii. It had more stealth components and was used to steal information rather than to coordinate DDoS attacks. Torii also expanded the botnet’s sources beyond IoT devices to include a wide range of operating systems and chipsets. Eventually, three Mirai authors were fined and given five years of probation, partly because they cooperated with prosecutors in thwarting other attacks.

The latest on Mirai

Mirai is still around and being used for new nefarious purposes. Last year, researchers found an Echobot variant, which is notable in that it packages together 71 different exploits, more than a dozen of which had never been used previously. A post on ZDNet back in March described a variant called Mukashi that was exploiting Zyxel network-attached storage devices. (The company quickly released a firmware patch.) In July, other researchers found a new vulnerability in a collection of Linux-based routers. Then, in October, two new vulnerabilities were discovered that demonstrated how Mirai could take advantage of the network time service. Four new variants were found that use command injection to download shell scripts onto the targeted device. These variants were classic Mirai in that the exploited devices were used as part of DDoS botnet attacks.

Clearly, Mirai is the gift that just keeps on giving.

Recommended mitigations

There are several things that business IT managers can do to blunt the force of Mirai, or indeed of any DDoS attack. First off, here are some recommended DDoS attack mitigation strategies that are worth reading. Avast Omni is also a powerful tool for protecting against IoT-based attacks. You should also be sure to change factory default passwords on all network equipment, as unchanged default passwords are what have allowed Mirai to recruit so many IoT webcams and routers.
