The Mirai botnet is a famous Internet of Things (IoT) botnet and one of the largest botnets of its time. It first emerged in September 2016 and was used to perform massive Distributed Denial of Service (DDoS) attacks against various targets.
Mirai is an example of botnet malware. Botnet malware infects a computer and opens a command and control (C2) channel to an attacker’s C2 infrastructure. This allows the attacker to send commands to the botnet malware, which executes them using the resources of the infected machine. With many infected devices, botnets are able to perform large-scale automated attacks such as DDoS or credential stuffing.
Mirai is a form of malware that specifically targets IoT devices, taking advantage of the relatively poor state of IoT security. In fact, Mirai exploits the fact that many of these devices are deployed with their default, weak usernames and passwords. With a short list of the default usernames and passwords for various IoT devices, Mirai was able to log in via Telnet and install itself on hundreds of thousands of IoT devices at its peak.
Botnet malware is commonly designed to be self-spreading as well. In Mirai’s case, its primary infection vector was logging into vulnerable IoT devices using Telnet. As a result, Mirai bots performed regular scans for vulnerable targets accessible via Telnet and delivered the malware to any that they identified.
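The spreading behaviour described above leaves a recognisable trace on the network: a single infected host opens connections to port 23 or 2323 on many different addresses within seconds. The following detector is an added example written for this page (it is not Check Point's code or Mirai's), replaying a few constructed firewall-style log lines and flagging any source whose Telnet-port fan-out crosses a threshold inside a sliding time window. The log format, field order and thresholds are assumptions chosen for the example.

```python
"""Flag Mirai-style Telnet scanning in connection logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports a Mirai-style spreader probes when looking for Telnet services.
TELNET_PORTS = {23, 2323}

# Constructed sample lines: "<ISO timestamp> <src> <dst> <dport> <action>".
# 198.51.100.7 touches six different hosts on Telnet ports in two seconds;
# the other sources are ordinary traffic or a single probe.
SAMPLE_LOG = """\
2016-09-20T10:00:01 198.51.100.7 192.0.2.10 23 SYN
2016-09-20T10:00:01 198.51.100.7 192.0.2.11 2323 SYN
2016-09-20T10:00:02 198.51.100.7 192.0.2.12 23 SYN
2016-09-20T10:00:02 198.51.100.7 192.0.2.13 23 SYN
2016-09-20T10:00:03 198.51.100.7 192.0.2.14 23 SYN
2016-09-20T10:00:03 198.51.100.7 192.0.2.15 2323 SYN
2016-09-20T10:00:05 203.0.113.4 192.0.2.10 443 SYN
2016-09-20T10:00:06 203.0.113.4 192.0.2.10 443 SYN
2016-09-20T10:00:07 203.0.113.9 192.0.2.20 23 SYN
2016-09-20T10:30:00 198.51.100.7 192.0.2.30 23 SYN
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport, action)."""
    ts, src, dst, dport, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), action


def telnet_scanners(log_text, fanout=5, window=timedelta(seconds=60)):
    """Return {src: max_distinct_targets} for every source that contacted at
    least `fanout` distinct hosts on a Telnet port within any `window` span.

    A sliding window keeps a burst of probes from being diluted by the same
    host's unrelated connections hours later."""
    events = defaultdict(list)  # src -> [(timestamp, dst)] on Telnet ports only
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, _ = parse_line(line)
        if dport in TELNET_PORTS:
            events[src].append((ts, dst))

    flagged = {}
    for src, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until it spans at most `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= fanout:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    for src, targets in telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {targets} distinct Telnet targets in one window")
```

The late probe from 198.51.100.7 at 10:30 does not count toward the earlier burst because it falls outside the 60-second window; the source is still flagged on the strength of the first six connections. In practice the same logic runs over flow records or firewall logs, and a flagged internal source is a strong sign that a device on the network has already been infected and is now spreading.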
Botnets can be used for a variety of different purposes. Any attack that can be automated — such as a DDoS or credential stuffing attack — can be scaled up significantly by having hundreds or thousands of bots perform it in parallel.
Mirai is an example of a botnet that specializes in DDoS attacks. In its early days, it was used to perform DDoS attacks against Minecraft servers for the purpose of extortion. Since then, Mirai has been used to perform high-profile attacks against a variety of organizations. One high-profile attack against Dyn, a widely used DNS provider, resulted in a significant portion of the Internet being unreachable for the duration of the attack.
The range of uses for Mirai expanded dramatically when its source code was publicly leaked in September 2016. With access to the source code, other cybercriminals could adapt the highly successful botnet malware to create their own botnets: pointing the malware at their own C2 infrastructure so that they could direct its attacks, adding new infection mechanisms, or adding capabilities such as credential stuffing, cryptojacking, or other automated attacks.
Mirai poses multiple threats to organizations and individuals. The first originates from the main purpose of the Mirai botnet, which is to perform DDoS attacks. A massive botnet targeting a service with a DDoS attack has a high probability of taking that service down unless it has robust anti-DDoS protections in place.
The Mirai threat was exacerbated by the public leak of its source code. Several modern IoT botnets are descendants of Mirai that tweaked the source code to meet their owners’ goals. These botnets pose a wider range of threats to organizations since they can be used for credential stuffing, cryptojacking, and other attacks beyond DDoS campaigns.
Finally, Mirai poses a threat to the owners of vulnerable IoT devices. The malware uses these devices’ computational power and network bandwidth to perform DDoS attacks. However, its access to these systems could also be abused to spy on their owners or to perform other attacks against them.
Mirai, like many other botnets, takes advantage of weaknesses in IoT device security. Some best practices for protecting against Mirai and its descendants include the following:
Mirai and other DDoS botnets pose a significant risk to the availability of corporate services and systems. A large-scale DDoS attack against an organization can overwhelm it with more traffic than it can handle, rendering it unavailable to legitimate users.
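What distinguishes a botnet-driven flood from a single misbehaving client is that the excess traffic is spread across many source addresses, so per-source rate limiting alone does not catch it. The script below is an added example for this page (not Check Point's product logic or Mirai's code): it replays constructed request-log lines and reports, for each destination, the peak one-second request count together with the number of distinct sources behind it. The log format and both thresholds are assumptions chosen for the example.

```python
"""Classify a traffic burst as distributed or single-source (added example)."""
from collections import defaultdict


def build_sample():
    """Constructed log: "<epoch second> <src> <dst>", one request per line.

    192.0.2.50 sees one request per second as baseline, then 40 requests in
    second 100 from 40 different addresses (a distributed flood).
    192.0.2.70 sees 25 requests in second 105 from one address.
    192.0.2.60 sees a single request."""
    lines = []
    for t in range(90, 100):
        lines.append(f"{t} 203.0.113.{t - 89} 192.0.2.50")
    for i in range(40):
        lines.append(f"100 198.51.100.{i + 1} 192.0.2.50")
    for _ in range(25):
        lines.append("105 203.0.113.88 192.0.2.70")
    lines.append("100 203.0.113.77 192.0.2.60")
    return "\n".join(lines)


def flood_report(log_text, rate_threshold=20, source_threshold=10):
    """Return {dst: (peak_second, requests, distinct_sources, verdict)}.

    verdict is "distributed-flood" when the peak second crosses both the
    request-rate and distinct-source thresholds, "single-source-flood" when
    only the rate threshold is crossed, and "normal" otherwise."""
    per_sec = defaultdict(lambda: defaultdict(list))  # dst -> sec -> [src]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        sec, src, dst = line.split()
        per_sec[dst][int(sec)].append(src)

    report = {}
    for dst, seconds in per_sec.items():
        peak = max(seconds, key=lambda s: len(seconds[s]))
        requests = len(seconds[peak])
        sources = len(set(seconds[peak]))
        if requests >= rate_threshold and sources >= source_threshold:
            verdict = "distributed-flood"
        elif requests >= rate_threshold:
            verdict = "single-source-flood"
        else:
            verdict = "normal"
        report[dst] = (peak, requests, sources, verdict)
    return report


if __name__ == "__main__":
    for dst, (sec, reqs, srcs, verdict) in flood_report(build_sample()).items():
        print(f"{dst}: {reqs} req/s from {srcs} sources at t={sec} -> {verdict}")
```

The single-source burst against 192.0.2.70 is the case a simple per-client rate limit handles; the burst against 192.0.2.50 is the botnet case, where no individual source exceeds one request per second and only the aggregate view reveals the attack. Real thresholds should be derived from the service's measured baseline rather than fixed constants.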
Check Point’s Quantum DDoS Protector enables companies to filter DDoS traffic at scale, blocking DDoS attacks and enabling legitimate users to access corporate resources and services. To learn more about your organization’s exposure to automated attacks, take Check Point’s free DDoS bot analyzer scan.