What was the Mirai botnet?

What is Mirai botnet attack? Is Mirai still a threat? Learn more about this type of malware and its cyberthreat impact.


Also for WindowsiOSAndroidChromebook and For Business

What is the Mirai botnet?

In late 2016 in France, telecom company OVH was hit by a distributed denial-of-service (DDoS) attack. Experts were struck by how the assault was 100 times larger than similar threats. The following month, over 175,000 websites suffered, as Dyn, a managed DNS (Domain Name System) provider, was hit by another powerful DDoS attack. Much of the eastern United States and some of Europe suffered a significant drop in Internet quality.

Some hacking groups like Anonymous and New World Hackers claimed responsibility in retaliation for WikiLeaks founder Julian Assange being cut off from the Internet by the Ecuadorian government. However, American officials and security firms cast doubt on these claims. One thing was for sure. The weapon behind these attacks was the Mirai botnet malware.

The timing couldn’t have been worse. With the American elections around the corner, there were fears that the malware would impact voters. Experts speculated that the malicious software was the handiwork of a rogue state intent on manipulating the democratic process.

They couldn’t have been further from the truth.

Who created the Mirai botnet?

Three young men named Paras Jha, Dalton Norman, and Josiah White created Mirai as part of a Minecraft scam. Their initial goal was to run an extortion scheme by taking down Minecraft servers and start a protection racket. After Internet user “Anna-senpai,” who investigators believe is an alias for Paras Jha, published the source code for Mirai online, the botnet mutated.

How did Mirai botnet get its name?

Mirai is a Japanese given name that means “future.” According to a chatlog between Anna-senpai and Robert Coelho, an executive at ProxyPipe.com, the Mirai botnet was named after the Japanese animated series Mirai Nikki.

How does Mirai spread?

Let’s answer some burning questions like “What is a DDoS attack?”, “What is a botnet?”, and
What is IoT?” before explaining how the Mirai botnet spread.

A botnet is a network of hijacked computers under the control of a threat actor, typically called a bot herder. The network of computers, or bots, runs an automated script to perform a task.

Botnets don’t always serve bad actors. For example, the crowdsourced scientific experiment, SETI@home, searched for extraterrestrial life through a voluntary botnet. However, bot herders usually use botnets for attacks like DDoS. Using the extensive resources of the many computers in a botnet, they send excessive traffic to a website or service to overwhelm it and take it down.

The goal of a DDoS attack is anything from mischief to activism to extortion. For example, the Mirai authors wanted to undermine critical Minecraft servers in order to sell DDoS mitigation services. They also allegedly attacked ProxyPipe.com because it provided similar services and was a potential competitor.

The Mirai botnet was unlike other malware because it attacked IoT devices instead of computers. IoT, of course, is a fancy name for devices that carry sensors and software, allowing them to communicate with other devices and systems. Mirai infected vulnerable consumer devices like smart cameras. It also weaponized Realtek-based routers.

Mirai scanned the Internet for targets and breached their security by trying default username and password combinations. It didn’t take long for Mirai to infect hundreds of thousands of IoT devices in countries worldwide and gain significant power. Mirai’s attack in 2016 against OVH peaked at a startling 1TBps.

How was the Mirai botnet stopped?

According to TechTarget, the FBI uncovered the identities of the Mirai creators through the metadata around their anonymous accounts after an extensive investigation. Not only did the trio plead guilty to various computer crimes, but they agreed to help make amends. One of their bigger contributions was to build an IoT honeypot called WatchTower. A honeypot is essentially a digital trap for malware and hackers.

Is Mirai botnet still active?

The authorities may have caught the Mirai creators, but the spirit of their botnet lives on. Numerous groups took advantage of the open-source code to create mini variants. Besides DDoS attacks, botnets can help hackers weaken website security, steal credit card data, and send spam.  

How can the Mirai malware be mitigated?

Updating your IoT device firmware to the latest version can help mitigate the risk of a botnet infection. Additionally, changing default username and passwords will prevent threat actors from utilizing known default login credentials. Segmenting your network so your IoT devices are on a separate network can also be useful.

To secure your computer from botnet infections, regularly install the latest security patches for your operating system and download anti-malware tools. You may also be put at risk by old out of date routers — so consider upgrading. A proactive approach can harden your defenses against all types of botnet infections.