Original author(s): Paras Jha, Josiah White and Dalton Norman
Written in: C (agent), Go (controller)
License: GNU General Public License v3.0
Mirai (Japanese: 未来, lit. 'future') is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
Devices infected by Mirai continuously scan the internet for the IP addresses of Internet of things (IoT) devices. Mirai includes a table of IP address ranges that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.
Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware. Infected devices will continue to function normally, except for occasional sluggishness, and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes. Upon infection Mirai will identify "competing" malware and remove them from memory and block remote administration ports.
Victim IoT devices are identified by “first entering a rapid scanning phase (①) where it asynchronously and “statelessly” sent TCP SYN probes to pseudo-random IPv4 addresses, excluding those in a hard-coded IP blacklist, on Telnet TCP ports 23 and 2323”. If an IoT device responds to the probe, the attack then enters a brute-force login phase. During this phase, the attacker tries to establish a Telnet connection using predetermined username and password pairs from a list of credentials. Most of these logins are default usernames and passwords from the IoT vendor. If the IoT device allows Telnet access, the victim's IP, along with the credential that succeeded, is sent to a collection server.
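The scanning phase described above leaves a recognisable trace on the network an infected device sits in: one source sending bare SYNs to many different addresses on ports 23 and 2323. The following is an added example, not code from Mirai or from the cited research, of detection logic for that pattern; the log line format, the sample addresses and the window and threshold values are all assumptions made for the illustration.

```python
import re
from collections import defaultdict, deque

TELNET_PORTS = {23, 2323}  # the two ports named in the scanning description
# Assumed line format: "<epoch> <src> > <dst>:<port> [<tcp flags>]"
LINE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) > (\S+):(\d+) \[(\w+)\]$")

def find_scanners(lines, window=10.0, min_targets=5):
    """Return {src: peak number of distinct Telnet targets seen within
    `window` seconds} for sources that reach `min_targets`.
    Lines must be in time order; both thresholds are assumed values."""
    recent = defaultdict(deque)  # src -> (timestamp, dst) still inside the window
    peaks = {}
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore lines that do not parse
        ts, src, dst, port, flags = float(m[1]), m[2], m[3], int(m[4]), m[5]
        # Only connection attempts (bare SYN) to Telnet ports are of interest.
        if flags != "S" or port not in TELNET_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:
            q.popleft()  # expire probes older than the window
        distinct = len({d for _, d in q})
        if distinct >= min_targets:
            peaks[src] = max(peaks.get(src, 0), distinct)
    return peaks

def sample_log():
    """Constructed sample traffic: a scanning camera, an administrator using
    Telnet to one router, and a client opening ordinary HTTPS connections."""
    lines = []
    for i in range(8):  # camera probes 8 different addresses in under 2 s
        port = 2323 if i % 4 == 3 else 23
        lines.append(f"{100 + i * 0.2:.1f} 192.168.1.50 > 203.0.113.{i + 1}:{port} [S]")
    for i in range(3):  # administrator: repeated Telnet to a single host
        lines.append(f"{100 + i * 3:.1f} 192.168.1.10 > 192.168.1.1:23 [S]")
    for i in range(8):  # many destinations, but not on a Telnet port
        lines.append(f"{101 + i * 0.1:.1f} 192.168.1.20 > 198.51.100.{i + 1}:443 [S]")
    lines.sort(key=lambda l: float(l.split()[0]))
    return lines

if __name__ == "__main__":
    print(find_scanners(sample_log()))
```

Counting distinct destinations rather than packets is what separates the scanner from the administrator, who sends several SYNs to port 23 but always to the same router.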
There are hundreds of thousands of IoT devices which use default settings, making them vulnerable to infection. Once infected, the device will monitor a command and control server which indicates the target of an attack. The reason for using a large number of IoT devices is to bypass some anti-DoS software which monitors the IP address of incoming requests and filters or sets up a block if it identifies an abnormal traffic pattern, for example, if too many requests come from a particular IP address. Other reasons include being able to marshal more bandwidth than the perpetrator can assemble alone, and avoiding being traced.
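The limitation of per-address filtering described above can be seen by running two detectors over the same traffic. This is an added example, not taken from any anti-DoS product; the event format, source names, limits and baselines are constructed assumptions.

```python
from collections import Counter, defaultdict

def per_source_offenders(events, limit):
    """Sources that exceed `limit` requests in any one-second bucket,
    i.e. what a filter keyed on the client IP address would block."""
    counts = Counter((int(ts), src) for ts, src in events)
    return {src for (_, src), n in counts.items() if n > limit}

def aggregate_alarms(events, baseline_rps, baseline_sources, factor=5):
    """Seconds in which both the total request count and the number of
    distinct sources exceed `factor` times an assumed normal baseline."""
    total = Counter()
    sources = defaultdict(set)
    for ts, src in events:
        total[int(ts)] += 1
        sources[int(ts)].add(src)
    return sorted(s for s in total
                  if total[s] > factor * baseline_rps
                  and len(sources[s]) > factor * baseline_sources)

def sample_events():
    """Constructed (timestamp, source) request events covering three seconds."""
    events = []
    # Second 0: normal load, 40 clients sending 2 requests each.
    events += [(0.0 + k * 0.01, f"198.51.100.{c}")
               for c in range(1, 41) for k in range(2)]
    # Second 1: a single heavy client sending 300 requests.
    events += [(1.0 + k * 0.001, "192.0.2.9") for k in range(300)]
    # Second 2: 3000 devices sending only 3 requests each.
    events += [(2.0 + k * 0.1, f"device-{d}")
               for d in range(3000) for k in range(3)]
    return events

if __name__ == "__main__":
    ev = sample_events()
    print(per_source_offenders(ev, limit=100))
    print(aggregate_alarms(ev, baseline_rps=80, baseline_sources=40))
```

The per-source check catches only the single heavy client, while the 9000 requests in second 2 pass it because no individual device exceeds the limit; the aggregate check on total volume and source count is the one that fires.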
The threat Mirai poses to Internet of things (IoT) devices did not end with the arrest of the actors, because other actors are using the Mirai malware source code, which is openly shared on GitHub, either as it is or to evolve Mirai into new variants and to expand their botnet nodes to previously untouched IoT devices. The recent progress of these variants is described in the following paragraphs.
On 12 December 2017 researchers identified a variant of Mirai exploiting a zero-day flaw in Huawei HG532 routers to accelerate Mirai botnet infection, implementing two known SOAP-related exploits against the routers' web interface, CVE-2014-8361 and CVE-2017-17215. This Mirai version is called "Satori".
On 14 January 2018, a new variant of Mirai dubbed "Okiru", which already targeted popular embedded processors such as ARM, MIPS, x86, PowerPC and others, was found targeting Linux devices based on ARC processors for the first time. The Argonaut RISC Core processor (ARC processor for short) is the second-most-popular embedded 32-bit processor, shipped in more than 1.5 billion products per year, including desktop computers, servers, radio, cameras, mobile, utility meters, televisions, flash drives, automotive, networking devices (smart hubs, TV modems, routers, wifi) and Internet of Things. However, only a relatively small number of ARC-based devices run Linux and are therefore exposed to Mirai.
On 26 January 2018, two similar Mirai variant botnets were reported, the more modified of which weaponizes the EDB 38722 D-Link router exploit to enlist further vulnerable IoT devices. The vulnerability in the router's Home Network Administration Protocol (HNAP) is used to craft a malicious query that bypasses authentication on affected routers and then causes arbitrary remote code execution. The less modified version of Mirai is called "Masuta" (after the Japanese transliteration of "Master"), while the more modified version is called "PureMasuta".
In early July 2018 it was reported that at least thirteen versions of the Mirai malware had been detected actively infecting Linux Internet of things (IoT) devices on the internet, and that three of them were designed to target specific vulnerabilities using proof-of-concept exploits, without launching brute-force attacks against default credential authentication. In the same month a report was published of a Mirai infection campaign against Android devices through the Android Debug Bridge on TCP/5555, which is an optional feature of the Android operating system but was found to be enabled on some Android phones.
Use in DDoS attacks
Mirai was used, alongside BASHLITE, in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s. Ars Technica also reported a 1 Tbit/s attack on French web host OVH.
On 21 October 2016 multiple major DDoS attacks on the DNS services of DNS service provider Dyn were carried out using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others. The attribution of the Dyn attack to the Mirai botnet was originally reported by Level 3 Communications. There is currently an ongoing investigation by the National Crime Agency into the suspected perpetrator of the attack.
Mirai was later revealed to have been used during the DDoS attacks against Rutgers University from 2014 to 2016, which left faculty and students on campus unable to access the outside Internet for several days at a time. Additionally, a failure of the University's Central Authentication Service made course registration and other services unavailable during critical times in the academic semester. The university reportedly spent $300,000 in consultation and increased the cyber-security budget of the university by $1 million in response to these attacks. The university cited the attacks among its reasons for the increase in tuition and fees for the 2015-2016 school year. A person under the alias "exfocus" claimed responsibility for the attacks, stating in a Reddit AMA on the /r/Rutgers subreddit that the user was a student at the school and the DDoS attacks were motivated by frustrations with the university's bus system. The same user later claimed in an interview with a New Jersey-based blogger that they had lied about being affiliated with the university and that the attacks were being funded by an anonymous client. Security researcher Brian Krebs later alleged the user was indeed a student at Rutgers University and that the latter interview was given in an attempt to distract investigators.
Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.
Mirai has also been used in an attack on Liberia's Internet infrastructure in November 2016. According to computer security expert Kevin Beaumont the attack appears to have originated from the actor which also attacked Dyn.
The Security Affairs website was taken offline for more than an hour only twenty minutes after it had published an article about Mirai Okiru on 14 January 2018.
Other notable incidents
At the end of November 2016, approximately 900,000 routers, from Deutsche Telekom and produced by Arcadyan, were crashed due to failed TR-064 exploitation attempts by a variant of Mirai, which resulted in Internet connectivity problems for the users of these devices. While TalkTalk later patched their routers, a new variant of Mirai was discovered in TalkTalk routers.
A British man suspected of being behind the attack has been arrested at Luton Airport, according to the BBC.
On January 17, 2017, computer security journalist Brian Krebs posted an article on his blog, Krebs on Security, where he disclosed the name of the person who he believed to have written the malware. Krebs stated that the likely real-life identity of Anna-senpai (named after Anna Nishikinomiya, a character from Shimoneta), the author of Mirai, was actually Paras Jha, the owner of a DDoS mitigation service company ProTraf Solutions and a student of Rutgers University. In an update to the original article, Paras Jha responded to Krebs and denied having written Mirai. The FBI was reported to have questioned Jha on his involvement in the October 2016 Dyn cyberattack. On December 13, 2017, Paras Jha, Josiah White, and Dalton Norman entered a guilty plea to crimes related to the Mirai botnet.
Researchers are pointing to the handle name "Nexus Zeta" as having a role in the creation or operation of new Mirai variants (dubbed as Okiru, Satori, Masuta and PureMasuta). While there is sufficient evidence to establish that "Nexus Zeta" had some level of involvement in running both the Okiru and Satori botnets, it is currently unknown whether he was truly responsible for creating either botnet, or if he had a lesser role. The National Crime Agency currently has an ongoing investigation targeting an unnamed resident of Northern Ireland in connection with the Satori IoT botnet. According to the official report, which was released in 2018, the same individual was also previously interviewed in connection with the 2016 Dyn cyberattack.
In popular culture
- Linux malware
- Denial-of-service attack
- BASHLITE – another notable IoT malware
- Linux.Darlloz – another notable IoT malware
- Remaiten – another IoT DDoS bot