Mirai malware turns connected devices, such as IP cameras, DVRs, home routers and baby monitors, into an army that attackers control remotely. The so-called Mirai botnet can take down websites, servers, and other key assets for hours or days at a time.
The major internet outage of October 2016 was driven by a Mirai botnet. But the threat isn't over: new Mirai variants keep appearing.
What is the Mirai botnet?
The Mirai botnet is made of infected internet-connected devices. Each one checks in with a command-and-control (C2) server that tells it what to attack.
Let's break down the pieces of this threat:
- Devices: Internet of things (IoT) devices run stripped-down operating systems (usually embedded Linux) and sit directly on the internet. They're often shipped from the factory with preset usernames and passwords that owners rarely change.
- Infection: Many IoT devices expose Telnet (TCP port 23 or 2323) to the internet. Already-infected devices scan for those open ports and try to log in with a hardcoded list of about 60 username/password pairs that manufacturers use as defaults.
- Malware: Once a login succeeds, the attacker's loader pushes the Mirai binary to the device, which runs it and immediately starts scanning for more victims.
- Botnet: All devices running the malware form a network (or botnet) that acts collectively on whatever goal the operators set.
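The infection step above is easy to spot from the defender's side, because the credential sweep is noisy and uses a fixed list. The following Python script is an added example, not code from the original article or from Mirai: it flags source addresses that try several known Mirai default pairs against Telnet within a short window, and reports any default login that actually succeeded. The log line format and the addresses are constructed for the example; the credential pairs are a subset of the list hardcoded in the leaked Mirai scanner.

```python
# Added example (not from the original article): detect Mirai-style default-credential
# sweeps in Telnet authentication logs. The log format below is constructed for this
# example; adapt LINE_RE / parse_line() to your honeypot's or device's syslog format.
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Subset of the username/password pairs hardcoded in the leaked Mirai scanner.
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "666666"), ("root", "password"), ("root", "1234"),
    ("ubnt", "ubnt"), ("guest", "guest"), ("service", "service"),
}

# Constructed log format: one line per Telnet login attempt seen by the device/honeypot.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet-auth src=(?P<src>[\d.]+) dport=(?P<dport>\d+) "
    r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)" result=(?P<result>\w+)$'
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["dport"] = int(ev["dport"])
    return ev

def find_sweeps(lines, min_defaults=3, window=timedelta(minutes=5)):
    """Return {src_ip: sorted list of Mirai default pairs tried} for every source that
    tried at least `min_defaults` distinct default pairs on port 23/2323 within `window`."""
    attempts = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["dport"] not in (23, 2323):
            continue  # other ports are not part of the Mirai Telnet sweep
        attempts[ev["src"]].append((ev["ts"], (ev["user"], ev["pw"])))
    flagged = {}
    for src, evs in attempts.items():
        evs.sort()  # by timestamp
        for i, (t0, _) in enumerate(evs):
            seen = {pair for t, pair in evs[i:]
                    if t - t0 <= window and pair in MIRAI_DEFAULTS}
            if len(seen) >= min_defaults:
                flagged[src] = sorted(seen)
                break
    return flagged

def successful_default_logins(lines):
    """(src, user, password) for every default-credential login that succeeded:
    the device that logged it should be treated as compromised."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "ok" and (ev["user"], ev["pw"]) in MIRAI_DEFAULTS:
            hits.append((ev["src"], ev["user"], ev["pw"]))
    return hits

# Constructed sample log (documentation/test addresses, not real traffic).
SAMPLE_LOG = """
2016-10-21T12:00:01 telnet-auth src=203.0.113.7 dport=23 user="root" pass="xc3511" result=fail
2016-10-21T12:00:02 telnet-auth src=203.0.113.7 dport=23 user="root" pass="vizxv" result=fail
2016-10-21T12:00:03 telnet-auth src=203.0.113.7 dport=23 user="admin" pass="admin" result=fail
2016-10-21T12:00:04 telnet-auth src=203.0.113.7 dport=23 user="root" pass="888888" result=ok
2016-10-21T12:00:09 telnet-auth src=198.51.100.4 dport=22 user="root" pass="root" result=fail
2016-10-21T12:00:10 telnet-auth src=198.51.100.4 dport=2323 user="root" pass="root" result=fail
2016-10-21T12:03:10 telnet-auth src=192.0.2.9 dport=23 user="alice" pass="correct-horse" result=ok
""".strip().splitlines()

if __name__ == "__main__":
    print("sweeps:", find_sweeps(SAMPLE_LOG))
    print("successful default logins:", successful_default_logins(SAMPLE_LOG))
```

With the defaults, only 203.0.113.7 is reported as a sweep (four default pairs in three seconds), and its fourth attempt is listed as a successful default login. The host at 198.51.100.4 tried a single default pair, which is below the threshold; lowering `min_defaults` to 1 would surface it as well. The threshold and window exist because a single failed default login can be an admin's typo, while several distinct pairs from the Mirai list in quick succession are a scanner.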
The Mirai botnet's first iteration was a money-making scheme, and two of its operators ran a DDoS mitigation company. In essence, they knocked targets offline and then offered those same targets paid "protection" from the attacks.
The idea was sparked by Minecraft. Players log onto hosted servers, and while they play, they spend real money on in-game perks sold by the server operator. Knocking a hosting server offline could mean losing thousands of dollars. Victims were willing to pay to stay online.
But the Mirai developers started widening their target list. What began as a tool to dominate the Minecraft hosting market became one capable of hurting almost everyone.
How does Mirai malware work?
A single IoT device infected with Mirai can send only a trickle of attack traffic toward a chosen victim. Multiply that by hundreds of thousands of devices and the impact is impossible to ignore.
An infected IoT device can:
- Attack. The device checks in with the command-and-control server for instructions, then floods the named target with traffic (TCP SYN and ACK floods, UDP floods and HTTP request floods are among the built-in attack types) until told to stop.
- Reinfect. Rebooting the device clears the malware from memory and stops its part in the attack. But if Telnet stays open and the default password stays in place, the device is typically reinfected within minutes by other bots that are still scanning.
- Dominate. Mirai kills other processes bound to the ports it cares about (Telnet, SSH and the web interface) and removes competing bot malware, so it is the only one running.
- Hide. The device keeps doing its normal job; owners may notice slight sluggishness and nothing more.
Mirai was implicated in a major attack on October 21, 2016. The botnet flooded Dyn, a company that provides domain name system (DNS) services to big-name websites. When Dyn's DNS servers were overwhelmed by traffic from IoT devices, users, especially on the US East Coast, could no longer resolve the names of many major sites, so those sites were unreachable for hours even though their own servers were up. Businesses that depended on those services were effectively offline for the duration.
By then the Mirai source code was already public. Weeks earlier, after the botnet's attack on the KrebsOnSecurity website drew attention from researchers and law enforcement, its author posted the code to a hacking forum under the handle Anna-Senpai. Releasing it muddied attribution: with the code in many hands, any later attack could be blamed on someone else.
Unfortunately, releasing the code also ensured that these attacks would persist, in some form, indefinitely.
Mirai Bot Changes With Time
As soon as the source code was released, other hackers started tweaking, adjusting and experimenting. Several of the attacks they launched were devastating.
In late 2017, for example, a new variant (tracked as Satori) spread to home routers by exploiting a vulnerability in the router firmware rather than guessing passwords, so a strong password was no defense. When researchers discovered it, the botnet had grown to an estimated 100,000 devices, all waiting for the operator's instructions.
This is just one example of many. As long as IoT devices remain even slightly insecure, more variants will appear.
Why Can’t We Stop the Mirai Botnet?
We know how the Mirai malware works, and we understand how the devices can harm us. Eradication seems the reasonable next step, but unfortunately, it's hard to accomplish.
The Mirai worm persists due to:
- Low consumer interest. An infected device still works reasonably well, and the attack traffic it sends harms someone else, not its owner. People don't feel compelled to fix items that seem to work.
- Poor manufacturer incentives. Cost concerns keep most manufacturers from investing in security: the more stripped down the device, the lower the price point, and security features rarely sell units.
- No overarching government oversight. Some states have laws about IoT security. In California, for example, connected devices sold in the state must ship with a unique password or force users to set one before first use. But there is no comprehensive federal or global rule that ensures widespread compliance.
- Inadequate skills. Some manufacturers do release security patches. But many owners don't know how to apply them to a camera or router, and others have no idea the patches exist.
As long as we live in a world filled with connected devices and poor security practices, the Mirai threat is likely to persist.
What Can You Do to Stop the Mirai Worm?
Mirai runs only in the device's memory and never writes itself to persistent storage. Rebooting the device, by unplugging it and leaving it that way for a few moments, is usually enough to stop an attack in progress and remove the malware.
But unless you change the device's default username and password, reinfection is likely within minutes. As soon as you reboot, change those credentials, and if the device has a setting to disable Telnet or remote administration, turn it off. If you're not sure how to do this, contact the device manufacturer for help.
Don't assume the manufacturer will push firmware updates to your device on its own. Check for updates yourself and install them; patched firmware is the only real fix for a device that can't otherwise be configured securely.
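The one check worth running after changing passwords is whether the device still accepts connections on the Telnet ports that Mirai scans. The Python script below is an added example, not code from the original article: it attempts a plain TCP connection to ports 23 and 2323 on each host you list and reports the ones that answer. It is meant for devices on your own network only. The `start_local_listener` helper is an assumption made for the example so it can be demonstrated against a local socket instead of a real device.

```python
# Added example (not from the original article): find devices on your own network
# that still accept TCP connections on the Telnet ports Mirai scans (23 and 2323).
# Only run this against networks and devices you own or are authorized to test.
import socket
import threading

TELNET_PORTS = (23, 2323)

def port_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port completes within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(hosts, ports=TELNET_PORTS, timeout=1.0):
    """Return {host: [open ports]} for hosts with at least one of `ports` open.
    A hit means the device is reachable by Mirai-style scanners on that port."""
    findings = {}
    for host in hosts:
        open_ports = [p for p in ports if port_open(host, p, timeout)]
        if open_ports:
            findings[host] = open_ports
    return findings

def start_local_listener(port=0):
    """Demo helper (assumption for this example): start a throwaway TCP listener on
    127.0.0.1 that stands in for a device with Telnet exposed. Returns the bound port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            conn.close()  # accept and drop; we only need the port to answer

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    # Demonstrate against a local listener instead of real devices.
    demo_port = start_local_listener()
    print(audit(["127.0.0.1"], ports=(demo_port,)))
    # Real use on your own LAN (adjust the subnet):
    # print(audit(["192.168.1.%d" % i for i in range(1, 255)], timeout=0.5))
```

A device that shows up here after you have changed its password is still a target: the credential guess will fail, but the port is reachable, so any future firmware bug on that service is exposed to the whole internet if your router forwards it. Disable the service or block the port at the router, then re-run the audit.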
Sources
Who Is Anna-Senpai, the Mirai Worm Author? (January 2017). Krebs on Security.
Source Code for IoT Botnet 'Mirai' Released. (October 2016). Krebs on Security.
What We Know About Friday's Massive East Coast Internet Outage. (October 2016). Wired.
100,000-Strong Botnet Built on Router 0-Day Could Strike at Any Time. (December 2017). Ars Technica.
IoT Manufacturers: What You Need to Know About California's IoT Law. (January 2020). The National Law Review.
Leaked Mirai Malware Boosts IoT Insecurity Threat Level. (October 2016). Security Intelligence.