First discovered in 2016, the Mirai botnet took over an unprecedented number of devices and dealt massive damage to the internet. Now it’s back and more dangerous than ever.
The New and Improved Mirai Is Infecting More Devices
On March 18, 2019, security researchers at Palo Alto Networks disclosed that Mirai had been tweaked and updated to accomplish the same goal on a larger scale. The researchers found Mirai was using 11 new exploits (bringing the total to 27) and a new list of default admin credentials to try. Some of the changes target business hardware, including LG Supersign TVs and WePresent WiPG-1000 wireless presentation systems.
Mirai can be even more potent if it can take over business hardware and commandeer business networks. As Ruchna Nigam, a Senior Threat Researcher with Palo Alto Networks, puts it:
These new features afford the botnet a large attack surface. In particular, targeting enterprise links also grants it access to larger bandwidth, ultimately resulting in greater firepower for the botnet for DDoS attacks.
This variant of Mirai continues to attack consumer routers, cameras, and other network-connected devices. For destructive purposes, the more devices infected, the better. Somewhat ironically, the malicious payload was hosted on a website promoting a business that dealt with “Electronic security, integration and alarm monitoring.”
Mirai Is a Botnet That Attacks IoT Devices
If you don’t remember, in 2016 the Mirai botnet seemed to be everywhere. It targeted routers, DVR systems, IP cameras, and more. These are often called Internet of Things (IoT) devices and include simple devices like thermostats that connect to the internet. Botnets work by infecting groups of computers and other internet-connected devices and then forcing those infected machines to attack systems or work on other goals in a coordinated fashion.
Mirai went after devices with default admin credentials, either because no one changed them or because the manufacturer hardcoded them. The botnet took over a massive number of devices. Even if most of the systems weren’t very powerful, their sheer numbers meant they could work together to achieve more than a single powerful zombie computer could on its own.
Mirai took over nearly 500,000 devices. Using this botnet of IoT devices, Mirai crippled services like Xbox Live and Spotify and websites like BBC and GitHub by targeting DNS providers directly. With so many infected machines, Dyn (a DNS provider) was taken down by a DDoS attack that saw 1.1 terabytes of traffic. A DDoS attack works by flooding a target with a massive amount of internet traffic, more than the target can handle. This brings the victim’s website or service to a crawl or forces it off the internet entirely.
The original creators of the Mirai botnet software were arrested, pleaded guilty, and given terms of probation. For a time, Mirai was shut down. But enough of the code survived for other bad actors to take over Mirai and alter it to fit their needs. Now there’s another variant of Mirai out there.