
Timeline of Mirai: the internet of things botnet

Image credit: Krebs on Security

The rise of the Mirai botnet was swift and dramatic, from its discovery in August 2016 to knocking many of the web’s most popular websites offline just months later. What differentiated Mirai – Japanese for ‘the future’ – was that it infected poorly secured internet of things devices, like DVRs and IP cameras, rather than PCs. And it largely slipped under the radar until it was large enough to launch sustained, significant and record-breaking attacks.

Read on for how Mirai has evolved to date, who’s involved, and who the victims are of this alarmingly powerful IoT botnet.

1. Mirai botnet timeline: Discovery – August 2016

White hat security researchers at MalwareMustDie discovered a new trojan built as an ELF (Executable and Linkable Format) binary, the native executable format on Linux and other Unix-like systems. The binary was named “mirai.*”, and its main functionality was launching Telnet attacks against other hosts. MalwareMustDie warned at the time that ELF Linux/Mirai had an extremely low antivirus detection rate, even for the x86 build. “The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR, or WebIP Camera,” they wrote.

In short, Mirai scans the internet for devices that accept Telnet logins and brute-forces its way in using a short dictionary of factory-default usernames and passwords; it exploits no software vulnerability, only credentials that were never changed. Each newly infected device then scans for further victims over the Telnet remote network protocol, creating an enormous self-replicating network that its operator can point at websites or services.

2. Mirai botnet timeline: KrebsOnSecurity hit by record-breaking DDoS – September 2016

Independent security researcher Brian Krebs had a DDoS pointed at his website in September, running at an astonishing 620 Gigabits per second. The company that protects his website, Akamai, noted that the attack appeared to “have been launched almost exclusively by a very large botnet of hacked devices”.

“Someone has a botnet with capabilities we haven’t seen before,” Akamai’s Martin McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks, they were everywhere.”

3. Mirai botnet timeline: OVH hit by Mirai – September 2016

The CTO of French cloud and web hosting company OVH, Octave Klaba, reported a huge DDoS attack on several of its customers’ websites. Klaba noted that the attacks came from 145,607 separate devices, a botnet capable of sending more than 1.5 Terabits per second at OVH. The devices were largely WebIP cameras, but OVH also noticed traffic from routers, NAS boxes, DVRs and Raspberry Pis.

“What all these connected devices have in common is the existence of security vulnerabilities caused by a flawed software design or gross negligence on the part of their manufacturers,” OVH wrote in a blog post.

4. Mirai botnet timeline: Mirai source code released – 01 October 2016

Image credit: Incapsula, mitigating GRE floods

A user calling themselves Anna-senpai posted on the Hackforums message board that the scope of the Krebs attack had caused ISPs to “clean up their act” – and that the “max pull is about 300k bots, and dropping.” The user then released the full Mirai source code publicly, free for anyone to download and build on.

5. Mirai botnet timeline: Known Mirai-infected bots double – October 2016

Image: iStock

Colorado-based Level 3 Communications examined the command-and-control (C2) servers that compromised IoT devices report to, and estimated that the number of Mirai bots had risen from 213,000 to at least 493,000 since the source code was made public.

“We have been able to identify bots via communications with the C2,” Level 3 wrote. “Once new bots are identified, their common communications lead to new C2s, which then lead to more bots.”
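The pivot Level 3 describes, from a known C2 to the hosts talking to it, and from those hosts to other destinations they share, is simple to express over connection records. The block below is an added example written for this page; it is not Level 3’s tooling and the addresses and ports are constructed. It also shows the check a practitioner needs: bots share plenty of benign infrastructure (DNS resolvers, NTP), so without an `ignore` list the pivot sweeps a resolver in as a “C2” and every client of it in as a “bot”.

```python
"""Iterative bot/C2 pivot over (src, dst, dport) connection records."""
from collections import defaultdict

# Constructed records, not real traffic. Five bots keep sessions to three
# operator C2s; everyone, including an innocent host, also uses a DNS resolver.
RECORDS = [
    ("10.0.0.1", "203.0.113.10", 23), ("10.0.0.2", "203.0.113.10", 23),
    ("10.0.0.3", "203.0.113.10", 23),                       # seed C2 "A"
    ("10.0.0.2", "203.0.113.20", 23), ("10.0.0.3", "203.0.113.20", 23),
    ("10.0.0.4", "203.0.113.20", 23),                       # C2 "B"
    ("10.0.0.1", "203.0.113.30", 23), ("10.0.0.4", "203.0.113.30", 23),
    ("10.0.0.5", "203.0.113.30", 23),                       # C2 "C"
    ("10.0.0.99", "198.51.100.80", 443),                    # innocent host
] + [(f"10.0.0.{n}", "192.0.2.53", 53) for n in (1, 2, 3, 4, 5, 99)]

# Known-benign services bots and clean hosts both talk to; never treat as C2.
BENIGN = {("192.0.2.53", 53)}


def pivot_c2(records, seed_c2s, ignore=frozenset(), min_shared_bots=2, max_rounds=10):
    """Return (c2s, bots). Hosts connecting to a known C2 are bots; a destination
    (ip, port) contacted by >= min_shared_bots bots and not in `ignore` becomes a
    new C2. Repeat until nothing new appears or max_rounds is reached."""
    by_src = defaultdict(set)   # src -> {(dst, dport)}
    by_dst = defaultdict(set)   # (dst, dport) -> {src}
    for src, dst, dport in records:
        by_src[src].add((dst, dport))
        by_dst[(dst, dport)].add(src)

    c2s, bots = set(seed_c2s), set()
    for _ in range(max_rounds):
        for c2 in c2s:                       # bots = anything talking to a C2
            bots |= by_dst.get(c2, set())
        shared = defaultdict(set)            # candidate -> bots that contact it
        for bot in bots:
            for dest in by_src[bot]:
                if dest not in c2s and dest not in ignore:
                    shared[dest].add(bot)
        new_c2s = {d for d, bs in shared.items() if len(bs) >= min_shared_bots}
        if not new_c2s:
            break
        c2s |= new_c2s
    return c2s, bots


if __name__ == "__main__":
    seed = {("203.0.113.10", 23)}
    c2s, bots = pivot_c2(RECORDS, seed, ignore=BENIGN)
    print("C2s:", sorted(c2s))
    print("bots:", sorted(bots))
    # Without the ignore list the resolver is misclassified as a C2 and the
    # innocent host 10.0.0.99 is misclassified as a bot.
    c2s_fp, bots_fp = pivot_c2(RECORDS, seed)
    print("false positives without ignore:", sorted(c2s_fp - c2s), sorted(bots_fp - bots))
```

The `min_shared_bots` threshold is what keeps a single bot’s personal traffic (a firmware update server, say) from becoming a C2; raise it as the bot population grows, and seed `ignore` from a list of your own resolvers, NTP servers and CDN ranges before trusting the output.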

6. Mirai botnet timeline: Spotify, Reddit, Twitter taken offline by Mirai – October 2016

Image credit: Level3/Motherboard

Dyn, a managed DNS provider for Twitter, Spotify, Reddit and other popular websites, was hit with an enormous DDoS attack on its DNS infrastructure on the east coast of the United States on 21 October. Because the sites themselves were untouched but their names could not be resolved, users saw them slow down or stop working entirely.

7. Mirai botnet timeline: Mirai shuts down web access for almost a million Germans – November 2016

An updated Mirai variant that exploits a flaw in the TR-064 remote-management interface of DSL routers, reachable on TCP port 7547 and present in Zyxel-made models and in Deutsche Telekom’s Speedport routers, brought down web access for almost a million Deutsche Telekom customers for two days. Many routers were not successfully infected but crashed or lost connectivity under the flood of exploit attempts.

Researchers at the SANS Internet Storm Center said: “For the last couple days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This may have already caused severe issues for German ISP Deutsche Telekom and may affect others as well. For Deutsche Telekom, Speedport routers appeared to be the main issue.”

8. Mirai botnet timeline: Mirai goes on sale – November 2016

Image credit: BleepingComputer

Two hackers calling themselves BestBuy and Popopret began advertising that their Mirai botnet of 400,000 bots was up for rent. BestBuy told a journalist for Motherboard that the two of them were behind the Deutsche Telekom outage and apologised. “It was not our intention,” BestBuy said.

Buyers could rent 20,000 compromised nodes for $2,000 to launch hour-long attacks across two weeks. For $20,000, customers could make full use of 600,000 bots capable of reaching traffic of 700 Gbps.

9. Mirai botnet timeline: Mirai takes Liberia offline – November 2016

Image credit: Wikipedia

Mirai DDoS took much of Liberia’s websites offline throughout a week in November. Security researcher Kevin Beaumont wrote at the time: “Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access.

"From monitoring we can see websites hosted in the country going offline during the attacks – additionally a source in the country at a telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack.

"The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

10. Mirai botnet timeline: TalkTalk and Post Office telecom hit by Mirai – December 2016

Image credit: Flickr Creative Commons/Clive Darra

British ISP TalkTalk reported that customers using its D-Link DSL-3780 router had been targeted by Mirai. Post Office Telecom, meanwhile, said that it had also been targeted by a suspected Mirai attack that left customers without broadband access.

11. Mirai botnet timeline: Brian Krebs says he knows the identity of the Mirai author – January 2017

Image credit: Brian Krebs

Brian Krebs, the security journalist whose own site was famously among the first attacked by Mirai, put in “hundreds of hours of research” – ultimately claiming that there were enough similarities between ‘Anna-Senpai’ and Paras Jha, the owner of a DDoS mitigation company called ProTraf Solutions, to name Jha as the likely author.

12. Mirai botnet timeline: Mirai variant turns to Windows – February 2017

Image credit: Taber Andrew Bain

Kaspersky Lab researchers found that a Chinese-speaking hacker had created a version of Mirai based on the Windows operating system. The company pointed out that its ability to spread across operating systems was limited: “It can only deliver the Mirai bots from an infected Windows host to a vulnerable Linux IoT device if it is able to successfully brute-force a remote telnet connection.”

But it was a signal that the Mirai threat will evolve in new and unexpected ways, the researchers said, for some time to come.

The bot was coded and compiled on a Chinese system, Kaspersky added, and signed with stolen code-signing certificates from Xi’an JingTech electronic Technology and Partner Tech (Shanghai), a pair of silicon and wafer manufacturers.

13. Mirai botnet timeline: British man arrested under suspicion of Deutsche Telekom attack – February 2017

Image credit: Flickr Creative Commons/Håkan Dahlström

The National Crime Agency arrested a 29-year-old man at Luton airport on suspicion of carrying out the Deutsche Telekom Mirai attack. Germany’s federal criminal police force, which is treating the attack as a threat to the country’s wider infrastructure, sought his extradition.
