The Mirai botnet explained: How teen scammers and CCTV cameras almost brought down the internet

Mirai took advantage of insecure IoT devices in a simple but clever way. It scanned big blocks of the internet for open Telnet ports, then attempted to log in default passwords. In this way, it was able to amass a botnet army.

bunch of toy robots

On October 12, 2016, a massive distributed denial of service (DDoS) attack left much of the internet inaccessible on the U.S. east coast. The attack, which authorities initially feared was the work of a hostile nation-state, was in fact the work of the Mirai botnet.

This attack, which initially had much less grand ambitions — to make a little money off of Minecraft aficionados — grew more powerful than its creators ever dreamed possible. It's a story of unintended consequences and unexpected security threats, and it says a lot about our modern age. But to understand it, you need a little background.

How botnets work

If you want to get into the details, check out this primer on the subject, but in a nutshell, a botnet is a collection of internet-connected computers — the "bots" — that are under remote control from some outside party. Usually these computers have been compromised by some outside attacker who controls aspects of their functionality without the owners knowing.

Because there are many bots, the controllers basically have access to a sort of hacked-together supercomputer that they can use for nefarious purposes, and because the bots are distributed over various parts of the internet, that supercomputer can be hard to stop. The very first botnet was built in 2001 to send spam, and that's still a common use: because the unwanted messages are being sent from so many different computers, they're hard for spam filters to block. Another common use — and the one the Mirai botnet served — is as foot soldiers in a DDoS attack, in which a target server is simply bombarded with web traffic until it's overwhelmed and knocked offline.

How to make a botnet

Traditionally, botnets are created by compromising home PCs, which often had a number of vulnerabilities. PCs could be captured either through unprotected network ports or via trojans or other malware, often spread by spam, that would open backdoors attackers could access. Once the PC is compromised, the controller — known as a bot herder — issues commands via IRC or other tools. Sometimes commands come from a central server, though more often now botnets have a distributed architecture that makes their controllers harder to track down.

What is an IoT botnet?

Over the years, PC makers have gotten savvier about building security into their computers. But another tempting target is out there for botnet builders: Internet of things (IoT) devices, a blanket term for various gadgets that most people don't think of as computers, but that still have processing power and an internet connection. These devices, ranging from home routers to security cameras to baby monitors, often include an embedded, stripped down Linux system. They also often have no built-in ability to be patched remotely and are in physically remote or inaccessible locations.

By 2017, there were 8.4 billion of these "things" out there on the internet, ripe for the plucking. Mirai took advantage of these insecure IoT devices in a simple but clever way. Rather than attempting to use complex wizardry to track down IoT gadgets, it scanned big blocks of the internet for open Telnet ports, then attempted to log in using 61 username/password combos that are frequently used as the default for these devices and never changed. In this way, it was able to amass an army of compromised closed-circuit TV cameras and routers, ready to do its bidding.

What was the Mirai botnet attack?

But let's back up a bit. Who built Mirai, and what was its purpose?

While much of the malware ecosystem emerges from the murky underworld of Eastern European organized crime or nation-state intelligence services, we actually have names and places to go with this particularly striking attack. Paras Jha, an undergraduate at Rutgers, became interested in how DDoS attacks could be used for profit. He launched a series of minor attacks against his own university's systems, timed to match important events like registration and midterms, all the while trying to convince them to hire him to mitigate those attacks.

He also was big Minecraft player, and one of the quirks of the Minecraft economy is that there's good money to be made in hosting Minecraft game servers — which leads to running skirmishes in which hosts launch DDoS attacks against their rivals, hoping to knock their servers offline and attract their business.

Mirai was another iteration of a series of malware botnet packages developed by Jha and his friends. Jha, who loved anime and posted online under the name "Anna-Senpai," named it Mirai (Japanese for "the future", 未来), after the anime series Mirai Nikki, or "future diary." It encapsulated some clever techniques, including the list of hardcoded passwords. But, in the words of an FBI agent who investigated the attacks, "These kids are super smart, but they didn’t do anything high level—they just had a good idea."

Mirai DDoS

Mirai's first big wave of attacks came on September 19, 2016, and was used against the French host OVH — because, as it later turned out, OVH hosted a popular tool that Minecraft server hosts use to fight against DDoS attacks. A few days later, "Anna-Senpai" posted the code of the Mirai botnet online — a not-uncommon technique that gives malware creators plausible deniability, because they know that copycats will use the code, and the waters will be muddied as to who created it first. The big attack on October 12 was launched by somebody else against Dyn, an infrastructure company that among other things offers DNS services to a lot of big websites. The FBI believes that this attack was ultimately targeting Microsoft game servers.

In December 2016, Jha and his associates pled guilty to crimes related to the Mirai attacks. But by then the code was in the wild and being used as building blocks for further botnet controllers.

Mirai botnet source code

And yes, you read that right: the Mirai botnet code was released into the wild. That means that anyone can use it to try their luck infecting IoT devices (most of which are still unprotected) and launching DDoS attacks against their enemies, or selling that power to the highest bidder. Many cybercriminals have done just that, or are tweaking and improving the code to make it even harder to fight against.

Mirai botnet analysis and detection

The good folks at Imperva Incapsula have a great analysis of the Mirai botnet code. You should head over there for a deep dive, but here are some of the high points:

  • Mirai can launch both HTTP flood and network-level attacks
  • There are certain IP address ranges that Mirai is hard-wired to avoid, including those owned by GE, Hewlett-Packard, and the U.S. Department of Defense
  • Upon infecting a device, Mirai looks for other malware on that device and wipes it out, in order to claim the gadget as its own
  • Mirai's code contains a few Russian-language strings—which, as we later learned, were a red herring about its ultimate origins

Imperva Incapsula also has a tool that will scan your network looking for vulnerabilities, particularly looking for devices that have the logins and passwords on Mirai's list. Because Mirai stores itself in memory, rebooting the device is enough to purge any potential infection, although infected devices are generally re-infected swiftly. Therefore, the recommendation is to change the password to something stronger before rebooting if you have any vulnerable devices.

Security Smart: 4 Common Password Myths ... Debunked!