Created by Josiah White, Paras Jha, and Dalton Norman, the Mirai botnet was originally written in C for the bots and Go for the controllers, with the initial goal of taking rival Minecraft servers offline through distributed denial-of-service (DDoS) attacks. Mirai quickly spread to infect thousands of Internet of Things (IoT) devices and evolved to conduct large-scale attacks. After noticing an increase in infections, the nonprofit organization MalwareMustDie began researching, analyzing, and tracking the botnet in August 2016.
Mirai targets IoT (Internet of Things) devices running Linux, turning them into remotely controlled systems that form part of a botnet. Devices targeted by this threat include surveillance web cameras, digital video recorders (DVRs), WiFi routers, and other types of Internet-connected devices.
DDoS attacks
The first large-scale Mirai attack took place in September 2016 against the French technology company OVH. The attack reached an unprecedented peak of 1 Tbps and is estimated to have used approximately 145,000 devices to amplify the attack. The second largest attack peaked at around 400 Gbps. After the attack on OVH, Krebs on Security, the site created by journalist Brian Krebs, was flooded with more than 600 GB of data at the end of September 2016.
On September 30, 2017, one of the botnet's authors decided to release the source code on a popular hacker forum. Soon afterwards, Mirai was being used by several attackers. Besides making it much more difficult to identify the attackers, the release of the code led to an increase in the number of DDoS attacks carried out.
Since then, new and more destructive components have been added, aiming on the one hand to reach more devices and on the other to increase speed. In addition, new variants of Mirai have been created that include more functionality, such as the ability to attack computers as well as IoT devices in order to generate more attack traffic. The success of this botnet and its variants rests on the weak security of IoT products and technology.
On October 21, 2016, a Mirai attack targeted the popular DNS provider DYN, which prevented Internet users from accessing many popular websites, including AirBnB, Amazon, Github, HBO, Netflix, Paypal, Spotify, Reddit, and Twitter, by disrupting the DYN name resolution service.
On November 26, 2016, one of the largest German internet providers, Deutsche Telekom, suffered a massive outage after 900,000 of its routers were compromised.
How Mirai works
The Mirai botnet exploits the weakness of IoT devices whose management interfaces are exposed to the Internet without proper security, using default configurations and credentials.
Mirai propagates by scanning the IP address space to identify addresses used by IoT devices and brute-forcing authentication against them; once a device is infected, it in turn locates and infects other vulnerable IoT devices. Propagation is therefore carried out by the infected devices themselves, which scan the Internet for additional vulnerable targets. If a suitable device is found, the already infected device reports the finding to a server. Once the server has the list of vulnerable devices, it loads a payload onto each target and infects it.
How to protect ourselves from Mirai
DDoS attacks are generally impossible to avoid, especially those of significant magnitude such as the ones associated with the Mirai botnet. Those targeted by such attacks can therefore try to mitigate them with support from their Internet provider and/or by using anti-DDoS technologies, which can be quite expensive depending on the magnitude of the attack, but no mechanism or technology is guaranteed to stop such an attack.
Users of IoT devices connected to the Internet can take a series of measures to prevent their compromise; CERT-RO recommends the following:
- keeping installed software permanently up to date
- changing the default administration credentials (username, password)
- using antivirus solutions that cover all devices
- separating networks so that IoT devices are on different networks from vulnerable systems
- securing access by enabling the firewall module or limiting the number of failed authentication attempts allowed
- disabling unnecessary services (e.g. SSH, HTTP, Telnet)
- restricting remote access
- periodic monitoring of traffic generated by devices
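As an added illustration (not code from the original article or from CERT-RO) of the scanning and credential brute-forcing behaviour described under "How Mirai works", and of the recommendations above to limit failed authentication attempts and monitor device traffic, the following Python script flags sources that sweep many hosts on the telnet ports or repeatedly fail telnet logins. The log line format and all addresses are constructed for the example.

```python
"""Flag Mirai-style telnet scanning and credential brute forcing in firewall and
auth logs. Added example; the syslog-like format below is constructed for the
demonstration, not the format of any real device."""
import re
from collections import defaultdict

# Constructed sample: firewall connection events plus telnet login results.
SAMPLE_LOG = """\
fw: src=198.51.100.7 dst=192.0.2.10 dport=23 action=accept
fw: src=198.51.100.7 dst=192.0.2.11 dport=23 action=accept
fw: src=198.51.100.7 dst=192.0.2.12 dport=2323 action=accept
fw: src=198.51.100.7 dst=192.0.2.13 dport=23 action=accept
fw: src=203.0.113.5 dst=192.0.2.10 dport=443 action=accept
telnetd: login failed user=root from=198.51.100.7
telnetd: login failed user=admin from=198.51.100.7
telnetd: login failed user=root from=198.51.100.7
telnetd: login failed user=support from=198.51.100.7
telnetd: login ok user=operator from=203.0.113.5
"""

FW_RE = re.compile(r"fw: src=(\S+) dst=(\S+) dport=(\d+)")
AUTH_RE = re.compile(r"telnetd: login failed user=\S+ from=(\S+)")
TELNET_PORTS = {23, 2323}  # the ports Mirai's scanner probes for telnet


def analyze(log_text, scan_threshold=3, auth_threshold=3):
    """Return {source: [reasons]} for sources showing Mirai-like activity."""
    targets = defaultdict(set)   # source -> distinct hosts contacted on telnet ports
    failures = defaultdict(int)  # source -> count of failed telnet logins
    for line in log_text.splitlines():
        m = FW_RE.search(line)
        if m and int(m.group(3)) in TELNET_PORTS:
            targets[m.group(1)].add(m.group(2))
            continue
        m = AUTH_RE.search(line)
        if m:
            failures[m.group(1)] += 1
    findings = defaultdict(list)
    for src, dsts in targets.items():
        if len(dsts) >= scan_threshold:  # one host sweeping many telnet ports = scanner
            findings[src].append(f"telnet scan of {len(dsts)} hosts")
    for src, n in failures.items():
        if n >= auth_threshold:  # repeated failures = default-credential brute force
            findings[src].append(f"{n} failed telnet logins")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG).items():
        print(src, "->", "; ".join(reasons))
```

The thresholds are deliberately low for the ten-line sample; on real logs they should be tuned to the normal behaviour of the monitored devices.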
We encourage you to invest in a secure and optimal hosting plan by choosing any of the NSHOST shared web, VPS or Cloud plans, and to allocate the necessary time to a caching policy suited to your business, to ensure optimal load times for each web page.