Mirai is malware that turns networked devices running Linux into remotely controlled “bots” that can be used as part of a botnet in large-scale network attacks. Online consumer devices such as IP cameras and home routers are its primary targets.

Mirai is malware that began infecting Linux-based IoT devices in August 2016. The infected devices formed a botnet that generated massive DDoS storms. High-profile targets included Krebs on Security, a popular internet security blog; Dyn, a widely used DNS provider; and Lonestar Cell, a large telecom operator in Liberia. Smaller targets included Italian political sites, Minecraft servers in Brazil, and Russian auction sites. The DDoS on Dyn had secondary effects on other very large providers that relied on its DNS service, such as Sony PlayStation servers, Amazon, GitHub, Netflix, PayPal, Reddit, and Twitter. In total, around 600,000 IoT devices were infected as part of the botnet.

Denial-of-Service (DoS)

A denial-of-service (DoS) attack is a malicious attempt to make a server or network resource unavailable to its users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. The attack either crashes the target or keeps it so busy that it cannot respond in time, so the site becomes unavailable. The most common type of DoS attack occurs when an attacker “floods” the system with useless traffic, overloading it so that users are prevented from accessing their e-mail, website, etc.

Working of Mirai Bot

Let’s understand the working of Mirai Botnet

  • Each bot-infected IoT device scans random addresses in the public IPv4 space for other devices that accept Telnet (TCP ports 23 and 2323 in the leaked Mirai source) or SSH logins.

The Mirai scanning workflow can be broken down into three primary activities:

  1. SYN Port Scan – probing the internet for hosts with the Telnet port open, to identify possible targets
  2. Brute Force Authentication – trying a short, hard-coded dictionary of factory-default username/password pairs (e.g. root:xc3511, admin:admin) against each host found
  3. Report Success – working credentials, together with the victim IP, are sent to a centralized report server
  • Once a login succeeds, the bot sends the victim's IP address and credentials to the report server, which triggers the loader to connect to the device and push the Mirai binary onto it. The device is now a member of the botnet and starts scanning for further victims like every other node.
  • The attacker issues commands through a command-and-control (C2) server. The C2 tells each bot in the botnet which attack to launch, with the target and attack parameters, and every bot then executes the desired attack.
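The following is an added example, not code from the original article or from Mirai itself, showing how a defender can spot the first two steps of the workflow above in Telnet authentication logs: a single source fanning out across many hosts on the Telnet ports and cycling through the factory-default credentials that Mirai tries. The log line format is a constructed, hypothetical honeypot format (the field names and the sample lines are made up for this example), and the credential list is a subset of the defaults hard-coded in the leaked Mirai source. Only ports 23 and 2323 are watched, since those are what the original scanner probed; add 22 to MIRAI_PORTS to cover variants that also scan SSH.

```python
"""Flag Mirai-style Telnet scanning and default-credential brute force.

Added example for this article, not code from Mirai or from the article's
author. The log format is a hypothetical honeypot/Telnet auth log.
"""
import re
from collections import defaultdict

# Subset of the default username/password pairs hard-coded in Mirai's scanner
# (the leaked source carries a few dozen such pairs).
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("ubnt", "ubnt"), ("root", "7ujMko0vizxv"), ("root", "hi3518"), ("root", "klv123"),
}
# Ports the original Mirai scanner probed; add 22 to also watch SSH.
MIRAI_PORTS = {23, 2323}

# Constructed, hypothetical log format: one login attempt per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

# Constructed sample: 198.51.100.23 behaves like a Mirai bot (six hosts,
# five default credentials, one success); 192.0.2.9 is a legitimate admin
# login; 198.51.100.77 probes a non-Telnet port and is ignored.
SAMPLE_LOG = """\
2016-10-21T11:10:01Z src=198.51.100.23 dst=203.0.113.1 dport=23 user=root pass=xc3511 result=fail
2016-10-21T11:10:01Z src=198.51.100.23 dst=203.0.113.2 dport=23 user=root pass=vizxv result=fail
2016-10-21T11:10:02Z src=198.51.100.23 dst=203.0.113.3 dport=2323 user=admin pass=admin result=fail
2016-10-21T11:10:02Z src=198.51.100.23 dst=203.0.113.4 dport=23 user=root pass=xc3511 result=success
2016-10-21T11:10:03Z src=198.51.100.23 dst=203.0.113.5 dport=23 user=root pass=888888 result=fail
2016-10-21T11:10:03Z src=198.51.100.23 dst=203.0.113.6 dport=23 user=support pass=support result=fail
2016-10-21T11:12:40Z src=192.0.2.9 dst=203.0.113.4 dport=23 user=admin pass=Corr3ctHorse result=success
2016-10-21T11:13:05Z src=198.51.100.77 dst=203.0.113.8 dport=80 user=root pass=root result=fail
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def analyze(lines, fanout_threshold=5, cred_threshold=3):
    """Return {source_ip: [reasons]} for sources that look like Mirai bots.

    Three signals are combined: fan-out to many distinct hosts on the Telnet
    ports (SYN scan), several distinct Mirai default credentials tried
    (brute force), and any successful default-credential login (the event
    that would be reported to Mirai's report server).
    """
    targets = defaultdict(set)       # src -> distinct hosts hit on Telnet ports
    creds_tried = defaultdict(set)   # src -> distinct Mirai default creds tried
    successes = defaultdict(list)    # src -> [(dst, (user, pw))] for successes

    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dport"] not in MIRAI_PORTS:
            continue
        src = rec["src"]
        targets[src].add(rec["dst"])
        cred = (rec["user"], rec["pw"])
        if cred in MIRAI_DEFAULT_CREDS:
            creds_tried[src].add(cred)
            if rec["result"] == "success":
                successes[src].append((rec["dst"], cred))

    findings = {}
    for src in sorted(set(targets) | set(creds_tried)):
        reasons = []
        if len(targets[src]) >= fanout_threshold:
            reasons.append(f"Telnet fan-out to {len(targets[src])} hosts")
        if len(creds_tried[src]) >= cred_threshold:
            reasons.append(f"{len(creds_tried[src])} distinct Mirai default credentials tried")
        for dst, (user, pw) in successes[src]:
            reasons.append(f"successful default login {user}:{pw or '(none)'} on {dst}")
        if reasons:
            findings[src] = reasons
    return findings


if __name__ == "__main__":
    for src, reasons in analyze(SAMPLE_LOG.splitlines()).items():
        print(src)
        for reason in reasons:
            print("  -", reason)
```

The thresholds are deliberately low so the short sample trips them; on real logs a practitioner would raise the fan-out threshold and window the counts by time, since a Mirai bot hits many hosts per second while a misconfigured monitoring box hits a few per hour. The "successful default login" reason is the one worth paging on: it marks a device that is about to be loaded and join the botnet, so it should be isolated and its credentials changed.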

Real-world attack example of the Mirai bot: The 2016 Dyn cyberattack took place on October 21, 2016, and involved multiple distributed denial-of-service (DDoS) attacks targeting systems operated by Domain Name System (DNS) provider Dyn, which caused major Internet platforms and services to be unavailable to large swathes of users in Europe and North America. The groups Anonymous and New World Hackers claimed responsibility for the attack, but scant evidence was provided.

As a DNS provider, Dyn provides end-users the service of mapping an Internet domain name, for instance one entered into a web browser, to its corresponding IP address. The DDoS attack was accomplished through a large number of DNS lookup requests from tens of millions of IP addresses. The activity is believed to have been executed through a botnet consisting of a large number of Internet-connected devices, such as printers, IP cameras, residential gateways and baby monitors, that had been infected with the Mirai malware.