Mirai continuously scans the internet for publicly accessible IoT devices lacking password protection or using common factory default usernames and passwords. Once the malware has identified vulnerable devices, it tries a variety of default credentials to access the admin interface and report the infected devices to a “command and control” (C&C) server. The systems discovered using this method then become members (bots) of a botnet and can be remotely controlled via the C&C server to independently carry out a series of attacks and infect other devices. Insidiously, Mirai infections can occur without users actively downloading or executing the malware.
Malicious actors use botnets for a wide variety of attacks. Their motivation is usually financial. Botnet-based attacks can now even be purchased as a service for very little money, which means that criminals lacking the technical expertise can also exploit the huge potential harm caused by botnets for their own purposes. The range of criminal activities includes:
Using their own or leased botnets, cybercriminals often carry out DDoS attacks on websites, web applications, APIs, or IT infrastructure in order to overload the intended target with a massive volume of automated requests and thus bring it to its knees. The more bots are joined together, the more powerful the attack. Attackers often combine DDoS with blackmail: They threaten to carry out more overload attacks if the companies under attack do not pay protection money. The original Mirai authors also used their botnet for these criminal purposes.
Spam & phishing
Sending spam or phishing emails en masse is one of the most common uses of botnets. This is how criminals seek, among other things, to spread malware or to persuade unsuspecting users to divulge access data and other sensitive information.
By using a multitude of bots, attackers quickly test a huge number of user/password combinations via automated queries to webshops, online banks, or even company accounts. Confirmed credentials for active accounts are then sold on the darknet, or the information is used for more extensive attacks.
Devices incorporated into a botnet can be used as proxies to hide their own IP address and thus surf the internet anonymously using third-party IPs. This is done by simply routing data traffic through the botnet.
Some operators of botnets exploit the concentrated computing power of the devices they hijack to secretly mine cryptocurrencies and generate revenue directly.
Even the creators of Mirai used and rented out their botnet for click fraud. In this form of online fraud, bots are used to click on certain ads or affiliate links on websites in order to specifically manipulate the pay-per-click data of the advertising billing system, generating revenue at the advertiser’s expense.
In 2016, the original Mirai botnet consisted of approx. 500,000 compromised IoT devices around the world. The botnet later grew to include several million devices. With this vast number of bots, cybercriminals carried out numerous attacks, especially in the early days of Mirai:
The first known attacks using Mirai took aim at the servers of Minecraft, a popular online game. One of the victims was French hosting provider OVH, which was the target of one of the largest DDoS attacks to date in September 2016. In 2017 and 2018, additional attacks used Mirai to target Minecraft servers, such as the Minecraft Hypixel network.
Also in September 2016, a DDoS attack carried out using Mirai resulted in the blog of investigative journalist and IT security expert Brian Krebs being unavailable for several days. Motivated by this, Krebs set out to uncover the identity of the creators of Mirai, which he succeeded in doing following months of research.
In October 2016, a massive DDoS attack hit DNS service provider Dyn, forcing its servers to their knees. As a result, the American service provider’s customers were unavailable or only partially accessible for hours, including major players such as Twitter, Reddit, GitHub, CNN, The Guardian, Amazon, Netflix, and Spotify. The attack was carried out via the Mirai botnet, among others. The SpainSquad, Anonymous, and New World Hackers hacker collectives subsequently publicly admitted to being responsible.
A worldwide attack by the Mirai botnet on selected remote maintenance interfaces of DSL routers crippled more than 900,000 of Deutsche Telekom’s network of Speedport routers in November 2016. Although the devices were not compromised, they still failed due to an internal error. As a consequence, affected Telekom customers were unable to make phone calls or go online.
Always up to date
with Myra Security