What is Mirai?

Mirai is malware that infects IoT devices running Linux and turns them into a botnet. Botnets of this kind are used by cybercriminals as tools to carry out such things as DDoS attacks, spam, phishing, and click fraud.

Example of a botnet


A definition of Mirai

Mirai is a type of Linux malware that exploits vulnerabilities in IoT devices (Internet of Things) such as routers, IP cameras, networked household appliances, and smart TVs to infect them with malicious code. The worm attempts to find vulnerable devices on the internet, take control of them, and turn them into a botnet that can then be remotely controlled. Attackers use botnets like this for a variety of criminal activities – from distributed denial of service (DDoS) attacks to spam and phishing campaigns to data theft and click fraud. Incidentally, the name of the malware is said to be derived from the “Future Diary” anime series, originally entitled “Mirai Nikki” in Japanese. “Mirai” is a Japanese given name that means “future.”


Who is behind Mirai?

The Mirai worm was originally written by two Americans, Paras Jha and Josiah White, the founders of ProTraf Solutions, a DDoS mitigation service company. Their business model entailed directly blackmailing companies by launching DDoS attacks carried out via their botnet or selling defensive services to the companies they attacked. In other words, they were paid to put out the fires that they themselves had set. They also used their Mirai botnet for click fraud and rented it out to other cybercriminals.

Along with another accomplice, Jha and White pleaded guilty to all of the above at the end of 2017. Less than a year later, the three defendants were sentenced to five years of probation, 2,500 hours of community service, and payment for restitution. In the fall of 2016, even before they were targeted by law enforcement, the authors of Mirai had published the source code of their malware in a hacking forum under the pseudonym “Anna-senpai.” That is why Mirai is still very active today. Based on the source code, malware authors continue coming up with new variants or derivatives of the Mirai family with additional features used in attacks.


How does Mirai work?

Mirai continuously scans the internet for publicly accessible IoT devices lacking password protection or using common factory default usernames and passwords. Once the malware has identified vulnerable devices, it tries a variety of default credentials to access the admin interface and report the infected devices to a “command and control” (C&C) server. The systems discovered using this method then become members (bots) of a botnet and can be remotely controlled via the C&C server to independently carry out a series of attacks and infect other devices. Insidiously, Mirai infections can occur without users actively downloading or executing the malware.


What is indicative of a Mirai infection?

Infection with the malware usually occurs without users noticing a thing. Detecting a Mirai infection is unfortunately no easy task. In some cases, reduced device performance, a slow internet connection, or increased bandwidth can be signs that a device is being used as a bot to perform other activities in the background. However, none of these indicators will necessarily occur. That makes it all the more important to prevent infection and take preventive measures against attacks from botnets.


What risks are posed by botnets such as Mirai?

Malicious actors use botnets for a wide variety of attacks. Their motivation is usually financial. Botnet-based attacks can now even be purchased as a service for very little money, which means that criminals lacking the technical expertise can also exploit the huge potential harm caused by botnets for their own purposes. The range of criminal activities includes:

DDoS attacks

Using their own or leased botnets, cybercriminals often carry out DDoS attacks on websites, web applications, APIs, or IT infrastructure in order to overload the intended target with a massive volume of automated requests and thus bring it to its knees. The more bots are joined together, the more powerful the attack. Attackers often combine DDoS with blackmail: They threaten to carry out more overload attacks if the companies under attack do not pay protection money. The original Mirai authors also used their botnet for these criminal purposes.

Spam & phishing

Sending spam or phishing emails en masse is one of the most common uses of botnets. This is how criminals seek, among other things, to spread malware or to persuade unsuspecting users to divulge access data and other sensitive information.

Credential stuffing

By using a multitude of bots, attackers quickly test a huge number of user/password combinations via automated queries to webshops, online banks, or even company accounts. Confirmed credentials for active accounts are then sold on the darknet, or the information is used for more extensive attacks.


Devices incorporated into a botnet can be used as proxies to hide their own IP address and thus surf the internet anonymously using third-party IPs. This is done by simply routing data traffic through the botnet.


Some operators of botnets exploit the concentrated computing power of the devices they hijack to secretly mine cryptocurrencies and generate revenue directly.

Click fraud

Even the creators of Mirai used and rented out their botnet for click fraud. In this form of online fraud, bots are used to click on certain ads or affiliate links on websites in order to specifically manipulate the pay-per-click data of the advertising billing system, generating revenue at the advertiser’s expense.


Known attacks using Mirai

In 2016, the original Mirai botnet consisted of approx. 500,000 compromised IoT devices around the world. The botnet later grew to include several million devices. With this vast number of bots, cybercriminals carried out numerous attacks, especially in the early days of Mirai:

Minecraft server/OVH

The first known attacks using Mirai took aim at the servers of Minecraft, a popular online game. One of the victims was French hosting provider OVH, which was the target of one of the largest DDoS attacks to date in September 2016. In 2017 and 2018, additional attacks used Mirai to target Minecraft servers, such as the Minecraft Hypixel network.


Also in September 2016, a DDoS attack carried out using Mirai resulted in the blog of investigative journalist and IT security expert Brian Krebs being unavailable for several days. Motivated by this, Krebs set out to uncover the identity of the creators of Mirai, which he succeeded in doing following months of research.


In October 2016, a massive DDoS attack hit DNS service provider Dyn, forcing its servers to their knees. As a result, the American service provider’s customers were unavailable or only partially accessible for hours, including major players such as Twitter, Reddit, GitHub, CNN, The Guardian, Amazon, Netflix, and Spotify. The attack was carried out via the Mirai botnet, among others. The SpainSquad, Anonymous, and New World Hackers hacker collectives subsequently publicly admitted to being responsible.

Router/Deutsche Telekom

A worldwide attack by the Mirai botnet on selected remote maintenance interfaces of DSL routers crippled more than 900,000 of Deutsche Telekom’s network of Speedport routers in November 2016. Although the devices were not compromised, they still failed due to an internal error. As a consequence, affected Telekom customers were unable to make phone calls or go online.


What provides protection against Mirai?

Mirai exists entirely in the volatile memory of infected systems. This is why rebooting an infected device is enough to remove the malware. However, the system may get repeatedly reinfected while connected to the internet and only protected by a default password. For this reason, devices connected to the internet should always be secured with a unique, strong password.

It is also a good idea to install firmware and security updates for systems and devices as soon as possible. If updates are no longer available, you should also check whether IoT devices such as IP cameras or smart TVs can be operated on the local network without being connected to the internet.

DDoS attacks carried out via botnets represent a major threat to companies. To avoid financial and reputational damage due to disruptions or outages, companies should take preventive measures to secure their web resources and IT infrastructure with dedicated DDoS protection, which can be purchased as a managed service. Protection against other typical botnet attacks is provided by a combination of a web application firewall (WAF) and bot management.


What you need to know about Mirai

Mirai ranks as one of the most active botnets since 2016. The computer worm bearing the same name targets a wide range of publicly available IoT devices to use as remote-controlled bots for illegal activities – from spam and phishing to credential stuffing and DDoS attacks. Insecure configurations and standard passwords often make it easy for criminals to take over IoT devices and turn them into botnets. In early 2022, new Mirai variants also specifically exploited the Log4Shell vulnerability in the Log4J Java library to use vulnerable IoT devices as tools in DDoS attacks or cryptomining. Botnet-based attacks have huge potential for harm. That is why companies should take preventive measures to protect themselves against them, with dedicated DDoS protection, for example.