|Original author(s)||"Anna-senpai aka LiteSpeed"
|Written in||C (agent), Go (controller)|
Mirai (Japanese for "the future", 未来) is malware that turns networked devices running Linux into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a leaked chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.
Devices infected by Mirai continuously scan the internet for the IP address of Internet of things (IoT) devices. Mirai includes a table of IP Address ranges that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.
Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware. Infected devices will continue to function normally, except for occasional sluggishness, and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes. Upon infection Mirai will identify "competing" malware and remove them from memory and block remote administration ports.
There are hundreds of thousands of IoT devices which use default settings, making them vulnerable to infection. Once infected, the device will monitor a command and control server which indicates the target of an attack. The reason for the use of the large number of IoT devices is to bypass some anti-DoS software which monitors the IP address of incoming requests and filters or sets up a block if it identifies an abnormal traffic pattern, for example, if too many requests come from a particular IP address. Other reasons include to be able to marshall more bandwidth than the perpetrator can assemble alone, and to avoid being traced.
Mirai was used, alongside BASHLITE, in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s. Ars Technica also reported a 1 Tbit/s attack on French web host OVH.
On 21 October 2016 multiple major DDoS attacks in DNS services of DNS service provider Dyn occurred using Mirai malware installed on a large number of IoT devices, resulting in the inaccessibility of several high-profile websites such as GitHub, Twitter, Reddit, Netflix, Airbnb and many others. The attribution of the Dyn attack to the Mirai botnet was originally reported by Level 3 Communications.
Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.
Mirai has also been used in an attack on Liberia's Internet infrastructure in November 2016. According to computer security expert Kevin Beaumont the attack appears to have originated from the actor which also attacked Dyn.
On January 17, 2017, computer security journalist Brian Krebs posted an article on his blog, Krebs on Security, where he disclosed the name of the person who he believed to have written the malware. Krebs stated that the likely real-life identity of Anna-senpai (named after Anna Nishikinomiya, a character from Shimoneta), the author of Mirai, was actually Paras Jha. Jha is the owner of a DDoS mitigation service company ProTraf Solutions and a student of Rutgers University. In an update to the original article, Paras Jha responded to Krebs and denied having written Mirai. FBI was reported to have questioned Jha on his involvement in the October 2016 Dyn cyberattack.
At the end of November 2016, approximately 900,000 routers, from Deutsche Telekom and produced by Arcadyan, were crashed due to failed TR-064 exploitation attempts by a variant of Mirai, which resulted in Internet connectivity problems for the users of these devices. While TalkTalk later patched their routers, a new variant of Mirai was discovered in TalkTalk routers.
A British man suspected of being behind the attack has been arrested at Luton Airport, according to the BBC.