
Understanding the Mirai Botnet Attack Type

What is the Mirai Botnet?

Mirai is a self-propagating botnet virus. The source code for Mirai was made publicly available by the author after a successful and well-publicized attack on security writer Brian Krebs’ website. Since then, the source code has been built and used by many others to launch attacks on internet infrastructure.

The Mirai botnet code infects poorly protected internet devices by using telnet to find those that are still using their factory default username and password. The effectiveness of Mirai is due to its ability to infect tens of thousands of these insecure devices and coordinate them to mount a DDoS attack against a chosen victim.

How Mirai Works

There are two main components to Mirai:

  1. The virus itself.
  2. The command and control (C&C) server.

The virus contains the attack vectors. Mirai has ten attack vectors it can launch, plus a scanner process that actively seeks new devices to compromise. The C&C server is a separate image that controls the compromised devices (bots), sending them instructions to launch an attack against one or more victims.

Each bot runs the scanner process continuously, using the telnet protocol on TCP port 23 or 2323. The process attempts to log in to IP addresses chosen at random and will try up to 60 different factory default username and password pairs. When a login succeeds, the identity of the new bot and its credentials are sent back to the C&C server.

The C&C supports a simple command line interface that allows the attacker to specify an attack vector, a victim’s IP address, and an attack duration. The C&C also waits for its existing bots to return newly discovered device addresses and credentials. It uses these to copy over the virus code and, in turn, create new bots.
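The scanning behaviour described above (random targets, TCP 23/2323, repeated default-credential logins) has a recognisable footprint in perimeter logs: one source touching many distinct telnet destinations in a short time. The following detector is an added example, not Corero's or Mirai's code; the key=value log format, the sample lines and the thresholds are constructed for illustration.

```python
# Flag hosts that behave like Mirai's telnet scanner: connection attempts to many
# *distinct* destinations on TCP 23/2323 inside a short window. Log format and
# sample lines below are constructed for this example, not a real product's output.
from collections import defaultdict
from datetime import datetime

TELNET_PORTS = {"23", "2323"}   # ports Mirai's scanner probes
WINDOW_SECONDS = 60             # sliding window per source address
DISTINCT_DST_THRESHOLD = 5      # distinct targets before a source is flagged

def parse_line(line):
    """Parse 'ISO-timestamp key=value ...' into a dict; None if malformed."""
    parts = line.split()
    try:
        rec = {"ts": datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")}
    except (IndexError, ValueError):
        return None
    rec.update(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    return rec

def find_scanners(lines):
    """Return {src: peak distinct telnet targets} for sources over the threshold."""
    recent = defaultdict(list)   # src -> [(ts, dst)] seen inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if not rec or rec.get("dport") not in TELNET_PORTS:
            continue
        src, dst, ts = rec.get("src"), rec.get("dst"), rec["ts"]
        # drop events older than the window, then add the new one
        recent[src] = [(t, d) for t, d in recent[src]
                       if (ts - t).total_seconds() <= WINDOW_SECONDS] + [(ts, dst)]
        distinct = {d for _, d in recent[src]}
        if len(distinct) >= DISTINCT_DST_THRESHOLD:
            flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged

# Constructed sample: 203.0.113.5 sweeps six random addresses on 23/2323 within
# six seconds (Mirai-like); 192.0.2.10 re-uses one telnet host; 192.0.2.11 is HTTPS.
SAMPLE_LOG = [
    f"2016-10-21T12:00:{i:02d}Z src=203.0.113.5 dst=198.51.100.{i} "
    f"dport={23 if i % 2 else 2323} proto=tcp" for i in range(1, 7)
] + [
    "2016-10-21T12:00:10Z src=192.0.2.10 dst=198.51.100.50 dport=23 proto=tcp",
    "2016-10-21T12:00:20Z src=192.0.2.10 dst=198.51.100.50 dport=23 proto=tcp",
    "2016-10-21T12:00:30Z src=192.0.2.11 dst=198.51.100.60 dport=443 proto=tcp",
    "not a log line",
]
```

A legitimate administrator who telnets to the same device several times is not flagged, because the rule counts distinct destinations rather than raw connection attempts.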

The Mirai Code

The virus is built for multiple CPU architectures (x86, ARM, Sparc, PowerPC, Motorola) to account for the various CPUs deployed in IoT devices. The image itself is small and employs several techniques to remain undiscovered and to obscure its internal mechanisms from reverse engineering attempts.

Once the virus is loaded into memory on the bot, it deletes itself from the bot’s disk. The virus remains active until the bot is rebooted. Immediately after a reboot the device is free of the virus; however, it takes only a few minutes before the device is discovered again and re-infected.

The attack vectors are highly configurable from the C&C, but by default Mirai tends to randomize the various fields (port numbers, sequence numbers, ident, etc.) in the attack packets so they change with every packet sent.

How To Defend Against Mirai

Mirai will continue to be a threat until the poorly protected devices are secured; however, shoring up these devices is not something victims of Mirai attacks have any control over.

The Corero SmartWall® One DDoS protection platform has various protections against Mirai type attacks. Our Security Operations Team (SOC) also has in-depth experience in dealing with Mirai attacks and can enable additional mitigation functions for customers not already taking advantage of the SecureWatch® Managed Service offering.
