Mirai (malware)
| Original author(s) | "Anna-senpai" (online pseudonym) |
|---|---|
| Repository | github |
| Written in | C (agent), Go (controller) |
| Operating system | Linux |
| Type | Botnet |
Mirai (Japanese for "the future", 未来) is malware that turns computer systems running Linux into remotely controlled "bots", that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet was firstly found in August 2016 by MalwareMustDie, a whitehat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's web site, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a leaked chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime Mirai Nikki.
The source code for Mirai has been published in hacker forums as open-source. Since the source code was published, the techniques have been adapted in other malware projects.
Devices infected by Mirai continuously scan the internet for the IP address of Internet of things (IoT) devices. Mirai includes a table of IP Address ranges that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.
Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware. Infected devices will continue to function normally, except for occasional sluggishness, and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes. Upon infection Mirai will identify "competing" malware and remove them from memory and block remote administration ports.
...
Wikipedia