Mirai Attacks

Javid Chizari

9/30/20222 min read

Mirai is an open-source malware created to take over "busybox" systems and carry out DDoS (Distributed Denial of Service) attacks on IoT devices and turning them into botnets or zombies. BusyBox is a mixture of tiny varieties of many common UNIX utilities crafted into a single small executable and is commonly used on IoTs.

Mirai spreads by brute-forcing telnet servers running on unsecured ports 22, 23, and 80. It starts by using the factory default credentials on the devices, which most IoT users fail to change when activating them. As the malware gets inside, it kills the control panel and locks out the owners or users.

Mirai’s huge success in DDoS attacks is indebted to IoTs’ simplicity, lack of anti-malware, and the massive number of them connected to the internet, widening the attack surface while infecting them doesn’t need social engineering, sophisticated and expensive malware to bypass IDS or IPS, which are used in conventional devices such as computers. IoTs are easier to infect and harder to be detected because of IoTs various capabilities and environments while facing serious challenges in applying complex security measures due to OS implications and cost efficiency.

The simplicity of Mirai and open access to its source code have certainly contributed to the rise and evolution of Mirai, improving and expanding its capabilities. The attack on Dyn and pushing many popular services offline was a loud alert to be heard, and plan to prevent it from happening again. Steps that could be taken to minimize the risks:

  • Applying recommendations made by CISA or CIS

  • Network segmentation

  • Maintenance and updating the IoT devices

  • Changing the default factory settings

  • Routine anomaly checks

  • Applying Blacklist/whitelist principle

  • Securing modems, routers, and other network devices that IoTs connect to them