Mirai is a Japanese word meaning “the future”. Mirai malware infects IoT devices running BusyBox. Mirai was known in 2016 when it was used in Denial of Service attack against Brian Krebs Security Blog “Krebs On Security” as one of its initial targets. Mirai malware is a cross-platform worm categorized as an Executable Linkable Format (ELF). In recent times, Mirai is one of the most predominant Distributed Denial of Service Internet of Things (DDoS) botnet. Not as sophisticated as Remaiten botnet but however more effective, Mirai botnet is absolutely the next step in IoT DDoS botnet malwares. The source code of Mirai is written in C and the main but not sole objective of the malware is the infection of routers and IP cameras by continously scanning ports 22, 23 and 5747. Mirai employs a brute force method to guess passwords through dictionary attack.
Mirai tries to login, gain entry and infect an IoT device once it gets connected to the device. The infected device in turn scans other networks searching for devices to infect. A piece of hardware or a daemon with a root previledge to retstart a system is known as a daemon. Mirai locates watchdog at /dev/watchdog or /etc/watchdog, depending on where it is located and immediately deletes it. To check if a system is running, the Linux kernel make use of a watchdog. The watchdog automatically reboot hanged system that happened as a result of unrecoverable software errors. Watchdog is usually not required in personal computers since the computer users can reboot the system manually. Mission critical systems and embedded systems like IoT however need a watchdog to reboot automatically without the need for a human intervention. Mirai also locates a malware process with a similar characteristics like Zollard or Qbot and kills it. The Mirai malware conceals it’s process, proceeds to open UDP port 53 to reach out to Google DNS server located at 184.108.40.206 and gain a connection. Mirai malware spot an outbound interface and opens a random TCP port to communicate with the C & C server. Once the malware is up and running, the malware will deletes it’s executables to avoid trace while it’s process is ongoing.
Since Mirai malware process exists in the dynamic memory, disconnecting the device from the network and rebooting the device is all that is needed to eradicate the malware. Mirai botnet setup comprises of three major components: bot, scanListen/loading server and the C & C server which also serves as a MySQL database server. The database could be use to create user accounts for customers wishing to hire DDoS-as-a-service. Upon infection and becoming a bot, an IoT device tries connecting to the listening C & C server by resolving it’s domain name and opening a socket connection. Next, it sends SYN packets to scan the network to random IP addresses and awaits a response. The bot scans a large number of IP addresses hence the process takes a while to complete. The bot tries to open a socket connection to that device and emulates TELNET protocol upon finding a vulnerable device with an exposed TELNET port. Next it attempts gaining access using a list of default credentials and upon finding the right credentials, report the IP address of the discovered device and the right TELNET login credentials to the listening scanListen server. The scanListen server sends that information to the loader which also logs into the discovered device using the credentials received from the scanListen server. The loader downloads the Mirai bot binary to the discovered device upon logging in and the new bot connects to the C & C server and begins scanning the network.
Mirai infected 4000 IoT devices per hour during its peak and currently estimated to have a little more than half a million infected active IoT devices. Mirai botnet is well known for being used in the record breaking 1.1 Tbps DDoS attack with 148000 IoT devices. Targets are mostly CCTV cameras, DVRs and home routers. According to According to Krebs Paras Jha who goes with an alias “Anna-senpai” is the supposed author of the Mirai malware. Anna-senphai released the Mirai source code as open source on Hackforums, an English-based hacking community. The number of IoT infected devices has raised from 213,000 to 483,000 in a couple of weeks since the release of the Mirai source code. Mirai DDoS attack strength ranges from 200 Gbps to 1.2 Tbps (Angrishi, 2017). To carry out DDoS attack, Mirai can generates floods of GRE IP, GRE ETH, SYN, ACK, STOMP, DNS, UDP or HTTP traffic against a target.