Class 8 Lab 2 ‐ Mirai Botnet Research - Justin-Boyd/CIT-Class GitHub Wiki
What is Mirai?
Answer
Mirai is malware that targets devices running the Linux OS, such as personal routers and IP cameras, and turns them into bots.
Who was the first to identify the malware?
Answer
A white-hat malware research group called MalwareMustDie.
What kind of attack was it?
Answer
Multiple Distributed Denial of Service (DDoS) attacks.
When did the attack take place?
Answer
October 21, 2016
Who was the target?
Answer
Dyn, a major DNS provider responsible for the DNS of Netflix, Reddit, GitHub, Twitter, Airbnb, and others.
How does Mirai work?
Answer
Mirai scans the internet for the IP addresses of IoT devices and tries to log in using a list of default credentials covering about 60 common devices. If a login succeeds, it infects the device and turns it into a bot that repeats the same scanning and infection steps. The malware does not interrupt the device's normal functionality, apart from the increased bandwidth usage it causes.
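The scan-and-login behaviour described above has a detectable footprint: one infected host opens connections to many distinct addresses on the same service port in a short time. The script below is an added example, not code from the wiki page or from the Mirai source, that flags that fan-out in simplified connection logs. The log format ("epoch_seconds src_ip dst_ip dst_port"), the sample lines, the choice of ports 23 and 2323 (telnet) and the window/threshold values are all assumptions made for the example.

```python
"""Flag hosts whose connection pattern looks like Mirai-style credential scanning.

Added example; not part of the original wiki page. Assumptions: connection logs
are simplified to "epoch_seconds src_ip dst_ip dst_port" lines (constructed
below), the ports of interest are 23 and 2323 (telnet, which Mirai probed),
and the window/threshold values are illustrative.
"""
from collections import Counter, defaultdict

SCAN_PORTS = {23, 2323}   # assumption: services a Mirai-style scanner probes
WINDOW_SECONDS = 60       # look for fan-out inside a short time window
THRESHOLD = 20            # distinct destinations that trigger an alert

# Constructed sample log. 10.0.0.5 sweeps 30 addresses on port 23 in 30 s,
# 10.0.0.7 reconnects to a single recorder 25 times (polling, not a sweep),
# 10.0.0.9 does ordinary HTTPS plus one telnet session.
_LINES = [f"{1477000000 + i} 10.0.0.5 203.0.113.{i + 1} 23" for i in range(30)]
_LINES += [f"{1477000000 + i} 10.0.0.7 192.0.2.1 23" for i in range(25)]
_LINES += ["1477000010 10.0.0.9 198.51.100.7 443",
           "1477000011 10.0.0.9 203.0.113.50 23"]
SAMPLE_LOG = "\n".join(_LINES)


def parse_line(line):
    """Split one log line into (timestamp, src, dst, dport)."""
    ts, src, dst, dport = line.split()
    return int(ts), src, dst, int(dport)


def detect_scanners(log_text, ports=SCAN_PORTS, window=WINDOW_SECONDS,
                    threshold=THRESHOLD):
    """Return {src: peak distinct destinations} for every source whose peak
    number of distinct destinations on `ports` within any `window` seconds
    reaches `threshold`. Repeated hits on one destination are not fan-out."""
    events = defaultdict(list)            # src -> [(ts, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = parse_line(line)
        if dport in ports:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                        # sliding window needs time order
        in_window = Counter()             # dst -> hits inside current window
        lo, peak = 0, 0
        for ts, dst in evs:
            in_window[dst] += 1
            while evs[lo][0] < ts - window:   # expire events older than window
                old_dst = evs[lo][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                lo += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, fanout in detect_scanners(SAMPLE_LOG).items():
        print(f"ALERT {src}: {fanout} distinct telnet targets within {WINDOW_SECONDS}s")
```

Counting distinct destinations rather than raw connections is what separates a sweep from a device that simply polls one peer; the threshold should be tuned against what a given network's legitimate management traffic looks like.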
How can the Mirai malware be mitigated?
Answer
The Mirai malware exploited the public's naivety and worked through the default credentials shipped with IoT devices. Mitigation could therefore have been as simple as changing the default credentials on any device whose management interface could be reached from the network.
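One way to act on that mitigation at scale is to audit an inventory for accounts still set to factory defaults, without ever logging in to the devices. The following is an added example, not code from the wiki page or any vendor tool; it assumes a provisioning system that stores each device's management credential as a salted PBKDF2 hash, and both the inventory and the default-credential list are constructed for the example.

```python
"""Audit a device inventory for accounts still using vendor default credentials.

Added example; not part of the original wiki page. Assumptions: the inventory
and the default-credential list are constructed here, and each device record
stores the management account as a salted PBKDF2 hash, so the audit needs no
plaintext passwords and no login attempts against the devices.
"""
import hashlib
import hmac

PBKDF2_ROUNDS = 10_000   # kept low so the example runs quickly


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, returned as hex."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS).hex()


# Constructed sample of factory default user/password pairs (illustrative only).
DEFAULT_CREDENTIALS = [
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("root", "12345"),
]


def device(host, user, password, mgmt_reachable):
    """Build an inventory record the way a provisioning system might store it."""
    salt = f"salt-{host}".encode()      # constructed per-device salt
    return {"host": host, "user": user, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "mgmt_reachable": mgmt_reachable}


# Constructed inventory: two devices still on defaults, one rotated, and one
# whose default-looking password sits on a username the list does not pair it with.
INVENTORY = [
    device("cam-01", "admin", "admin", True),
    device("router-01", "admin", "Kx7!pQ2#unique", True),
    device("dvr-02", "root", "12345", False),
    device("cam-03", "operator", "admin", True),
]


def audit_defaults(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return (host, user, mgmt_reachable) for every device whose stored
    management credential matches a known default user/password pair,
    listing devices reachable from the network first."""
    findings = []
    for dev in inventory:
        for user, password in defaults:
            if user != dev["user"]:
                continue
            candidate = hash_password(password, dev["salt"])
            if hmac.compare_digest(candidate, dev["pw_hash"]):
                findings.append((dev["host"], user, dev["mgmt_reachable"]))
                break
    findings.sort(key=lambda f: not f[2])   # stable: reachable devices first
    return findings


if __name__ == "__main__":
    for host, user, reachable in audit_defaults(INVENTORY):
        where = "network-reachable" if reachable else "local only"
        print(f"{host}: account '{user}' still on a default password ({where})")
```

Matching on the user/password pair, not the password alone, mirrors how the default lists are built; a real audit would also treat a network-reachable management interface on its own as a finding to fix, since rotating the password and restricting the interface are complementary.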
Are there any mutations or variations of Mirai?
Answer
Satori exploited a zero-day in Huawei routers.
Okiru targeted ARC processors.
Masuta/PureMasuta used a D-Link router vulnerability to achieve RCE on IoT devices.
OMG turned IoT devices into proxy servers.
Wicked targeted Netgear routers and closed circuit camera DVRs.
And there were many more such cases.