[1] Mirai (未来 in original Japanese, lit. meaning "the future") is malware that turns computer systems running the Linux operating system into remotely controlled "bots" that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as remote cameras and home routers. The Mirai botnet has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs's website, an attack on French web host OVH, and the October 2016 Dyn cyberattack.

The source code for Mirai has been published in hacker forums as open-source. Since the source code was published, the techniques have been adapted in other malware projects.


Devices infected by Mirai continuously scan the internet for the IP addresses of Internet of Things (IoT) devices. Mirai includes a table of IP address ranges that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.[14]

Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them with the Mirai malware.[6][15][16] Infected devices will continue to function normally, except for occasional sluggishness[15] and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and, after a short wait, turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.[15] Upon infection, Mirai will identify "competing" malware, remove it from memory, and block remote administration ports.[17]

Victim IoT devices are identified by “first entering a rapid scanning phase (①) where it asynchronously and ‘statelessly’ sent TCP SYN probes to pseudo-random IPv4 addresses, excluding those in a hard-coded IP blacklist, on Telnet TCP ports 23 and 2323”.[18] If an IoT device responds to the probe, the attack then enters a brute-force login phase. During this phase, the attacker tries to establish a Telnet connection using predetermined username and password pairs from a list of credentials. Most of these logins are default usernames and passwords from the IoT vendor. If the IoT device allows Telnet access, the victim's IP address, along with the credential that succeeded, is sent to a collection server.
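The scanning phase described above leaves a recognizable trace in flow or firewall logs: one source sending bare SYN probes to many distinct addresses on TCP ports 23 and 2323 within a short time. The following detection sketch is an added example, not part of the original article and not taken from Mirai's code; the log format, the sample records, the 60-second window and the threshold of 5 destinations are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}        # ports named in the passage above
WINDOW = timedelta(seconds=60)   # assumed sliding window
MIN_DISTINCT_DSTS = 5            # assumed threshold; tune per network

# Constructed sample records: "ISO-time src dst dport tcp_flags"
SAMPLE_FLOWS = """\
2016-10-01T12:00:00 192.0.2.10 198.51.100.7 23 S
2016-10-01T12:00:01 192.0.2.10 203.0.113.44 23 S
2016-10-01T12:00:02 192.0.2.10 198.51.100.91 2323 S
2016-10-01T12:00:03 192.0.2.10 203.0.113.5 23 S
2016-10-01T12:00:04 192.0.2.10 198.51.100.200 23 S
2016-10-01T12:00:05 192.0.2.10 203.0.113.77 2323 S
2016-10-01T12:00:06 192.0.2.20 198.51.100.7 23 S
2016-10-01T12:05:00 192.0.2.20 198.51.100.7 23 S
2016-10-01T12:00:00 192.0.2.30 203.0.113.1 23 S
2016-10-01T12:10:00 192.0.2.30 203.0.113.2 23 S
2016-10-01T12:00:07 192.0.2.40 198.51.100.7 443 S
"""

def parse_flows(text):
    """Yield (time, src, dst, dport, flags) from whitespace-separated lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip blank or malformed lines
        ts, src, dst, dport, flags = parts
        yield datetime.fromisoformat(ts), src, dst, int(dport), flags

def find_telnet_scanners(flows, window=WINDOW, min_dsts=MIN_DISTINCT_DSTS):
    """Map each flagged source to the most distinct targets seen in one window."""
    probes = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if dport in TELNET_PORTS and flags == "S":  # bare SYN, no ACK
            probes[src].append((ts, dst))
    scanners = {}
    for src, events in probes.items():
        events.sort()
        best = start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_dsts:
            scanners[src] = best
    return scanners
```

On the sample records only 192.0.2.10 is flagged; the host that reconnects to a single Telnet server and the source probing one address every ten minutes both stay under the threshold.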

There are hundreds of thousands of IoT devices which use default settings, making them vulnerable to infection. Once infected, the device will monitor a command and control server which indicates the target of an attack.

The "Lelddos Gang"

The group was very active in 2014 and was known for its constant attacks on Minecraft web servers using ancestors of the Mirai worm. Minecraft servers were often attacked by this gang, forcing server owners to pay out large balances in order to prevent future DDoS attacks. It is believed that lelddos was the alias for the group who created and weaponized the Mirai worm. The alternative that was readily available to Minecraft server owners was to use the services of ProTraf Solutions, which is also believed to be the security company owned by the Lelddos gang. Paras Jha, President of ProTraf Solutions, is also believed to go by the online alias Anna-Senpai, the author of the Mirai worm and the person in charge of it.


According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.


  1. Brian Krebs January 18th, 2017. [1] Krebsonsecurity