Mirai Botnet

In September 2016, the creators of the Mirai botnet launched a large-scale DDoS attack on the website of renowned journalist and cybersecurity expert Brian Krebs. A week later, they published the source code of the malware. It is quite possible that this was done to hide the origin of the attack. The code quickly spread among cybercriminals and was reproduced in other variations.

It is believed that this malware is behind a large-scale attack that temporarily blocked the work of the hosting provider and domain registrar Dyn in October 2016. To do this, the Mirai botnet used 100,000 hacked IoT devices.

Name: Mirai
Status: Semi-active
Description: Malware used to perform DDoS attacks. Infects smart devices (IoT).

Contents
1. What is Mirai
2. Operating principle
3. Who created the Mirai botnet
4. Damage from DDoS attacks
5. What is the connection between Mirai and click fraud?
6. Why does Mirai malware remain dangerous?
7. How to protect advertising from botnet attacks

What is Mirai

Mirai is a malware that infects IoT devices (smart home appliances with internet access) running on ARC processors and turns them into a network of remotely controlled bots, also called "zombies". This botnet is often used to launch DDoS attacks.

Operating principle

Mirai searches for Internet-connected IoT devices running on an ARC processor, specifically those running a stripped-down version of the Linux OS. The malware gains access by trying the device's default username and password (if they have not been changed).

IoT (short for Internet of Things) is a term used to describe smart devices that can connect to the internet. These devices can include baby monitors, switches, kettles, boilers, vacuum cleaners, medical devices, routers, video recorders, surveillance cameras, smoke detectors, etc.
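The operating principle described above (mass scanning followed by default-credential login attempts) leaves a recognisable trace in device authentication logs. The following is an added example, not code from the original post: it parses constructed syslog-style lines from a few IoT devices and flags a source that racks up many failed logins in a short window across several distinct devices, which is the pattern of automated credential guessing rather than a user mistyping a password. The log format, field names and thresholds are assumptions for the demonstration.

```python
"""Detect Mirai-style default-credential guessing in telnet/SSH auth logs.

Added example (not from the original post). Constructed syslog-like lines are
parsed and each source IP is scored on failed logins per minute and on the
number of distinct target devices it touched. The log format and the
thresholds are assumptions for the demonstration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: a central syslog collector receiving auth events from
# three IoT devices (router, camera, DVR). The line format is an assumption.
SAMPLE_LOG = """\
2016-09-20T10:00:01 router01 telnetd: login failed for user admin from 203.0.113.7
2016-09-20T10:00:02 router01 telnetd: login failed for user root from 203.0.113.7
2016-09-20T10:00:03 camera02 telnetd: login failed for user root from 203.0.113.7
2016-09-20T10:00:04 dvr03 telnetd: login failed for user admin from 203.0.113.7
2016-09-20T10:00:05 dvr03 telnetd: login succeeded for user admin from 203.0.113.7
2016-09-20T10:00:06 camera02 telnetd: login failed for user support from 203.0.113.7
2016-09-20T10:05:00 router01 sshd: login failed for user alice from 198.51.100.9
2016-09-20T10:07:00 router01 sshd: login succeeded for user alice from 198.51.100.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<svc>telnetd|sshd): login "
    r"(?P<result>failed|succeeded) for user (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(log_text):
    """Turn the raw log text into a list of event dicts (unparseable lines are skipped)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # do not crash on lines in another format
        d = m.groupdict()
        d["ts"] = datetime.fromisoformat(d["ts"])
        events.append(d)
    return events


def find_scanners(events, window_seconds=60, min_failures=4, min_hosts=2):
    """Return {src: summary} for sources that look like credential scanners.

    Heuristic (an assumption): many failed logins within a short window,
    spread across several different devices, is the signature of automated
    default-credential guessing. A login that later succeeds from the same
    source points at a device whose factory credentials are still in place.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "failed"]
        # densest run of failures inside a sliding window of window_seconds
        best, j = 0, 0
        for i in range(len(fails)):
            while (fails[i]["ts"] - fails[j]["ts"]).total_seconds() > window_seconds:
                j += 1
            best = max(best, i - j + 1)
        hosts = {e["host"] for e in fails}
        compromised = sorted({e["host"] for e in evs if e["result"] == "succeeded"})
        if best >= min_failures and len(hosts) >= min_hosts:
            flagged[src] = {
                "failures_in_window": best,
                "distinct_hosts": len(hosts),
                "succeeded_on": compromised,  # devices to reset and re-credential first
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_scanners(parse(SAMPLE_LOG)).items():
        print(src, info)
```

On the constructed sample the script flags 203.0.113.7 (five failures in one minute across three devices, one success on dvr03) and leaves 198.51.100.9 alone, since a single failure followed by a success is what a legitimate user looks like. In a real deployment the thresholds would be tuned to the device fleet, and a success listed under `succeeded_on` is the device to reset and give a unique password first.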

Who created the Mirai botnet?

Paras Jha, 21, and Josiah White, 20, founded Protraf Solutions, a company that offered DDoS mitigation services. It was a classic case of scamming: their company was offering DDoS protection services to the very organizations that were being attacked by the botnet they had created.

Damage from DDoS attacks

The first large-scale Mirai botnet attack was in September 2016 against the French tech company OVH. It reached an unprecedented speed of 1 Tbps and was estimated to involve around 145,000 IoT devices. This gives an idea of how large this botnet is. The second largest attack peaked at 400 Gbps.

Following the OVH attack, Krebs on Security, a website owned by journalist Brian Krebs, was hit by a flood of bot traffic peaking at over 600 Gbps in late September 2016. Krebs was likely targeted because of his line of investigative journalism: his focus on cybersecurity crime made him a threat to the authors of an organized bot attack.

On September 30, 2017, one of the botnet's authors decided to post the source code on a popular hacker forum, simultaneously announcing his intended retirement from hacking. There are several possible reasons why the author decided to disclose the malware's code: the most likely is the desire to hide his identity and avoid being accused of committing crimes.

Soon after the source code was published, other attackers began using the Mirai botnet for their own malicious and fraudulent purposes. Due to the mass scale of these attacks, it was no longer possible to attribute them to any specific person or group. It became more difficult to identify the malware, and the publication of the code increased the number of DDoS attacks carried out.

After that, other cybercriminals began to develop and improve the botnet, adding new functionality. For example, modules were added that increase the number of infected smart devices or speed up infection.

In addition, new Mirai offshoots (variants such as Okiru, Satori, Masuta, and PureMasuta) have been created. The success of this botnet depends on the vulnerabilities and security posture of IoT products and technologies. Devices built for convenience rather than security complicate efforts to counter the Mirai malware family.

What is the connection between Mirai and click fraud?

Pay-per-click (PPC, also called CPC) advertising is a form of online advertising in which a company pays a website to display its ads. The amount paid depends on the number of clicks on the ad's link leading to the advertiser's website.

Fraudulent manipulation of pay-per-click data is called click fraud. Ads are clicked either manually (by deceiving real users through various fraudulent schemes) or with the help of automated software or bots. Through such fraud, the site owner can collect significant revenue, while the advertiser's budget is spent on "dummy" clicks that bring no real visitors.
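The "dummy" clicks described above can be separated from genuine visitors by looking at how a click source behaves rather than at the click count alone. The following is an added example, not code from the original post or from any service it names: it scores a constructed pay-per-click click log per (source IP, user agent) pair on three signals (a burst of clicks within an hour, clicks spaced only seconds apart, and near-zero dwell on the landing page) and totals the budget spent on the groups it marks as suspect. Field names, thresholds and the flat cost per click are assumptions for the demonstration.

```python
"""Flag bot-like clicks in a pay-per-click click log and price the waste.

Added example (not from the original post). A constructed click log is scored
per (source IP, user agent) pair. Field names, thresholds and the cost per
click are assumptions for the demonstration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample click log: timestamp, source IP, user agent and the
# visitor's dwell time on the landing page in seconds (0 = left before load).
CLICKS = [
    ("2024-05-01T09:00:00", "203.0.113.50", "python-requests/2.31", 0),
    ("2024-05-01T09:00:02", "203.0.113.50", "python-requests/2.31", 0),
    ("2024-05-01T09:00:04", "203.0.113.50", "python-requests/2.31", 0),
    ("2024-05-01T09:00:06", "203.0.113.50", "python-requests/2.31", 0),
    ("2024-05-01T09:00:08", "203.0.113.50", "python-requests/2.31", 1),
    ("2024-05-01T09:13:10", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0)", 45),
    ("2024-05-01T11:42:00", "198.51.100.23", "Mozilla/5.0 (Windows NT 10.0)", 120),
    ("2024-05-01T12:05:30", "192.0.2.77", "Mozilla/5.0 (iPhone)", 30),
]


def score_clicks(clicks, max_clicks_per_hour=3, min_gap=timedelta(seconds=5), max_bot_dwell=2):
    """Group clicks by (ip, user agent) and return a per-group verdict.

    Signals (thresholds are assumptions chosen for the example):
      * burst: more than max_clicks_per_hour clicks from one pair in any one-hour span
      * rapid: two consecutive clicks closer together than min_gap
      * low_dwell: every click in the group spent at most max_bot_dwell seconds on the page
    A group is marked suspect when it trips at least two of the three signals,
    so a single enthusiastic human visitor is not penalised.
    """
    groups = defaultdict(list)
    for ts, ip, ua, dwell in clicks:
        groups[(ip, ua)].append((datetime.fromisoformat(ts), dwell))
    verdicts = {}
    for key, evs in groups.items():
        evs.sort()
        times = [t for t, _ in evs]
        # densest one-hour span (sliding window over sorted timestamps)
        burst, j = 0, 0
        for i, t in enumerate(times):
            while t - times[j] > timedelta(hours=1):
                j += 1
            burst = max(burst, i - j + 1)
        gaps = [b - a for a, b in zip(times, times[1:])]
        rapid = any(g < min_gap for g in gaps)
        low_dwell = all(d <= max_bot_dwell for _, d in evs)
        signals = sum([burst > max_clicks_per_hour, rapid, low_dwell])
        verdicts[key] = {
            "clicks": len(evs),
            "burst": burst,
            "rapid": rapid,
            "low_dwell": low_dwell,
            "suspect": signals >= 2,
        }
    return verdicts


def wasted_spend(verdicts, cost_per_click):
    """Budget that went to clicks from suspect groups (assumes a flat CPC)."""
    return sum(v["clicks"] for v in verdicts.values() if v["suspect"]) * cost_per_click


if __name__ == "__main__":
    verdicts = score_clicks(CLICKS)
    for (ip, ua), v in verdicts.items():
        print(ip, ua, v)
    print("wasted spend:", wasted_spend(verdicts, cost_per_click=0.5))
```

On the constructed log only the python-requests source is marked suspect (five clicks in eight seconds, none dwelling longer than a second); the two browser-based visitors pass. Pricing the suspect clicks with the assumed cost per click gives the advertiser the figure it needs to dispute the spend or to add the source to an exclusion list.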

The Mirai developers were convicted specifically for renting out their botnet for DDoS attacks and click fraud.

Why does Mirai malware remain dangerous?

Mirai keeps mutating. Although its creators were found and convicted, the malware's source code lives on and takes on new forms. For example, PureMasuta can exploit the HNAP bug in D-Link devices. OMG, another of its offshoots, turns IoT devices into proxy servers that allow cybercriminals to remain anonymous.

More recently, another fairly powerful botnet was discovered, known by several names including IoTrooper and Reaper. It is capable of compromising IoT devices much faster than Mirai. Reaper can infect devices running on more than just ARC processors, and it also has greater control over its bots.

How to Protect Your Ads from Botnet Attacks

The public and large corporations are fighting against fraudsters. Special protection services are being developed to block malicious bots that click on ads. One of these is Botfaqtor.

A comprehensive protection system is an effective automated way to block bots and click farms, which not only saves your budget but also lets you reduce the cost per click.

Find out who actually clicks on your ads, get a report on the quality of traffic and the sites where the ads are placed. The service is available to protect advertising campaigns in Yandex Direct and Google Ads.