Mirai, Mirai, pwn them all, who's the greatest botnet on the whole?

Variants on zombie horde that took down Dyn still at large


The Mirai botnet is alive and kicking more than a year after its involvement in a DDoS attack that left many of the world's biggest websites unreachable.

DNS provider Dyn reckons about 100,000 Mirai-infected gadgets knocked it out back in October 2016. A study by security ratings firm SecurityScorecard, out Tuesday, found that even a year after its initial release, Mirai botnet infections are still widespread.

From July to September 2017, SecurityScorecard identified 34,062 IPv4 addresses on the public internet that showed symptoms expected from an embedded device infected with the Mirai IoT malware. This contrasts with 184,258 IPv4 addresses of IoT devices infected with Mirai IoT malware from August 1, 2016, to July 31, 2017.

Even though the botnet is smaller and more fragmented, it still poses a threat to internet hygiene.

Other security experts back this assessment. The decline in numbers of the Mirai zombie horde may have nothing to do with improved IoT security, such as users patching the DVR devices and the like that are most susceptible to infection.

Ken Munro, of UK security consultancy Pen Test Partners, said: "We believe the main reason that the botnets are small is that Mirai is not persistent. The infection does not survive a reboot. Mirai attacks XiongMai-based DVRs, which are pretty unstable – indeed, it's trivial to reboot them remotely, unauthenticated.

"As a result, no single botnet herder can create a single large botnet – the DVRs reboot randomly and there's then a race to pwn then again."

Other more recent IoT botnets – most notably Reaper – represent a worse risk to security, according to Munro.

The attack on Dyn was preceded by one on infosec sleuth Brian Krebs' website and followed by DDoS attacks using Mirai variants on the routers of Deutsche Telekom and TalkTalk. All of this malfeasance took place last year. Quite why we've not seen a continuation of high-profile DDoS attacks that use IoT devices as a platform is something of a head-scratcher, not least because the potential for harm is undiminished.

For example, last month security researchers Troy Mursch and Dr Neal Krawetz uncovered a Mirai-like botnet made up of EnGenius routers. Mursch told El Reg that he's seen 90,000 drones in the network since February.

Mirai source code leaked in early October 2016, three weeks or so before the Dyn DDoS spectacular. This has opened up the door to copycat botnet cultivation.

What's the sitch?

SecurityScorecard's Mirai sitrep provides a contemporary analysis of the devices infected with the IoT malware.

The education sector was the industry most affected by Mirai variants during Q3 of 2017, ahead of energy, manufacturing, entertainment, and financial services, according to figures from SecurityScorecard.

mirai pie chart

Mirai spread by industry sector pie chart [source: SecurityScorecard]

The most affected country for Mirai activity in Q3 of 2017 is Mexico, ahead of China, the US, Brazil and Turkey.

mirai map

Geographical map of spread of the Mirai botnet

The prevalence of Mirai infections in Mexico is likely a byproduct of efforts to roll out IoT systems, such as the recent availability of a regional dedicated communications service specifically geared towards the Internet of Things. ®

Similar topics

Broader topics


Other stories you might like

  • North Korea pulled in $400m in cryptocurrency heists last year – report

    Plus: FIFA 22 players lose their identity and Texas gets phony QR codes

    In brief Thieves operating for the North Korean government made off with almost $400m in digicash last year in a concerted attack to steal and launder as much currency as they could.

    A report from blockchain biz Chainalysis found that attackers were going after investment houses and currency exchanges in a bid to purloin funds and send them back to the Glorious Leader's coffers. They then use mixing software to make masses of micropayments to new wallets, before consolidating them all again into a new account and moving the funds.

    Bitcoin used to be a top target but Ether is now the most stolen currency, say the researchers, accounting for 58 per cent of the funds filched. Bitcoin accounted for just 20 per cent, a fall of more than 50 per cent since 2019 - although part of the reason might be that they are now so valuable people are taking more care with them.

    Continue reading
  • Tesla Full Self-Driving videos prompt California's DMV to rethink policy on accidents

    Plus: AI systems can identify different chess players by their moves and more

    In brief California’s Department of Motor Vehicles said it’s “revisiting” its opinion of whether Tesla’s so-called Full Self-Driving feature needs more oversight after a series of videos demonstrate how the technology can be dangerous.

    “Recent software updates, videos showing dangerous use of that technology, open investigations by the National Highway Traffic Safety Administration, and the opinions of other experts in this space,” have made the DMV think twice about Tesla, according to a letter sent to California’s Senator Lena Gonzalez (D-Long Beach), chair of the Senate’s transportation committee, and first reported by the LA Times.

    Tesla isn’t required to report the number of crashes to California’s DMV unlike other self-driving car companies like Waymo or Cruise because it operates at lower levels of autonomy and requires human supervision. But that may change after videos like drivers having to take over to avoid accidentally swerving into pedestrians crossing the road or failing to detect a truck in the middle of the road continue circulating.

    Continue reading
  • Alien life on Super-Earth can survive longer than us due to long-lasting protection from cosmic rays

    Laser experiments show their magnetic fields shielding their surfaces from radiation last longer

    Life on Super-Earths may have more time to develop and evolve, thanks to their long-lasting magnetic fields protecting them against harmful cosmic rays, according to new research published in Science.

    Space is a hazardous environment. Streams of charged particles traveling at very close to the speed of light, ejected from stars and distant galaxies, bombard planets. The intense radiation can strip atmospheres and cause oceans on planetary surfaces to dry up over time, leaving them arid and incapable of supporting habitable life. Cosmic rays, however, are deflected away from Earth, however, since it’s shielded by its magnetic field.

    Now, a team of researchers led by the Lawrence Livermore National Laboratory (LLNL) believe that Super-Earths - planets that are more massive than Earth but less than Neptune - may have magnetic fields too. Their defensive bubbles, in fact, are estimated to stay intact for longer than the one around Earth, meaning life on their surfaces will have more time to develop and survive.

    Continue reading

Biting the hand that feeds IT © 1998–2022