Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Hacker Releases Source Code of IoT Malware Mirai

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A copy of the source code files provided to SecurityWeek includes a “readme” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” the hacker said. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.”

The hacker claimed his botnet had ensnared up to 380,000 bots via telnet attacks alone, but ISPs allegedly started cleaning up their act following the DDoS attacks aimed at Krebs’ website. He says the number of bots has dropped to roughly 300,000 and continues to decrease.

The leaked files include source code for the bot, command and control (C&C) servers, and tools. The author of Mirai says he is willing to answer specific questions about setting up the botnet, but he is determined not to waste any time teaching wannabe cybercriminals or answering vague questions.

Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

One of the first groups to analyze this threat was Malware Must Die, although the author of Mirai said the analysis was inaccurate. Researchers from Russian antivirus firm Dr. Web reported last week that they had seen newer versions of the Trojan in September. The company has published a 56-page report describing the malware, which it detects as Linux.Mirai.

The attack that hit Brian Krebs’ website peaked at over 600 Gbps, while the simultaneous attacks aimed at hosting provider OVH exceeded 1 Tbps. Octave Klaba, the founder and CTO of OVH, said the botnet was powered by more than 150,000 IoT devices, including cameras and DVRs, capable of launching attacks of over 1.5 Tbps.

The attack targeted at Krebs was launched after the journalist published a blog post exposing the alleged operators of a booter service called vDOS, which led to the arrests of two Israeli nationals. The “readme” file published by the author of Mirai is signed with “FREEAPPLEJ4CK” – AppleJ4ck is the online moniker used by one of the vDOS operators.

Now that Mirai’s source code has been made available, the malware will likely be abused by many cybercriminals, similar to the case of BASHLITE, whose source code was leaked in early 2015. In late August, Level 3 Communications and Flashpoint reported that BASHLITE DDoS botnets had ensnared roughly one million IoT devices.

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.