Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Hacker Releases Source Code of IoT Malware Mirai

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A hacker has released the source code of Mirai, the Internet of Things (IoT) malware used to launch massive distributed denial-of-service (DDoS) attacks against the websites of journalist Brian Krebs and hosting provider OVH.

A copy of the source code files provided to SecurityWeek includes a “readme” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

“When I first go in DDoS industry, I wasn’t planning on staying in it long,” the hacker said. “I made my money, there’s lots of eyes looking at IOT now, so it’s time to GTFO. However, I know every skid and their mama, it’s their wet dream to have something besides qbot.”

The hacker claimed his botnet had ensnared up to 380,000 bots via telnet attacks alone, but ISPs allegedly started cleaning up their act following the DDoS attacks aimed at Krebs’ website. He says the number of bots has dropped to roughly 300,000 and continues to decrease.

The leaked files include source code for the bot, command and control (C&C) servers, and tools. The author of Mirai says he is willing to answer specific questions about setting up the botnet, but he is determined not to waste any time teaching wannabe cybercriminals or answering vague questions.

Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

One of the first groups to analyze this threat was Malware Must Die, although the author of Mirai said the analysis was inaccurate. Researchers from Russian antivirus firm Dr. Web reported last week that they had seen newer versions of the Trojan in September. The company has published a 56-page report describing the malware, which it detects as Linux.Mirai.

The attack that hit Brian Krebs’ website peaked at over 600 Gbps, while the simultaneous attacks aimed at hosting provider OVH exceeded 1 Tbps. Octave Klaba, the founder and CTO of OVH, said the botnet was powered by more than 150,000 IoT devices, including cameras and DVRs, capable of launching attacks of over 1.5 Tbps.

The attack targeted at Krebs was launched after the journalist published a blog post exposing the alleged operators of a booter service called vDOS, which led to the arrests of two Israeli nationals. The “readme” file published by the author of Mirai is signed with “FREEAPPLEJ4CK” – AppleJ4ck is the online moniker used by one of the vDOS operators.

Now that Mirai’s source code has been made available, the malware will likely be abused by many cybercriminals, similar to the case of BASHLITE, whose source code was leaked in early 2015. In late August, Level 3 Communications and Flashpoint reported that BASHLITE DDoS botnets had ensnared roughly one million IoT devices.

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Botnet Targets Olympics in 540Gbps DDoS Attacks

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.