Mirai Botnet Infects Devices in 164 Countries

Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.

In early October, Mirai’s developer released the malware’s source code and claimed that over 300,000 devices were infected with it. Soon after, as the botnet was increasingly used in DDoS attacks, Flashpoint security researchers determined that over half a million IoT devices worldwide were exposed to Mirai because they were protected only by weak or default credentials.

According to Imperva researchers, the investigation of an attack carried out in August revealed 49,657 unique IPs hosting Mirai-infected devices, mostly CCTV cameras, which had already proven popular targets for IoT botnets.

These IP addresses, researchers say, are located in 164 countries, with Vietnam taking the top spot at 12.8%, followed by Brazil at 11.8%, the United States at 10.9%, China at 8.8%, and Mexico at 8.4%. South Korea, Taiwan, Russia, Romania and Colombia round out the ten most affected countries. Remote locations such as Montenegro, Tajikistan and Somalia were also among the affected countries.

Imperva also notes that a few new Mirai-powered attacks were seen after the source code emerged online, though they were low-volume application layer HTTP floods. These used a small number of source IPs, and the security researchers suggest that they might be mere experimental first steps of new Mirai users.

The researchers also note that the botnet’s command and control (C&C) server is written in Go, while the bots are written in C. Code analysis also revealed that the botnet was built for two main purposes: find and compromise devices to increase the botnet’s footprint, and launch DDoS attacks based on received instructions.

As previously revealed, Mirai performs wide-ranging scans of IP addresses to locate under-secured IoT devices and access them via easily guessable login credentials. The scanning targets destination ports TCP/23 and TCP/2323 (telnet), and Arbor Networks researchers note that blocking access to these ports prevents the initial compromise.

According to Symantec, the botnet has been configured to use a dictionary of at least 62 username and password combinations, most of which are commonly used default credentials for IoT devices. The security firm also notes that, while infected devices can be cleaned with a simple restart (the bot lives only in memory and does not persist across reboots), the constant scanning performed by the botnet means that a device that still answers on telnet with its default credentials is re-infected within minutes of coming back online.
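The scanning behaviour described above has a simple network signature: one source opening TCP connections to port 23 or 2323 on many different hosts in a short window. The following is an added example (not code from the article, from Imperva, Arbor or Symantec, nor from the Mirai source) that runs that check over constructed connection-log lines. The log format (timestamp, source, destination, destination port, protocol, space separated), the LAN range 192.168.0.0/16 and the fan-out threshold of five distinct targets are assumptions for the example. It flags both external scanners probing the LAN and internal hosts fanning out to external telnet ports, which is what an already-infected device looks like from the inside.

```python
"""Flag Mirai-style telnet scanning in a connection log.

Added example; not part of the original article or of any Mirai code.
Assumed log format, one connection per line: "<ts> <src> <dst> <dport> <proto>".
"""
from collections import defaultdict
import ipaddress

# Ports the article says Mirai probes for telnet logins.
MIRAI_SCAN_PORTS = {23, 2323}
# Assumption for the example: our own address space.
LOCAL_NETS = [ipaddress.ip_network("192.168.0.0/16")]
# Assumption for the example: distinct targets on the scan ports before we alert.
FANOUT_THRESHOLD = 5

# Constructed sample traffic (documentation ranges, not real hosts):
#  - 203.0.113.7 sweeps seven LAN hosts on 23/2323 (inbound scan, one retry)
#  - 192.168.1.50 fans out to six external hosts (an infected device scanning)
#  - 192.168.1.21 opens a single telnet session (normal admin use, below threshold)
#  - 192.168.1.20 talks HTTPS; 203.0.113.9 sends UDP to port 23 (both ignored)
SAMPLE_LOG = """\
# ts src dst dport proto
2016-10-26T10:00:01 203.0.113.7 192.168.1.10 23 tcp
2016-10-26T10:00:01 203.0.113.7 192.168.1.11 23 tcp
2016-10-26T10:00:02 203.0.113.7 192.168.1.12 2323 tcp
2016-10-26T10:00:02 203.0.113.7 192.168.1.13 23 tcp
2016-10-26T10:00:03 203.0.113.7 192.168.1.14 23 tcp
2016-10-26T10:00:03 203.0.113.7 192.168.1.15 2323 tcp
2016-10-26T10:00:04 203.0.113.7 192.168.1.16 23 tcp
2016-10-26T10:00:04 203.0.113.7 192.168.1.16 23 tcp
2016-10-26T10:00:05 192.168.1.50 198.51.100.2 2323 tcp
2016-10-26T10:00:05 192.168.1.50 198.51.100.3 23 tcp
2016-10-26T10:00:05 192.168.1.50 198.51.100.4 23 tcp
2016-10-26T10:00:06 192.168.1.50 198.51.100.5 23 tcp
2016-10-26T10:00:06 192.168.1.50 198.51.100.6 2323 tcp
2016-10-26T10:00:06 192.168.1.50 198.51.100.7 23 tcp
2016-10-26T10:00:07 192.168.1.21 192.168.1.30 23 tcp
2016-10-26T10:00:07 192.168.1.20 192.168.1.1 443 tcp
2016-10-26T10:00:08 203.0.113.9 192.168.1.10 23 udp
"""


def is_local(ip):
    """True if the address falls inside one of our LAN ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def parse_line(line):
    """Split one log line into a record; raises ValueError on malformed input."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst,
            "dport": int(dport), "proto": proto.lower()}


def find_telnet_scanners(lines, threshold=FANOUT_THRESHOLD):
    """Return (inbound, outbound) dicts of source -> distinct targets hit.

    inbound : external sources probing many hosts on 23/2323 (recruitment scans)
    outbound: internal hosts doing the same toward the outside (infected devices)
    Retries against the same target are counted once, so a legitimate
    operator reconnecting to one device does not look like a sweep.
    """
    targets = defaultdict(set)
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_line(line)
        if rec["proto"] != "tcp" or rec["dport"] not in MIRAI_SCAN_PORTS:
            continue
        targets[rec["src"]].add(rec["dst"])

    inbound, outbound = {}, {}
    for src, dsts in targets.items():
        if len(dsts) < threshold:
            continue
        if is_local(src):
            outbound[src] = len(dsts)
        else:
            inbound[src] = len(dsts)
    return inbound, outbound


if __name__ == "__main__":
    inbound, outbound = find_telnet_scanners(SAMPLE_LOG.splitlines())
    for src, n in inbound.items():
        print(f"inbound telnet sweep from {src}: {n} LAN hosts probed")
    for src, n in outbound.items():
        print(f"internal host {src} scanning {n} external telnet targets; likely infected")
```

An internal hit is the one worth acting on first: a device that scans outward is already part of the botnet, and, as the article notes, rebooting it only helps if its telnet exposure or default password is fixed before it comes back up.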

The malware is able to launch HTTP floods and various network-layer (OSI layer 3-4) DDoS attacks, including GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Messaging Protocol) floods, DNS floods, and UDP floods.

Mirai was found to include a list of IP ranges that bots should avoid scanning: the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and ranges belonging to Hewlett-Packard and General Electric. Besides attempting to evade security solutions, the bot contains routines that eradicate other worms and Trojans already present on the device and that block further remote connection attempts to the hijacked device, shutting out rival malware and the device’s owner alike.

The developer of this botnet is believed to be Russian, based on some of the comments found in the code. However, Arbor researchers believe that there are multiple threat actor groups actively working to expand and improve the DDoS attack capabilities of Mirai. What’s more, the security researchers discovered alterations in the DDoS attack capabilities of at least one Mirai-derived botnet.

To protect devices from Mirai and similar botnets, users are advised not only to block TCP/23 and TCP/2323 access to the devices, but also to disable all remote (WAN) access to them. The essential step, however, is to change the default username and password, since a restart alone leaves the device open to the same credential guessing that infected it.

“The potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant, depending upon the target selection and efficacy of a given attack. Outbound/crossbound DDoS attacks launched by Mirai bots can cause significant network performance issues or outages for broadband access network operators. Threat actors may significantly increase the rate of scanning for vulnerable systems, which could lead to an inadvertent DDoS attack on scanned/scanning systems and networks,” Arbor Networks researchers note.

Earlier this week, researchers at Corero Network Security warned of a new zero-day DDoS attack vector leveraging the Lightweight Directory Access Protocol (LDAP), which could result in terabit-scale DDoS events if combined with the power of IoT botnets such as Mirai. The vector has already been used in small but powerful incidents, the researchers said.

Related: Sierra Wireless Rugged Gateways Targeted by Mirai Malware

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
