Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Mirai Botnet Infects Devices in 164 Countries

Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.

Mirai, the infamous botnet used in the recent massive distributed denial of service (DDoS) attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure, has ensnared Internet of Things (IoT) devices in 164 countries, researchers say.

In early October, Mirai’s developer released the malware’s source code and also revealed that there were over 300,000 devices infected with it. Soon after, as the botnet was increasingly used in DDoS attacks, Flashpoint security researchers determined that over half a million IoT devices worldwide were vulnerable to Mirai, because they were protected by weak security credentials.

According to Imperva researchers, the investigation of an attack carried out in August has revealed around 49,657 unique IPs hosting Mirai-infected devices, mostly CCTV cameras, already proven popular targets for IoT botnets.

These IP addresses, researchers say, are located in 164 countries, with Vietnam taking the top spot at 12.8%, followed by Brazil at 11.8%, the United States at 10.9%, China at 8.8%, and Mexico at 8.4%. South Korea, Taiwan, Russia, Romania and Colombia are rounding up top ten most affected countries. Remote locations such as Montenegro, Tajikistan and Somalia were also among the affected countries.

Imperva also notes that a few new Mirai-powered attacks were seen after the source code emerged online, though they were low-volume application layer HTTP floods. These used a small number of source IPs, and the security researchers suggest that they might be mere experimental first steps of new Mirai users.

The researchers also note that the botnet’s command and control (C&C) code is coded in Go, while the bots are coded in C. Code analysis also revealed that the botnet was built for two main purposes: find and compromise devices to increase the botnet’s footprint, and launch DDoS attacks based on received instructions.

As previously revealed, Mirai performs wide-ranging scans of IP addresses to locate under-secured IoT devices and access them via easily guessable login credentials. The scanning is performed against destination ports TCP/23 and TCP/2323, and Arbor Networks researchers note that prevention is possible by shielding access to these ports.

According to Symantec, the botnet has been configured to use a dictionary of at least 62 user name and password combinations, most of which are commonly used default credentials for IoT devices. The security firm also notes that, while infected devices can be cleaned with a simple restart, the constant scanning performed by the botnet means that they are re-infected in a matter of minutes after coming back online.

The malware is able to launch HTTP floods and various network (OSI layer 3-4) DDoS attacks, including GRE IP and GRE ETH floods, SYN and ACK floods, STOMP (Simple Text Oriented Message Protocol) floods, DNS floods, and UDP flood attacks.

Mirai was found to include a list of IPs that bots should avoid scanning: the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority (IANA) and IP ranges belonging to Hewlett-Packard and General Electric. While also able to bypass security solutions, the botnet contains scripts to eradicate other worms and Trojans, and to prohibit remote connection attempts to the hijacked device.

The developer of this botnet is believed to be Russian, based on some of the comments found in the code. However, Arbor researchers believe that there are multiple threat actor groups actively working to expand and improve the DDoS attack capabilities of Mirai. What’s more, the security researchers discovered alterations in the DDoS attack capabilities of at least one Mirai-derived botnet.

To protect devices from Mirai and similar botnets, users are advised not only to shield TCP/23 and TCP/2323 access to the devices, but also to disable all remote (WAN) access to them. An essential step to secure vulnerable devices, however, is to change the default username and password.

“The potential collateral impact of DDoS attacks launched by the Mirai botnet can be highly significant, depending upon the target selection and efficacy of a given attack. Outbound/crossbound DDoS attacks launched by Mirai bots can cause significant network performance issues or outages for broadband access network operators. Threat actors may significantly increase the rate of scanning for vulnerable systems, which could lead to an inadvertent DDoS attack on scanned/scanning systems and networks,” Arbor Networks researchers note.

Earlier this week, researchers at Corero Network Security warned of a new zero-day DDoS attack vector leveraging the Lightweight Directory Access Protocol (LDAP) protocol, which could result in terabit-scale DDoS events if combined with the power of IoT botnets such as Mirai. The attack has been already used in small but powerful incidents, the researchers said.

Related: Sierra Wireless Rugged Gateways Targeted by Mirai Malware

Related: DDoS Attacks Are Primary Purpose of IoT Malware

Related: IoT Worm “Hajime” Uses BitTorrent Protocols for Communications

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Security researchers are warning of a new wave of malicious NPM and PyPI packages designed to steal user information and download additional payloads.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...