Connect with us

Hi, what are you looking for?



Mirai Switches to Tor Domains to Improve Resilience

Mirai, the distributed denial of service (DDoS) botnet that leverages the power of Internet of Things (IoT) devices, is improving resilience by switching to .Onion domains, after briefly flirting with its own Domain Generation Algorithm (DGA).

Mirai, the distributed denial of service (DDoS) botnet that leverages the power of Internet of Things (IoT) devices, is improving resilience by switching to .Onion domains, after briefly flirting with its own Domain Generation Algorithm (DGA).

The DGA functionality in Mirai was detailed about a week ago, but security researchers say that the botnet had been using it for a very short period of time. The DGA feature was associated with Mirai Botnet #14, which reportedly had over 3 million ensnared devices at the end of November.

In late November, a Mirai variant managed to hijack 900,000 routers from German ISP Deutsche Telekom using port 7547. Soon after, the same malware attack was confirmed to have also hit around 100,000 UK TalkTalk and Post Office ISP users. The attacks were revealed to leverage the TR-064 vulnerability, which can be used to steal WiFi network keys in addition to recruiting the router into a botnet.

Researchers with the China-based Network Security Research Lab at Qihoo 360, who managed to crack the Mirai DGA, said last week that multiple Mirai samples were using the functionality, and that they were leveraging three different top-level domains (TLDs) for that.

In a new post, the security researchers reveal that newly observed Mirai samples dropped the initial seed series and adopted a new one. Thus, new domains that matched the Mirai DGA algorithm but no longer featured the previous seed series were detected.

The new domains were said to belong to new Mirai variants, because layer 2 (L2) domain had the same 12-character length, a-y only, and because all TLDs for these domains were fixed to .online, one of the TLDs observed in the previous samples. What’s more, the botnet operators exercised a strict time control over the domains creation, to ensure that the overlap window was very short.

The researchers managed to brute-force the new DGA as well, and they even provided a list of the domains the Mirai samples will supposedly use before the end of the year. However, they also noted that at least one of the already generated domains wasn’t registered.

According to a report from BleepingComputer, however, there’s a clear explanation on why that happened: Mirai is moving to Tor (The Onion Router) domains, because they are far more difficult to shut down. The information reportedly comes from the individual who manages Mirai Botnet #14, and who goes by the online handle of BestBuy.

Advertisement. Scroll to continue reading.

The hacker confirmed that the DGA functionality was used for a short period of time in early December, but that it has been already dropped. There was no authentication used with the temporary feature, which resulted in it being replaced with something better: a Tor variant.

Many cybercriminals are abusing the Tor network for their nefarious purposes, mainly because it offers an increased level of anonymity and makes it far more difficult for authorities to find servers hidden in the network. Mirai isn’t the first botnet to leverage Tor for communication purposes, as others have been doing so for years.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: Mirai Botnet Infects Devices in 164 Countries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join us as we delve into the transformative potential of AI, predictive ChatGPT-like tools and automation to detect and defend against cyberattacks.


As cybersecurity breaches and incidents escalate, the cyber insurance ecosystem is undergoing rapid and transformational change.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


A new study by McAfee and the Center for Strategic and International Studies (CSIS) named a staggering figure as the true annual cost of...