Connect with us

Hi, what are you looking for?



Mirai Switches to Tor Domains to Improve Resilience

Mirai, the distributed denial of service (DDoS) botnet that leverages the power of Internet of Things (IoT) devices, is improving resilience by switching to .Onion domains, after briefly flirting with its own Domain Generation Algorithm (DGA).

Mirai, the distributed denial of service (DDoS) botnet that leverages the power of Internet of Things (IoT) devices, is improving resilience by switching to .Onion domains, after briefly flirting with its own Domain Generation Algorithm (DGA).

The DGA functionality in Mirai was detailed about a week ago, but security researchers say that the botnet had been using it for a very short period of time. The DGA feature was associated with Mirai Botnet #14, which reportedly had over 3 million ensnared devices at the end of November.

In late November, a Mirai variant managed to hijack 900,000 routers from German ISP Deutsche Telekom using port 7547. Soon after, the same malware attack was confirmed to have also hit around 100,000 UK TalkTalk and Post Office ISP users. The attacks were revealed to leverage the TR-064 vulnerability, which can be used to steal WiFi network keys in addition to recruiting the router into a botnet.

Researchers with the China-based Network Security Research Lab at Qihoo 360, who managed to crack the Mirai DGA, said last week that multiple Mirai samples were using the functionality, and that they were leveraging three different top-level domains (TLDs) for that.

In a new post, the security researchers reveal that newly observed Mirai samples dropped the initial seed series and adopted a new one. Thus, new domains that matched the Mirai DGA algorithm but no longer featured the previous seed series were detected.

The new domains were said to belong to new Mirai variants, because layer 2 (L2) domain had the same 12-character length, a-y only, and because all TLDs for these domains were fixed to .online, one of the TLDs observed in the previous samples. What’s more, the botnet operators exercised a strict time control over the domains creation, to ensure that the overlap window was very short.

The researchers managed to brute-force the new DGA as well, and they even provided a list of the domains the Mirai samples will supposedly use before the end of the year. However, they also noted that at least one of the already generated domains wasn’t registered.

Advertisement. Scroll to continue reading.

According to a report from BleepingComputer, however, there’s a clear explanation on why that happened: Mirai is moving to Tor (The Onion Router) domains, because they are far more difficult to shut down. The information reportedly comes from the individual who manages Mirai Botnet #14, and who goes by the online handle of BestBuy.

The hacker confirmed that the DGA functionality was used for a short period of time in early December, but that it has been already dropped. There was no authentication used with the temporary feature, which resulted in it being replaced with something better: a Tor variant.

Many cybercriminals are abusing the Tor network for their nefarious purposes, mainly because it offers an increased level of anonymity and makes it far more difficult for authorities to find servers hidden in the network. Mirai isn’t the first botnet to leverage Tor for communication purposes, as others have been doing so for years.

Related: Mirai-Based Worm Targets Devices via New Attack Vector

Related: Mirai Botnet Infects Devices in 164 Countries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.

Artificial Intelligence

The degree of danger that may be introduced when adversaries start to use AI as an effective weapon of attack rather than a tool...