Investigating Mirai: Inside the Malware That Powers IoT Botnets

In early October 2016, the source code for a specific Internet of Things (IoT) malware was released on a hacking community called “Hackforums.” The malicious item, now known as Mirai, was posted by a user named Anna-Senpai, who claimed a botnet was used to prey on hundreds of thousands of IoT devices daily.

We now know this was the distributed denial of service (DDoS) attack vector used by threat actors on Oct. 21 to take down DNS provider Dyn. The attack single-handedly disrupted global Internet services, including many of Dyn’s top consumer application services customers, such as Spotify, Reddit and Github.

“It was an interesting point to see the bad guys are moving upstream for DDoS attacks on the DNS providers, instead of just against sites or applications,” A10 Networks Director of Cyber Operations Dr. Chase Cunningham told Computer Weekly.

How Mirai Works

Mirai’s power stems from its ability to spread itself to other connected IoT devices. It scans the Internet for IoT devices and systems that are protected by hard-coded usernames and passwords and other factory defaults (as is the case in many IoT systems that are already installed).

Because Mirai knows these default passwords, the Mirai botnet can command any number of devices, such as routers, webcams, DVRs, IP cameras, thermostats, and other Internet-connected devices. The result is a powerful global botnet that can launch large-scale DDoS attacks against any type of service, application, site or organization.

Mirai: A Forensic Analysis

To shed light on this new attack vector, the A10 Networks security team investigated Mirai and conducted forensic analysis on the malware.

At a basic level, Mirai consists of a suite of various attacks that target lower-layer Internet protocols and select Internet applications. To date, A10 has uncovered nine specific attack vectors that Mirai targets during an attack.

Get the Full Report

Download the in-depth analysis that breaks down the specific attack vectors used by Mirai-powered botnets.


Alarmingly, hackers, criminal groups or threat actors just need a scanner and they can jump into the cybercrime arena of DDoS bot-herding. Because of the nature of this type of attack — and the ease with which it can be launched — we will continue to see these types of attacks in the near future. Combined with a ransom-type activity, an IoT-based botnet could easily power a dangerous money-making machine.

To learn more about the Mirai malware, download the complimentary report, “Investigating Mirai: A Detailed Analysis of the Malware Responsible for Global IoT Botnets and Massive DDoS Attacks.”


November 8, 2016

About Geoff Blaine

A 10-year veteran of the security space, Geoff serves as A10's senior communications writer and content manager. He brings a blend of real-world journalism experience, cybersecurity perspective and mainstream tech interest. READ MORE