Mirai first made the rounds in August 2016, although it remained largely unknown at
that time. The botnet originated from infections coming from a bulletproof hosting IP.
Afterward, the botnet spread extremely fast: it was estimated that the number of its
victims doubled every 76 minutes at that time. Unsurprisingly, by the end of its first day
in action, the botnet had a tally of 65,000 victims in the form of IoT devices.
A month later, in mid-September, the malware shot into the limelight. At that time,
cybercriminals used DDoS attacks to target Krebs on Security, a popular blog
authored by a leading cybersecurity journalist, while its website was managed by
OVH, one of the biggest names in the website hosting world. By attacking major names
in the cybersecurity and website hosting world, Mirai became infamous as one of the biggest
IoT cyberthreats. According to studies, the botnet mostly targeted cameras and routers in the
IoT ecosystem.
How Does Mirai Work?
Mirai is inherently a self-propagating computer worm. It is a dangerous program
that can replicate, that is, generate copies of itself and spread them, so it can
search for victims, target them, and infiltrate their IoT systems. It is referred to
as a botnet because all the infected devices are controlled by the C2 server. The
servers then exploit the hacked IoT devices to choose their next target. The Mirai
botnet is divided into two primary modules. These are listed below.
Replication Module
The replication module is tasked with increasing the size of the botnet. It
accomplishes this by taking as many hostages as possible, looking for
vulnerabilities and openings in IoT devices. To do this, it first scans the
complete internet to find lucrative targets. Once a target is identified, it
begins to attack it. When the attack is successful, it communicates the success
to the C2 server, where the cybercriminals behind the botnet unleash its payload.
In order to break into IoT devices, Mirai initially relied on a group of 64 common
IoT combinations of ID/passwords. Though this initial attack did not seem too
sophisticated, it became highly successful and led to the hack of more than
600,000 IoT devices.
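The credential-guessing behaviour described above leaves a recognizable trace in login logs, and the following added example (not from the book, and not Mirai code) shows one way a defender could look for it. The log format, the four credential pairs, the device names, and the thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-ins for a factory-default ID/password list (not Mirai's actual list).
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("user", "user"), ("guest", "guest")}

# Constructed login log (assumed format): time, source, device, ID, password, result.
SAMPLE_LOG = """\
2016-09-20T10:00:01 203.0.113.7 cam-01 admin admin FAIL
2016-09-20T10:00:02 203.0.113.7 cam-01 root root FAIL
2016-09-20T10:00:03 203.0.113.7 cam-01 guest guest FAIL
2016-09-20T10:00:04 203.0.113.7 cam-01 user user OK
2016-09-20T10:05:00 198.51.100.20 router-01 operator Xk4-wrong FAIL
2016-09-20T10:05:20 198.51.100.20 router-01 operator Xk4-right OK
2016-09-20T08:00:00 203.0.113.9 cam-02 admin admin FAIL
2016-09-20T09:00:00 203.0.113.9 cam-02 root root FAIL
2016-09-20T11:00:00 203.0.113.9 cam-02 guest guest FAIL
truncated line
"""

def parse(log):
    """Yield (time, source, device, (id, password), success); skip malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 6:
            ts, src, dev, user, pw, result = parts
            yield datetime.fromisoformat(ts), src, dev, (user, pw), result == "OK"

def analyze(log, window=timedelta(minutes=1), min_pairs=3):
    """Return (sources sweeping many distinct pairs, devices that accepted a default pair)."""
    attempts, exposed, sweepers = defaultdict(list), set(), set()
    for ts, src, dev, pair, ok in parse(log):
        attempts[src].append((ts, pair))
        if ok and pair in DEFAULT_PAIRS:
            exposed.add(dev)  # device still accepts a factory-default login
    for src, events in attempts.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window so it covers at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({pair for _, pair in events[start:end + 1]}) >= min_pairs:
                sweepers.add(src)  # dictionary-style sweep: many distinct pairs, short time
                break
    return sweepers, exposed

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Devices returned in the second set are the ones to re-credential first, since they accepted a login that appears on a default list.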
Attack Module
The attack module in the Mirai botnet is tasked with running DDoS campaigns in order to
compromise IoT devices. These targets are supplied by the C2 servers. The module carries out
common DDoS tactics such as UDP flooding, TCP flooding, HTTP flooding, and other attack
strategies. This range allowed the Mirai botnet to employ TCP state-exhaustion attacks,
application-layer attacks, and volumetric attacks.
[Figure: Mirai botmaster, C&C server, enslaved IoT device, victim site]
276 Internet of Things