
Mirai (malware)

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: Mirai
Caption: IoT malware botnet architecture diagram
Authors: Paras Jha, Josiah White, Dalton Norman
Released: 2016
Genre: Botnet malware
Operating system: Embedded Linux (BusyBox) on ARM, MIPS, SH4
License: Proprietary (malicious)

Mirai is botnet malware that infected Internet of Things (IoT) devices and used them to launch distributed denial-of-service (DDoS) attacks in 2016 and thereafter. It leveraged default credentials on embedded devices to assemble large-scale botnets that disrupted access to high-profile targets across the United States, Europe, and Asia. Researchers from multiple cybersecurity firms and academic institutions analyzed its code and behavior, linking infections to major outages affecting DNS, media, and telecommunications services.

Overview

Mirai emerged in 2016 after earlier IoT incidents tied to compromised routers and cameras; analysts from Krebs on Security, Arbor Networks, Akamai Technologies, Team Cymru, and Flashpoint provided early public incident reports. The initial publicized attack on Brian Krebs's website triggered investigations involving the Federal Bureau of Investigation, Department of Homeland Security, and private sector responders including Cloudflare, Dyn, Google Project Shield, and Verisign. Coverage by outlets such as The New York Times, Wired, The Guardian, and The Washington Post amplified attention from policymakers in the United States Congress, the European Commission, and regulators in Japan and Australia. Academic analysis appeared in conferences like Black Hat USA, DEF CON, IEEE S&P, and journals associated with USENIX and ACM.

Technical architecture and operation

Mirai's architecture combined a loader, a scanner, and a command-and-control subsystem coordinated by hardened servers often hidden behind proxies and Tor-like networks. Researchers from Mandiant, Symantec, Trend Micro, ESET, and Bitdefender dissected binaries compiled for ARM, MIPS, and SuperH CPU families used in consumer devices from vendors such as D-Link, Netgear, TP-Link, Huawei, and ZTE. The malware performed brute-force login attempts against default credentials cataloged from manuals and vendor support pages; analysts at SANS Institute, CERT/CC, ENISA, and NIST documented credential lists and mitigation advisories. Mirai implemented simple C2 protocols and used IP scanning, Telnet, and SSH services to propagate; behavioral signatures were cataloged by Malwarebytes, Cisco Talos, CrowdStrike, FireEye, and Palo Alto Networks for network detection systems and intrusion prevention appliances.

Infections and notable attacks

Large-scale infections powered attacks against high-profile targets: the October 2016 attack on Dyn disrupted service for Twitter, Spotify, PayPal, Airbnb, Reddit, GitHub, and numerous news outlets, prompting emergency response from hosting providers including Akamai, Amazon Web Services, Microsoft Azure, and Google Cloud Platform. Earlier incidents included attacks on Brian Krebs and disruptions to hosting for OVH customers in France. Subsequent campaigns exploited Mirai-derived variants to target elections infrastructure in Ukraine, telecommunications providers in Liberia, and gaming networks for Sony PlayStation Network and Microsoft Xbox Live. Law enforcement and industry reports highlighted collateral impact on ISPs such as Comcast and Verizon, content delivery networks like Cloudflare and Fastly, and registries such as ICANN partners.

Attribution and variants

Investigations by Akamai, Flashpoint, and independent researchers correlated command-and-control infrastructure and code artifacts to operators including Paras Jha, Josiah White, and Dalton Norman; legal prosecutions involved the United States Department of Justice and federal courts in New Jersey. Mirai spawned numerous variants, often named by vendor researchers at Check Point, Kaspersky Lab, F-Secure, Sophos, and Trend Micro, including evolutions that added exploits for CVEs, peer-to-peer architectures, and modular plugins. Nation-state actors and cybercrime groups repurposed Mirai code for botnet-for-hire services, ransomware distribution, and espionage support; threat intelligence firms such as Recorded Future, CrowdStrike, and Mandiant tracked attribution to organized cybercriminal groups across Eastern Europe, Southeast Asia, and North America.

Detection, mitigation, and defenses

Detection approaches recommended by NIST, ENISA, and CERT/CC combined network telemetry, honeypots, and signature/behavioral detection used by vendors like Cisco Umbrella, Palo Alto Networks WildFire, Fortinet FortiGuard, Juniper Networks, and Arista Networks. Mitigations included vendor firmware updates from Netgear, D-Link, TP-Link, and Linksys, guidance for device manufacturers from ETSI and IEEE, and coordinated disclosure processes promoted by US-CERT and the International Telecommunication Union. Research prototypes at MIT CSAIL, UC Berkeley CITRIS, CMU CERT, and Georgia Tech explored automated patching, secure boot, and hardware-based attestation to prevent reinfection. ISPs and cloud providers employed traffic scrubbing via Akamai, Radware, Prolexic, and Cloudflare, while lawmakers debated minimum security standards influenced by the NIST Cybersecurity Framework and by legislative proposals in the United States Congress and the European Parliament.
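The two technical points above, Mirai's brute forcing of default credentials over Telnet (described under "Technical architecture and operation") and the honeypot plus behavioral detection recommended here, can be illustrated with a small detector run over honeypot log lines. The following is an added example and not code from the article or from any of the vendors it names; the log line format, the field names, the source addresses, and the default-credential pairs in the catalogue are all constructed for the example.

```python
"""Behavioral detection of Mirai-style default-credential brute forcing.

Added example, not part of the article. It parses constructed Telnet
honeypot log lines and raises alerts for (a) bursts of failed logins from
one source (credential-list sweeping) and (b) any successful login that
used a catalogued vendor-default credential pair. The log format, field
names and credential pairs are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample log lines in a hypothetical honeypot format:
# "<ISO timestamp> telnet src=<ip> user=<name> pass=<secret> result=<ok|fail>"
SAMPLE_LOG = """\
2016-10-21T11:00:01Z telnet src=203.0.113.5 user=root pass=wrong1 result=fail
2016-10-21T11:00:02Z telnet src=203.0.113.5 user=admin pass=wrong2 result=fail
2016-10-21T11:00:03Z telnet src=203.0.113.5 user=root pass=wrong3 result=fail
2016-10-21T11:00:04Z telnet src=203.0.113.5 user=support pass=wrong4 result=fail
2016-10-21T11:00:05Z telnet src=203.0.113.5 user=admin pass=wrong5 result=fail
2016-10-21T11:00:06Z telnet src=203.0.113.5 user=root pass=factory-default result=ok
2016-10-21T11:30:00Z telnet src=198.51.100.7 user=operator pass=Str0ngPassphrase! result=ok
2016-10-21T11:45:00Z telnet src=198.51.100.9 user=admin pass=typo result=fail
"""

# Constructed catalogue standing in for the vendor-default credential lists
# that advisories publish; a real deployment loads this from a maintained feed.
DEFAULT_CREDENTIALS = {
    ("root", "factory-default"),
    ("admin", "factory-default"),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<password>\S*) result=(?P<result>ok|fail)$"
)


def parse_line(line):
    """Parse one honeypot line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect(log_text, fail_threshold=5, window=timedelta(seconds=60)):
    """Return a list of (alert_type, src_ip, detail) tuples in log order."""
    alerts = []
    recent_failures = defaultdict(list)  # src -> [(timestamp, username), ...]
    burst_flagged = set()                # sources already alerted for a burst

    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue  # ignore lines that do not fit the expected format
        src = ev["src"]

        if ev["result"] == "fail":
            events = recent_failures[src]
            events.append((ev["ts"], ev["user"]))
            # Slide the window: drop failures older than `window`.
            while events and ev["ts"] - events[0][0] > window:
                events.pop(0)
            if len(events) >= fail_threshold and src not in burst_flagged:
                burst_flagged.add(src)
                usernames = {user for _, user in events}
                alerts.append((
                    "brute_force_burst", src,
                    f"{len(events)} failed logins across {len(usernames)} "
                    f"usernames within {int(window.total_seconds())}s",
                ))
        elif (ev["user"], ev["password"]) in DEFAULT_CREDENTIALS:
            # A successful login with a vendor default is the Mirai infection
            # signature itself, regardless of how many attempts preceded it.
            alerts.append(("default_credential_login", src, f"user={ev['user']}"))

    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run stand-alone, the script flags 203.0.113.5 twice: once for five failed logins across three usernames inside the 60-second window, and once for the subsequent successful login with a catalogued default pair. The single typo from 198.51.100.9 and the operator login with a non-default passphrase produce nothing, which is the point of pairing a rate criterion with a credential catalogue: either signal alone would either miss slow sweeps or page on ordinary mistakes.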

Criminal charges were filed by the United States Attorney's Office and prosecutions concluded with plea agreements and sentences, while civil litigation involved plaintiffs including hosting providers and media organizations. Industry coalitions, such as the IoT Security Foundation, FIDO Alliance, GSMA, Cloud Security Alliance, and Internet Society, developed best practices for device lifecycle security, supply chain audits, and vulnerability disclosure policies. Standards bodies including IETF, IEEE-SA, and ETSI advanced specifications for secure device onboarding and remote management. Major vendors and service providers implemented password policies, two-factor authentication, and centralized update services in response to the Mirai incidents; regulatory responses influenced consumer product labeling and procurement rules in jurisdictions like California and the United Kingdom.
