Timeline of Mirai: the internet of things botnet that took down the internet

The rise of the Mirai botnet was swift and dramatic, from its discovery in mid-2016 to taking down many of the internet's most popular websites just months later. What differentiated Mirai – Japanese for ‘the future’ – was that it infected unsecured internet of things (IoT) devices, such as DVRs and IP cameras, and it largely slipped under the radar until it was large enough to launch sustained, significant and record-breaking attacks.

Read on for a reverse timeline of how Mirai has evolved to date, who is involved, and who the victims of this alarmingly powerful IoT botnet are.

December 2017: Suspects admit guilt in Mirai botnet

Two people have pleaded guilty to their role in developing and then deploying the Mirai internet of things botnet.

KrebsOnSecurity flagged Paras Jha, 21, and Josiah White, 20, as likely culprits behind the malware in January this year. Ironically, they ran a business that provided mitigation against large-scale DDoS attacks.

They also pleaded guilty to charges of using Mirai to commit online click fraud, which they admitted netted them roughly $180,000 worth of Bitcoin.

According to court documents, a third person, Dalton Norman, 21, rented the botnet to generate his own income through click fraud. The documents also say that Norman assisted Jha and White in finding new exploits in IoT devices to further spread the malware.

Mirai successfully exploited flaws in IoT devices such as IP cameras, consisted of a record-breaking 300,000 devices at its height, Krebs writes, and knocked large sections of the internet offline.

February 2017: British man arrested under suspicion of Deutsche Telekom attack

The National Crime Agency arrested a 29-year-old man at Luton airport on suspicion of being the perpetrator of the Deutsche Telekom Mirai attack. Germany’s federal criminal police force, which is treating the crime as a threat to the country’s wider infrastructure, is seeking extradition.

February 2017: Mirai variant turns to Windows

Kaspersky Lab researchers found that a Chinese-speaking hacker had created a version of Mirai based on the Windows operating system. The company pointed out that its ability to spread across operating systems was limited: “It can only deliver the Mirai bots from an infected Windows host to a vulnerable Linux IoT device if it is able to successfully brute-force a remote telnet connection.”

But it was a signal that the Mirai threat will continue to evolve in new and unexpected ways for some time to come, the researchers said.

The bot was coded and compiled on a Chinese system, Kaspersky added, and signed with stolen code-signing certificates from Xi’an JingTech electronic Technology and Partner Tech (Shanghai), a pair of silicon and wafer manufacturers.

January 2017: Brian Krebs says he knows the identity of the Mirai author

Brian Krebs, the security researcher whose own site was famously among the first to be attacked by Mirai, put in “hundreds of hours of research” – ultimately claiming that there were enough similarities between ‘Anna-Senpai’ and Paras Jha, the owner of a DDoS mitigation company called ProTraf Solutions, to identify them as the same person.

December 2016: TalkTalk and Post Office telecom hit by Mirai

British ISP TalkTalk reported that customers using its D-Link DSL-3780 router had been targeted by Mirai. Post Office Telecom, meanwhile, said that it had also been targeted by a suspected Mirai attack that left customers without access to broadband.

November 2016: Mirai goes on sale

Two hackers calling themselves BestBuy and Popopret began advertising that their Mirai botnet of 400,000 bots was up for rent. BestBuy told a journalist for Motherboard that the two of them were behind the Deutsche Telekom outage and apologised. “It was not our intention,” BestBuy said.

Buyers could rent 20,000 compromised nodes for $2,000 to launch hour-long attacks across two weeks. For $20,000, customers could make full use of 600,000 bots capable of reaching traffic of 700 Gbps.

November 2016: Mirai shuts down web access for almost a million Germans

An updated Mirai variant, running code that exploits security holes in routers from OEM manufacturers Zyxel and Speedport, brought down web access for almost a million Deutsche Telekom customers for two days.

Researchers at SANS ISC said: “For the last couple days, attacks against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This may have already caused severe issues for German ISP Deutsche Telekom and may affect others as well. For Deutsche Telekom, Speedport routers appeared to be the main issue.”

November 2016: Mirai takes Liberia offline

Mirai DDoS attacks took many of Liberia’s websites offline over the course of a week in November. Security researcher Kevin Beaumont wrote at the time: “Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access.

“From monitoring we can see websites hosted in the country going offline during the attacks – additionally a source in the country at a telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack.

“The attacks are extremely worrying because they suggest a Mirai operator who has enough capacity to seriously impact systems in a nation state.”

October 2016: Spotify, Reddit, Twitter taken offline by Mirai

Dyn, a core internet services provider for Twitter, Spotify, Reddit and other popular websites, was hit with an enormous DDoS attack on its DNS infrastructure on the east coast of America. The DDoS caused the sites to slow down or stop working entirely.

October 2016: Known Mirai-infected bots double

Colorado-based Level 3 Communications examined the command and control (C2) servers that communicate with compromised IoT devices and estimated that the number of infected bots rose from 213,000 to at least 493,000 after the source code was made public.

“We have been able to identify bots via communications with the C2,” Level 3 wrote. “Once new bots are identified, their common communications lead to new C2s, which then lead to more bots.”

October 2016: Mirai source code released

A user calling themselves Anna-senpai said on the Hackforums message board that the scope of the Krebs attack had caused ISPs to “clean up their act” – and that the “max pull is about 300k bots, and dropping.” The user then released the code as open source, free for all to access.

September 2016: OVH hit by Mirai

The CTO of French cloud and web hosting company OVH, Octave Klaba, reported a huge DDoS attack on several of its customers’ websites. Klaba noted that the attacks came from 145,607 separate devices, directing a DDoS at OVH at more than 1.5 Terabytes per second. They were largely WebIP cameras, but OVH also noticed traffic from routers, NAS boxes, DVRs and Raspberry Pis.

“What all these connected devices have in common is the existence of security vulnerabilities caused by a flawed software design or gross negligence on the part of their manufacturers,” OVH wrote in a blog post.

September 2016: KrebsOnSecurity hit by record-breaking DDoS

Independent security researcher Brian Krebs had a DDoS pointed at his website in September, running at an astonishing 620 Gigabits per second. The company that protects his website, Akamai, noted that the attack appeared to “have been launched almost exclusively by a very large botnet of hacked devices”.

“Someone has a botnet with capabilities we haven’t seen before,” Akamai’s Martin McKeay said. “We looked at the traffic coming from the attacking systems, and they weren’t just from one region of the world or from a small subset of networks, they were everywhere.”

August 2016: Discovery

White hat security researchers at MalwareMustDie discovered a new trojan packaged as an ELF binary, the executable format used by Linux and other Unix-like systems. They found that the binary was called “mirai.*”, and that its main functionality was launching telnet attacks against other systems. MalwareMustDie warned at the time that ELF Linux/Mirai had an extremely low detection ratio, including on x86. “The reason for the lack of detection is because of the lack of samples, which are difficult to fetch from the infected IoT devices, routers, DVR, or WebIP Camera,” they wrote.

In short, Mirai searches the internet for devices that are easy to compromise and brute-forces its way in using a list of simple passwords. It then hunts for more vulnerable devices via the Telnet remote network protocol, creating an enormous self-replicating network that can be pointed at websites or services.
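As an added, defender-side example that is not from the article: the behaviour described above (one source probing telnet on many hosts) and the port 7547 surge quoted in the Deutsche Telekom entry both show up as fan-out patterns in perimeter logs. The script below runs over constructed firewall log lines, flags sources that probed telnet against several distinct hosts, and tallies hits on port 7547; the log format, addresses and thresholds are assumptions.

```python
from collections import defaultdict

# Constructed sample firewall log lines (not from the article): timestamp, src, dst, dport, action.
SAMPLE_LOGS = """\
2016-11-27T10:00:01 src=203.0.113.5 dst=192.0.2.10 dport=23 action=deny
2016-11-27T10:00:02 src=203.0.113.5 dst=192.0.2.11 dport=23 action=deny
2016-11-27T10:00:02 src=203.0.113.5 dst=192.0.2.12 dport=2323 action=deny
2016-11-27T10:00:03 src=203.0.113.5 dst=192.0.2.13 dport=23 action=deny
2016-11-27T10:00:04 src=203.0.113.5 dst=192.0.2.14 dport=23 action=deny
2016-11-27T10:00:05 src=198.51.100.7 dst=192.0.2.10 dport=7547 action=deny
2016-11-27T10:00:06 src=198.51.100.7 dst=192.0.2.11 dport=7547 action=deny
2016-11-27T10:00:07 src=198.51.100.8 dst=192.0.2.10 dport=443 action=allow
2016-11-27T10:00:08 src=198.51.100.9 dst=192.0.2.10 dport=23 action=deny
"""

TELNET_PORTS = {23, 2323}  # telnet ports Mirai's scanner probed (2323 is a detail not in the article)
TR064_PORT = 7547          # port whose scan surge the SANS researchers tied to the Deutsche Telekom outage

def parse_line(line):
    """Split one 'key=value' style log line (assumed format) into (src, dst, dport)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])  # [1:] drops the timestamp
    return fields["src"], fields["dst"], int(fields["dport"])

def find_scanners(log_text, min_targets=4):
    """Return sources that tried telnet against at least min_targets distinct hosts (assumed threshold)."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        src, dst, dport = parse_line(line)
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)

def count_port_hits(log_text, port):
    """Count connection attempts to one port per source; a sudden rise on 7547 was the signal SANS saw."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        src, _, dport = parse_line(line)
        if dport == port:
            counts[src] += 1
    return dict(counts)

if __name__ == "__main__":
    print("telnet fan-out sources:", find_scanners(SAMPLE_LOGS))
    print("port 7547 hits by source:", count_port_hits(SAMPLE_LOGS, TR064_PORT))
```

In a real deployment the same two counts would be computed per time window so that a jump relative to the previous window, rather than an absolute number, raises the alert.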

Copyright © 2017 IDG Communications, Inc.