New research presented at the USENIX conference is providing deep insight into the evolution of the Mirai botnet over a seven-month period.
The Mirai botnet first achieved notoriety in September 2016 after attacking the site of a popular security blogger and hosting provider OVH with nearly 1 Terabit per second of Distributed Denial of Service (DDoS) attack traffic. In October, Mirai brought the internet to a near standstill for many users in the East Coast of the U.S with one of the largest DDoS attacks ever recorded.
The 19-page study titled, 'Understanding the Mirai Botnet' was authored by long list of contributors, including: Manos Antonakakis, Georgia Institute of Technology; Tim April, Akamai; Michael Bailey, University of Illinois, Urbana-Champaign; Matt Bernhard, University of Michigan, Ann Arbor; Elie Bursztein, Google; Jaime Cochran, Cloudflare; Zakir Durumeric and J. Alex Halderman, University of Michigan, Ann Arbor; Luca Invernizzi, Google; Michalis Kallitsis, Merit Network, Inc.; Deepak Kumar, University of Illinois, Urbana-Champaign; Chaz Lever, Georgia Institute of Technology; Zane Ma and Joshua Mason, University of Illinois, Urbana-Champaign; Damian Menscher, Google; Chad Seaman, Akamai; Nick Sullivan, Cloudflare; Kurt Thomas, Google; Yi Zhou, University of Illinois, Urbana-Champaign.
The study provides insight from analysis and data collected from Aug. 1 2016 to Feb. 28, 2017, showing how the botnet evolved over that time period.
"We track the outbreak of Mirai and find the botnet infected nearly 65,000 IoT devices in its first 20 hours before reaching a steady state population of 200,000 – 300,000 infections," the report states. "These bots fell into a narrow band of geographic regions and autonomous systems, with Brazil, Columbia, and Vietnam disproportionately accounting for 41.5 percent of infections."
Mirai evolved through multiple stages over the seven months that the research analyzed. The initial infection state included 200,000–300,000 infections by the end of September 2016. Mirai hit a peak of 600,000 infections at the end of November 2016 and declined to approximately 100,000 infections at the end February 2017.
The Mirai botnet was noteworthy in that it took specific aim at Internet of Things (IoT) connected devices by exploiting publicly known or default login credentials. The researchers were able to identify 84 devices and/or vendors associated with the passwords used by Mirai to exploit devices.
Mirai's source code was publicly released or leaked at the end of September 2016, which led to the creation of new variants and capabilities.
"While the original Mirai variant infected devices by attempting Telnet and SSH logins with a static set of credentials, later strains evolved to scan for other types of vulnerabilities," the report states.
While the Mirai ecosystem grew significantly after the public source code release, the researchers noted that the botnet already had multiple variants prior to September 2016.
"Between August 7, 2016 and September 30, 2016 — when the source code was publicly released — 24 unique Mirai binaries were uploaded to VirusTotal," the reports states. "After the public release, we observed the rapid emergence of new features, ranging from improved infection capabilities to hardened binaries"
Overall, the report found that by statically analyzing over 1,000 malware samples, the researchers were able to determine that Mirai-related botnets were responsible for over 15,000 attacks.
Mirai is perhaps the largest IoT driven botnet ever yet seen on the internet, though it didn't exploit any particularly unique or previously unknown security vulnerabilities.
"We find that the absence of security best practices — established in response to desk- top worms and malware over the last two decades — has created an IoT substrate ripe for exploitation," the report states. "Without improved defenses, IoT-based attacks are likely to remain a potent adversarial technique as bot net variants continue to evolve and discover new niches to infect."
"In light of this, Mirai seems aptly named — it is Japanese for - the Future," the report warns.
Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.