from Wikipedia
Mirai
Original authors: Paras Jha, Josiah White and Dalton Norman
Written in: C (agent), Go (controller)
Operating system: Linux
Type: Botnet
License: GNU General Public License v3.0
Website: github.com/jgamblin/Mirai-Source-Code

Mirai (from the Japanese word for "future", 未来) is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.[1] The Mirai botnet was first found in August 2016[2] by MalwareMustDie,[3] a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016[4] on computer security journalist Brian Krebs' website, an attack on French web host OVH,[5] and the October 2016 DDoS attacks on Dyn.[6][7] According to a chat log between Anna-senpai (the malware's original author) and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.[8]

The software was initially used by the creators to DDoS Minecraft servers and companies offering DDoS protection to Minecraft servers, with the authors using Mirai to operate a protection racket.[9] The source code for Mirai was subsequently published on Hack Forums as open-source.[10] Since the source code was published, the techniques have been adapted in other malware projects.[11][12]

Malware

Devices infected by Mirai continuously scan the internet for the IP address of Internet of things (IoT) devices. Mirai includes a table of IP address ranges that it will not infect, including private networks and addresses allocated to the United States Postal Service and Department of Defense.[13]

Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory default usernames and passwords, and logs into them to infect them.[5][14][15] Infected devices will continue to function normally, except for occasional sluggishness,[14] and an increased use of bandwidth. A device remains infected until it is rebooted, which may involve simply turning the device off and after a short wait turning it back on. After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.[14] Upon infection Mirai will identify any "competing" malware, remove it from memory, and block remote administration ports.[16]

Victim IoT devices are identified by "first entering a rapid scanning phase where it asynchronously and 'statelessly' sent TCP SYN probes to pseudo-random IPv4 addresses, excluding those in a hard-coded IP blacklist, on telnet TCP ports 23 and 2323".[17] If an IoT device responds to the probe, the attack enters a brute-force login phase, in which the attacker tries to establish a telnet connection using predetermined username and password pairs from a list of credentials. Most of these are the IoT vendor's default usernames and passwords. If the device accepts the Telnet login, the victim's IP address and the credential that worked are sent to a collection server.

Many IoT devices use default settings, which makes them vulnerable to infection. Once infected, a device monitors a command-and-control server that indicates the target of an attack.[14] Using such a large number of IoT devices lets an attacker bypass anti-DoS software that monitors the IP addresses of incoming requests and filters or blocks them when it detects an abnormal traffic pattern, for example too many requests from one IP address. Other reasons include marshalling more bandwidth than the perpetrator could assemble alone and avoiding being traced.
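The scanning behaviour described above leaves a recognisable trace in network flow records, as this added example shows (it is not code from the page or from the Mirai project): it flags any source that sends SYN-only probes to many distinct hosts on ports 23 or 2323 within a short window while never completing a handshake. The record format, the sample records and the thresholds are assumptions made for this example.

```python
"""Flag Mirai-style Telnet scanning in flow records.

Added example for this page; it is not code from the page or from the
Mirai project. It looks for the behaviour described above: a single
source sending bare TCP SYNs to many distinct hosts on ports 23 and 2323
without ever completing a handshake. The record format, the sample
records and the thresholds are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}

# Constructed sample records: "<ISO time> <src> <dst> <dport> <flags>".
# <flags> lists the TCP flags the source itself sent on that flow, so a
# bare "S" means a half-open probe and "SA" means SYN followed by ACK,
# i.e. a completed three-way handshake from the client's side.
SAMPLE_FLOWS = """\
2016-09-20T10:00:00 192.0.2.10 198.51.100.5 23 S
2016-09-20T10:00:00 192.0.2.10 198.51.100.77 23 S
2016-09-20T10:00:01 192.0.2.10 203.0.113.9 2323 S
2016-09-20T10:00:01 192.0.2.10 203.0.113.44 23 S
2016-09-20T10:00:02 192.0.2.10 198.51.100.200 23 S
2016-09-20T10:00:02 192.0.2.10 203.0.113.120 2323 S
2016-09-20T10:00:03 192.0.2.10 198.51.100.33 23 S
2016-09-20T10:00:03 192.0.2.10 203.0.113.71 23 S
2016-09-20T10:00:10 192.0.2.20 198.51.100.5 23 SA
2016-09-20T10:00:12 192.0.2.30 198.51.100.9 443 S
2016-09-20T10:00:13 192.0.2.30 198.51.100.9 443 S
2016-09-20T10:00:20 192.0.2.40 203.0.113.9 23 S
2016-09-20T10:00:21 192.0.2.40 203.0.113.10 23 S
"""


def parse_flows(text):
    """Parse the sample format into (time, src, dst, dport, flags) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, flags = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport), frozenset(flags)))
    return flows


def find_telnet_scanners(flows, window=timedelta(seconds=60), min_targets=5):
    """Return {src: peak_distinct_targets} for sources that, inside any
    `window`, sent SYN-only probes to at least `min_targets` distinct
    hosts on a Telnet port. Completed sessions (flags beyond S) and
    repeated probes of one host do not count, so a legitimate Telnet
    user or a single stuck client is not flagged."""
    probes = defaultdict(list)
    for ts, src, dst, dport, flags in flows:
        if dport in TELNET_PORTS and flags == {"S"}:
            probes[src].append((ts, dst))

    scanners = {}
    for src, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                scanners[src] = max(scanners.get(src, 0), len(targets))
    return scanners


if __name__ == "__main__":
    for src, n in find_telnet_scanners(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src}: SYN-only probes to {n} distinct Telnet hosts in one window")
```

On the constructed records only 192.0.2.10 is flagged; the completed session from 192.0.2.20, the non-Telnet traffic from 192.0.2.30 and the two-host probe from 192.0.2.40 fall below the rule.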

Mirai as an Internet of things (IoT) threat has not been stopped by the arrest of the actors.[citation needed] Some[who?] believe that other actors are using the source code on GitHub to evolve Mirai into new variants. They[who?] speculate that the goal is to expand the botnet to many more IoT devices. Recent developments in these variants are described in the following paragraphs.

Variants

On 12 December 2017, researchers identified a variant of Mirai exploiting a zero-day flaw in Huawei HG532 routers to accelerate Mirai botnet infection,[18] implementing two known SOAP-related exploits against the routers' web interface, CVE-2014-8361 and CVE-2017-17215. This Mirai version is called "Satori".

On 14 January 2018, a new variant of Mirai dubbed "Okiru", the Japanese word for "get up", which already targeted popular embedded processors such as ARM, MIPS, x86 and PowerPC,[19] was found targeting ARC-based Linux devices[20] for the first time. The Argonaut RISC Core (ARC) processor is the second-most-popular embedded 32-bit processor, shipped in more than 1.5 billion products per year, including desktop computers, servers, radios, cameras, mobile devices, utility meters, televisions, flash drives, automotive systems, networking devices (smart hubs, TV modems, routers, wifi) and Internet of Things devices. Only a relatively small number of ARC-based devices run Linux and are therefore exposed to Mirai.

On 18 January 2018, a successor of Mirai was reported to be designed to hijack cryptocurrency mining operations.[21]

On 26 January 2018, two similar Mirai variant botnets were reported; the more heavily modified one weaponizes the EDB 38722 exploit for D-Link routers to enlist further vulnerable IoT devices. A vulnerability in the routers' Home Network Administration Protocol (HNAP) is used to craft a malicious query that bypasses authentication and leads to arbitrary remote code execution. The less modified version of Mirai is called "Masuta" (after the Japanese transliteration of "Master"), while the more modified version is called "PureMasuta".[22]

In March 2018, a new variant of Mirai, dubbed "OMG", surfaced with added configurations to target vulnerable IoT devices and turn them into proxy servers. New firewall rules that allow traffic through the generated HTTP and SOCKS ports were added to the Mirai code. Once these ports are open to traffic, OMG sets up 3proxy, open-source software available on a Russian website.[23]

Between May and June 2018, another variant of Mirai, dubbed as "Wicked", has emerged with added configurations to target at least three additional exploits including those affecting Netgear routers and CCTV-DVRs. Wicked scans ports 8080, 8443, 80, and 81 and attempts to locate vulnerable, unpatched IoT devices running on those ports. Researchers suspect the same author created the Wicked, Sora, Owari, and Omni botnets.[24][25]

In early July 2018 it was reported that at least thirteen versions of Mirai had been detected actively infecting Linux Internet of things (IoT) devices on the internet, three of which were designed to target specific vulnerabilities using proof-of-concept exploits rather than brute-forcing default credentials.[26] In the same month, a report was published on a campaign infecting Android devices with Mirai through the Android Debug Bridge on TCP/5555, an optional feature of the Android operating system that was found to be enabled on some Android phones.[27]

At the end of 2018, a Mirai variant dubbed "Miori" started being spread through a remote code execution vulnerability in the ThinkPHP framework, affecting versions 5.0.23 to 5.1.31. This vulnerability continued to be abused by the further evolved Mirai variants "Hakai" and "Yowai" in January 2019 and "SpeakUp" in February 2019.[28]

The Mirai-based “Gayfemboy” botnet, discovered in 2024, targets global systems and exploits multiple vulnerabilities. The effects were also evident in 2025.[29]

Use in DDoS attacks

Mirai was used, alongside BASHLITE,[30] in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s.[31] Ars Technica also reported a 1 Tbit/s attack on French web host OVH.[5]

On 21 October 2016, multiple major DDoS attacks against the DNS services of provider Dyn were carried out using Mirai malware installed on a large number of IoT devices, many of which were still using their default usernames and passwords.[32] These attacks made several high-profile websites inaccessible, including GitHub, Twitter, Reddit, Netflix, Airbnb and many others.[33] The attribution of the Dyn attack to the Mirai botnet was originally reported by Level 3 Communications.[30][34]

Mirai was later revealed to have been used during the DDoS attacks against Rutgers University from 2014 to 2016, which left faculty and students on campus unable to access the outside Internet for several days at a time. Additionally, a failure of the university's Central Authentication Service caused course registration and other services to become unavailable during critical times in the academic semester. The university reportedly spent $300,000 in consultation and increased the cyber-security budget of the university by $1 million in response to these attacks. The university cited the attacks among its reasons for the increase in tuition and fees for the 2015–2016 school year.[35] A person under the alias "exfocus" claimed responsibility for the attacks, stating in a Reddit AMA on the /r/Rutgers subreddit that the user was a student at the school and the DDoS attacks were motivated by frustrations with the university's bus system. The same user later claimed in an interview with a New Jersey–based blogger that they had lied about being affiliated with the university and that the attacks were being funded by an anonymous client. Security researcher Brian Krebs later alleged the user was indeed a student at Rutgers University and that the latter interview was given in an attempt to distract investigators.[8]

Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.[36]

Mirai has also been used in an attack on Liberia's Internet infrastructure in November 2016.[37][38][39] According to computer security expert Kevin Beaumont, the attack appears to have originated from the actor which also attacked Dyn.[37]

Its DDoS attacks were also notable in Brazil, Taiwan, Costa Rica and India.[40]

Other notable incidents

At the end of November 2016, approximately 900,000 routers from Deutsche Telekom, produced by Arcadyan, crashed due to failed TR-064 exploitation attempts by a variant of Mirai, which resulted in Internet connectivity problems for the users of these devices.[41][42] While TalkTalk later patched their routers, a new variant of Mirai was discovered in TalkTalk routers.[43]

A British man suspected of being behind the attack was arrested at Luton Airport, according to the BBC.[44]

Identity of the author

On January 17, 2017, computer security journalist Brian Krebs posted an article on his blog, Krebs on Security, where he disclosed the name of the person he believed had written the malware. Krebs stated that the likely real-life identity of Anna-senpai (named after Anna Nishikinomiya, a character from Shimoneta), the author of Mirai, was Paras Jha, an Indian-American who owned the DDoS mitigation company ProTraf Solutions and was a student at Rutgers University. In an update to the original article, Paras Jha responded to Krebs and denied having written Mirai.[8] The FBI was reported to have questioned Jha about his involvement in the October 2016 Dyn cyberattack.[45] On December 13, 2017, Paras Jha, Josiah White, and Dalton Norman entered a guilty plea to crimes related to the Mirai botnet.[46] The trio assisted the government with other cybersecurity investigations, and were sentenced to probation and community service without imprisonment.[47]

Daniel Kaye, 29, also known by the aliases "BestBuy", "Popopret" and "Spiderman", has been accused of "using an infected network of computers known as the Mirai botnet to attack and blackmail Lloyds Banking Group and Barclays banks," according to the NCA. He was extradited from Germany to the UK according to the same report. Kaye has also pleaded guilty in court to hijacking more than 900,000 routers from the network of Deutsche Telekom.[48][49]

Researchers later pointed to the handle "Nexus Zeta" as the author of new variants of Mirai (dubbed Okiru, Satori, Masuta and PureMasuta),[50][51][22] and on August 21, 2018, an American grand jury indicted Kenneth Currin Schuchman, 20, aka Nexus Zeta, for knowingly causing the transmission of a program, information, code, and commands, and as a result of such conduct intentionally causing damage without authorization to protected computers, according to the indictment filed in U.S. District Court in Anchorage,[52][53] followed by the arrest and trial of the suspect.[54]

American electronic musician and composer James Ferraro's 2018 album Four Pieces for Mirai references Mirai in its ongoing narrative.

from Grokipedia
Mirai is self-propagating malware that primarily targets Linux-based Internet of Things (IoT) devices, such as IP cameras and routers, by scanning for open Telnet or SSH ports and brute-forcing weak or default credentials to infect them and enslave them into a botnet for distributed denial-of-service (DDoS) attacks. Emerging in August 2016, Mirai rapidly expanded to infect hundreds of thousands of devices due to its aggressive propagation mechanism, which includes random IP scanning across the internet, attempting logins with a hardcoded list of over 60 common username-password pairs, and terminating competing processes to secure dominance on the host. The botnet's command-and-control infrastructure used hardcoded IP addresses for infected devices to report back, enabling operators to direct DDoS payloads such as ACK floods and novel vectors such as GRE IP and Ethernet floods. Mirai gained notoriety for orchestrating unprecedented DDoS campaigns, including a September 2016 attack on researcher Brian Krebs' website that peaked at 620 Gbps, then the largest recorded, and an October assault on DNS provider Dyn that exceeded 1 Tbps, causing widespread internet disruptions for numerous major services. Its source code was publicly released later that month, ostensibly by its primary developer, which democratized its replication and spawned dozens of variants still active in 2025, underscoring persistent IoT vulnerabilities rooted in manufacturers' failure to enforce strong credentials.

Overview

Core Functionality and Design Principles

Mirai operates as a self-propagating worm targeting Internet of Things (IoT) devices, primarily those with embedded systems and weak authentication, to assemble a botnet for distributed denial-of-service (DDoS) attacks. Its core functionality centers on scanning the IPv4 address space for vulnerable devices, infecting them via brute-force credential attacks over Telnet (ports 23 and 2323), and coordinating the compromised "bots" to execute high-volume DDoS floods against designated targets. Once infected, bots report to a command-and-control (C&C) server, which issues directives for attacks including UDP floods, TCP SYN/ACK floods, GRE packet floods (capable of up to 280 Gbps), HTTP floods with spoofed user agents, and DNS amplification. The malware's propagation relies on a dictionary of approximately 62 hardcoded username-password pairs, such as "admin:admin", exploiting factory-default credentials common in devices like CCTV cameras, digital video recorders (DVRs), and routers.

The botnet's architecture emphasizes modularity and efficiency, comprising distinct components: a scanner module for random address probing and credential testing, a loader server for delivering architecture-specific binaries (e.g., for MIPS, ARM, x86), and a "killer" function that terminates competing malware processes to secure territorial dominance on the host. Bots are implemented in C for lightweight execution on resource-constrained IoT hardware, while the C&C infrastructure uses Go for server-side operations, enabling scalable management of up to 600,000 infections observed by late 2016. Design principles prioritize simplicity over complex exploits, avoiding zero-day vulnerabilities in favor of widespread misconfigurations, with stateless scanning that achieves rapid doubling times (e.g., 75 minutes in early infections).

Propagation is worm-like but constrained by low-bandwidth devices, generating pseudorandom IPv4 targets and self-limiting scans to evade detection, while infected bots hide processes (e.g., via names mimicking legitimate services) and exclude certain IP ranges, such as those of the U.S. Postal Service. Mirai's DDoS efficacy stems from aggregating the outbound capacity of infected devices into volumetric attacks, peaking at 623 Gbps in documented incidents, with attack vectors tailored to amplify traffic such as GRE IP/Ethernet floods and TCP STOMP. The design incorporates evasion through encrypted command strings and emulation of legitimate traffic patterns, though it lacks advanced persistence beyond reinfection attempts. This approach reflects a pragmatic focus on exploiting IoT ecosystem flaws, prioritizing speed and scale over sophistication, enabling operators to repurpose bots across multiple C2 clusters without device-specific customizations.

Initial Detection and Scale

Mirai was first detected on August 1, 2016, through network scans originating from a single IP address, marking the initial observation of its propagation activity. Independent analysis by the white-hat security group MalwareMustDie confirmed the malware's presence in the wild on August 4, 2016, identifying it as a recycled ELF trojan targeting Linux-based IoT devices via telnet exploits and default credentials. Early samples exhibited low antivirus detection rates and self-deletion mechanisms, complicating retrieval and initial containment efforts.

The botnet demonstrated explosive early growth, infecting 64,500 devices within the first 20 hours of observed activity, with infection rates doubling approximately every 75 minutes due to its aggressive scanning and brute-force propagation against vulnerable IoT hardware such as cameras, DVRs, and routers. By September 2016, the network stabilized at 200,000 to 300,000 infections, concentrated in regions like Brazil (15%), Colombia (14%), and Vietnam (12.5%), reflecting the global distribution of unsecured devices. This rapid scaling enabled DDoS attacks of unprecedented volume, including the September 20-21 assault on KrebsOnSecurity, which peaked at 623 Gbps using around 145,000 bots, highlighting Mirai's capacity to weaponize everyday consumer devices en masse. Peak infections reached approximately 600,000 devices by late November 2016, before declining to around 100,000 by February 2017 amid sinkholing efforts and the source code release on September 30, 2016, which spurred variants but fragmented the original botnet. The malware's scale underscored systemic vulnerabilities in IoT manufacturing, where default or weak credentials allowed unchecked horizontal infection across networks.

Technical Architecture

Infection and Propagation Methods

Mirai primarily infects Linux-based Internet of Things (IoT) devices, such as routers, IP cameras, and digital video recorders, by exploiting weak or default credentials rather than software vulnerabilities. Infected devices continuously scan the IPv4 address space using random selection algorithms to identify potential targets, probing for open ports (typically TCP ports 23 and 2323) and, less frequently, SSH services. This scanning is distributed across the botnet, with each compromised device contributing to the propagation effort, enabling rapid spread; for instance, during its 2016 peak, Mirai's scanners generated billions of connection attempts per day.

Upon detecting an open Telnet port, the malware attempts authentication using a hardcoded list of approximately 62 common username-password combinations, such as "root" with passwords like "xc3511", "vizxv", or "admin", which are defaults found on many mass-produced IoT devices from manufacturers like XiongMai Technologies. This method relies on a fixed credential list rather than full brute-force or dictionary attacks, prioritizing speed and efficiency and avoiding adaptive defenses. Successful logins prompt the device to download an architecture-specific binary (supporting MIPS, ARM, x86, SPARC, and others) via tools such as tftp, which is then executed to install the bot.

Post-infection, the malware establishes persistence by killing processes associated with competing botnets (e.g., those using strings like "telnetd" or known signatures), overwriting memory, and setting up background processes or scheduled jobs to ensure self-restart. The newly infected bot then connects to a hardcoded report server to register itself, after which it begins independent scanning and propagation, forming a self-sustaining network without requiring further loader intervention for routine spread. This decentralized model, combined with the vast number of insecure IoT devices (estimated at hundreds of thousands infected in Mirai's early waves), allowed the botnet to scale to over 500,000 nodes by 2016.

Command-and-Control Operations

Mirai's command-and-control (C2) operations relied on a centralized model in which infected bots connected to a hardcoded list of C2 servers, typically identified by IP addresses or domains embedded in the binary. These servers, implemented in the Go programming language, coordinated activities by issuing directives to compromised IoT devices. Bots established outbound TCP connections to C2 endpoints, often on port 23, to receive operational instructions, enabling operators to orchestrate distributed denial-of-service (DDoS) campaigns without direct device access.

The protocol employed a custom binary format, reverse-engineered from samples, featuring asynchronous command dispatching from C2 to bots. Traffic between bots and servers was obfuscated using a simple XOR-based scheme, though some analyses describe it as minimally encrypted to evade basic monitoring, with no advanced cryptographic standards like TLS. Bots initiated sessions by reporting their presence and capabilities, after which C2 servers broadcast commands specifying attack vectors, such as UDP floods, SYN floods, or HTTP floods, including target IP addresses, ports, packet sizes, and durations, up to 1 Tbps in peak incidents. Reports of successful logins were routed to separate hardcoded report servers, distinct from primary C2 nodes, to facilitate propagation tracking.

Command issuance operated hierarchically: C2 clusters, numbering around 33 identified via DNS lookups, managed subsets of bots, with operators observing over 64,000 unique commands across 484 C2 IPs from September 2016 to February 2017. Attack commands were stateless, requiring no persistent bot acknowledgments beyond initial check-ins, which minimized overhead on resource-constrained IoT hardware but exposed the botnet to disruption by targeting centralized C2 endpoints. This design prioritized scale for massive DDoS amplification, leveraging unsecured devices for raw volumetric attacks rather than stealth.

After the 2016 leak, the original C2 weaknesses, such as reliance on static servers, prompted variants to adopt measures such as dynamic domain generation, but core Mirai operations remained vulnerable to seizures of key infrastructure, as demonstrated by arrests tied to server hosting in 2017.
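The XOR obfuscation this section describes is worth seeing broken from an analyst's side. The following is an added example, not the page's or Mirai's own code: it assumes a constructed 4-byte repeating key and a constructed plaintext table built from credential pairs the page names, and recovers the key from the obfuscated blob using "admin:admin" as a known-plaintext crib, which is all a simple XOR scheme needs to fall.

```python
"""Recover a short repeating XOR key from an obfuscated blob.

Added example for this page; it is not code from the page or from the
Mirai project. The page states that bot/C2 traffic and embedded strings
were hidden with a simple XOR scheme rather than real encryption. If any
fragment of the plaintext is predictable (here a default credential pair
the page lists, "admin:admin"), the key falls out by known-plaintext
recovery. The key, its length and the plaintext are all constructed for
this example and are not Mirai's real values.
"""


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Apply a repeating-key XOR (the operation is its own inverse)."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


KEY = bytes([0x5A, 0xA5, 0x3C, 0xC3])  # constructed, not Mirai's key
PLAINTEXT = b"root:xc3511\nadmin:admin\nroot:vizxv\n"  # credential pairs named on the page
BLOB = xor_bytes(PLAINTEXT, KEY)  # stand-in for a captured obfuscated blob


def find_keys(blob: bytes, crib: bytes, key_len: int):
    """Slide `crib` over every offset; where the implied key stream is
    periodic with period `key_len`, return (offset, key). The crib must be
    at least `key_len` bytes long so that every key byte is determined."""
    if len(crib) < key_len:
        raise ValueError("crib shorter than key length")
    hits = []
    for off in range(len(blob) - len(crib) + 1):
        # If the crib really sits at `off`, these are the key bytes used there.
        stream = xor_bytes(blob[off:off + len(crib)], crib)
        key = [None] * key_len
        consistent = True
        for i, kb in enumerate(stream):
            slot = (off + i) % key_len
            if key[slot] is None:
                key[slot] = kb
            elif key[slot] != kb:
                consistent = False
                break
        if consistent:
            hits.append((off, bytes(key)))
    return hits


def looks_like_text(data: bytes) -> bool:
    """Cheap plausibility check: printable ASCII plus common whitespace."""
    return all(32 <= b < 127 or b in b"\r\n\t" for b in data)


def recover(blob: bytes, crib: bytes, key_len: int):
    """Return (key, plaintext) for the first crib position whose full
    decoding reads as text, or None if the crib fits nowhere."""
    for _, key in find_keys(blob, crib, key_len):
        plain = xor_bytes(blob, key)
        if looks_like_text(plain):
            return key, plain
    return None


if __name__ == "__main__":
    key, plain = recover(BLOB, b"admin:admin", key_len=4)
    print("recovered key:", key.hex())
    print(plain.decode())
```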

Evasion and Persistence Features

Mirai achieves persistence primarily through daemonization, running silently as a background process on compromised IoT devices to execute DDoS tasks and continue scanning for new victims. Unlike malware that installs boot-time hooks or scheduled jobs, Mirai lacks mechanisms to survive device reboots, relying instead on the botnet's ongoing scanning to reinfect devices post-restart. To maintain operational dominance, it systematically kills competing processes, targeting those listening on TCP ports 22 (SSH) and 23 (Telnet) via functions like killer_kill_by_port, as well as specific rival malware such as Qbot and variants containing ".anime" in their paths, using memory scraping and forceful termination signals (e.g., kill(pid, 9)). This "botnet hygiene" eliminates resource contention and reduces the likelihood of interference from other infections.

For evasion, Mirai deletes the downloaded infection binary from temporary directories (e.g., /tmp/) immediately after execution, erasing direct forensic traces of its delivery. It further obfuscates its presence by assigning pseudorandom alphanumeric strings to process names, complicating identification through process listings or monitoring tools. The original code lacks sophisticated anti-analysis features such as sandbox detection, prioritizing rapid infection over environmental probing; however, subsequent binaries from mid-September 2016 onward incorporated packing to impede analysis efforts. Network-level evasion includes using common user-agents (e.g., mimicking Chrome) during HTTP floods to blend with legitimate traffic and adapting to DDoS-mitigation services by recognizing their response signatures.

Origins and Development

Creators' Background and Intentions

The primary developers of Mirai were Paras Jha, Josiah White, and Dalton Norman, three young self-taught programmers in their late teens during the malware's creation in 2016. Jha, then 19, was a student at Rutgers University who had emigrated to the United States as an infant and demonstrated academic aptitude but struggled with sustained focus, eventually dropping out. White, also 19, was homeschooled in a Christian family and assisted in his family's computer repair business, honing programming skills independently. Norman, 20, from near New Orleans, overcame personal challenges including a stutter through self-directed coding. The trio connected via online hacking forums and chat platforms, initially bonding over interests in Minecraft server administration and competitive DDoS tactics against gaming rivals.

Their motivations stemmed from a mix of technical curiosity, desire for peer recognition in underground communities, and opportunistic profit-seeking, rather than ideological or state-sponsored aims. Jha and a collaborator, operating under pseudonyms such as "og_richard_stallman", sought to innovate beyond existing DDoS tools by targeting vulnerable Internet of Things (IoT) devices, viewing Mirai as a novel means to achieve overwhelming scale; one described the drive as wanting "to make something cool" and earn respect, while Jha likened it to possessing a "secret superpower." Early development focused on infecting devices like routers and cameras with weak default credentials, tested initially on personal websites and game servers amid gaming feuds, including Jha's repeated attacks on Rutgers University's network to disrupt competitors. This evolved into commercial exploitation through ProTraf Solutions LLC, a firm they co-founded to offer DDoS mitigation while secretly deploying attacks for hire or sale, generating earnings estimated at around $14,000 from Mirai-related services and additional revenue from ancillary click-fraud schemes infecting over 100,000 devices.

In December 2017, Jha, White, and Norman pleaded guilty to conspiracy charges for developing Mirai, which infected hundreds of thousands of IoT devices to form botnets capable of DDoS attacks peaking at over 300,000 nodes, admitting to unauthorized access and damage without attributing broader criminal uses like the 2016 Dyn outage directly to themselves. Jha faced additional penalties for the Rutgers assaults, reflecting personal vendettas tied to his student experiences, while the group's actions prioritized scalable disruption for hire over targeted malice, as evidenced by their forfeiture of proceeds approximating $225,000. These admissions, detailed in U.S. Department of Justice filings, underscore a progression from hobbyist experimentation to monetized cybercrime, enabled by the era's proliferation of unsecured IoT hardware.

Code Release and Proliferation Factors

The source code for Mirai was publicly released on October 1, 2016, by a user named "Anna-senpai" on the hacking forum Hackforums, shortly after high-profile DDoS attacks attributed to the botnet, including one targeting security researcher Brian Krebs on September 20, 2016. The approximately 3,000 lines of C code, comprising components for scanning, loading, and command-and-control, were posted without restrictions, enabling immediate access and reuse by the cybersecurity community and malicious actors alike. Anna-senpai claimed the release was intended to demonstrate the botnet's mechanics while discouraging further misuse, though this did not prevent exploitation; the code's authorship was later traced to Paras Jha and associates during U.S. legal proceedings.

Proliferation accelerated due to the code's open availability, which lowered barriers for novice and experienced threat actors to customize and deploy variants, spawning derivatives such as Masuta within weeks. Mirai's worm-like self-propagation, scanning for TCP port 23 (Telnet) and exploiting over 60 hardcoded default credentials on Linux-based IoT devices, combined with the minimal modifications needed for reuse, facilitated rapid rebuilding; by late 2016, variant infections numbered in the millions across routers, cameras, and DVRs. The IoT ecosystem's systemic vulnerabilities, including factory-default passwords and unpatched firmware, provided a vast pool of targets, with estimates of 500,000 to 1 million devices infectable daily post-release. Economic incentives in underground markets further drove adoption, as operators rented DDoS capacity for $5–$100 per hour, outcompeting proprietary tools and attracting state-affiliated and criminal groups seeking scalable disruption without building from scratch. Limited vendor responses, such as delayed updates, and the absence of widespread IoT standards exacerbated spread, with variants evading takedowns by altering C2 infrastructure or incorporating features like kill switches to claim infected devices. This democratization of botnet technology shifted Mirai from a single-operator tool to a foundational template, influencing over 100 documented variants by 2017.

Key Incidents and Deployments

Pre-2016 Testing and Early Uses

Paras Jha, the primary developer of Mirai, conducted early DDoS attacks using unrelated botnets prior to Mirai's creation, providing foundational experience in botnet operations that influenced its design. On November 19, 2014, Jha launched a DDoS attack on Rutgers University's registration website employing approximately 40,000 bots to target the central authentication server. Subsequent attacks followed, including one on March 4, 2015, at 8:15 p.m. EST, and a four-day disruption starting March 27, 2015, affecting 50,000 students, faculty, and staff. In September 2015, Jha targeted Rutgers again to promote his DDoS-mitigation firm, ProTraf Solutions. These pre-Mirai efforts utilized tools like variants of Qbot and competed with services such as vDOS, demonstrating Jha's focus on overwhelming targets in competitive online environments, particularly gaming rivalries.

Mirai's own development began in May 2016, when Jha partnered with Josiah White to build upon earlier concepts, culminating in the first operational version by August 2016. Initial testing involved rapid propagation, infecting 65,000 IoT devices within 20 hours by scanning for vulnerable embedded systems with weak default credentials. Early deployments targeted gaming infrastructure, including DDoS attacks on rival servers and mitigation providers like OVH's VAC, aimed at securing competitive advantages and monetizing stress-testing services. These uses preceded larger-scale incidents, with Mirai also directed at Rutgers servers during Jha's enrollment there, leveraging the botnet's growing scale for personalized disruptions. No verified evidence indicates Mirai activity before 2016, as its design specifically exploited the rising prevalence of unsecured IoT devices at that time.

2016 Peak Attacks

In September 2016, the Mirai botnet launched a distributed denial-of-service (DDoS) attack against the website of security researcher , peaking at approximately 620 Gbps of traffic. This assault, which began around September 20, was reportedly in retaliation for Krebs' investigative reporting on the malware's author, and it overwhelmed initial defenses until mitigation by Akamai Prolexic, which absorbed the volume using specialized scrubbing centers. The attack highlighted Mirai's capacity for sustained high-volume floods, primarily through UDP and TCP amplification methods exploiting IoT device bandwidth. Shortly thereafter, in late September 2016, Mirai targeted French hosting provider OVH in one of the largest recorded DDoS attacks at the time, exceeding 1 Tbps in volume and involving over 600,000 compromised IoT devices. OVH reported the assault as a multi-vector attack peaking at 1.1 Tbps or higher, which tested their anti-DDoS infrastructure but was ultimately contained without widespread outage. This incident underscored the botnet's scale during its operational peak, as the infected devices generated traffic far beyond traditional DDoS sources. The most disruptive 2016 attack occurred on , when Mirai-powered s struck DNS provider Dyn in multiple waves, causing intermittent outages for services including , , , and . Dyn estimated involvement of around 100,000 malicious endpoints, with traffic volumes comparable to prior Mirai strikes at over 1 Tbps in aggregate, though the impact stemmed more from DNS resolution failures than raw bandwidth saturation. These attacks, lasting several hours, amplified concerns over IoT vulnerabilities, as Mirai's self-propagating nature enabled rapid botnet growth to hundreds of thousands of nodes by mid-2016.

Post-Source Code Incidents

Following the public release of Mirai's source code on November 25, 2016, multiple independent actors adapted the malware into new botnets, sustaining high-volume DDoS campaigns into subsequent years. These post-leak deployments often involved variants that incorporated fresh exploits to evade defenses and expand infection vectors, resulting in disruptions to networks and services worldwide. One prominent example was the Satori variant, first observed in December 2017, which exploited a remote code execution vulnerability (CVE-2017-17215) in Huawei HG532 routers to rapidly propagate. Within days of its emergence, Satori infected tens of thousands of devices, generating massive scanning traffic and enabling DDoS attacks peaking at hundreds of gigabits per second against targeted infrastructure. The botnet's operator, Kenneth Schuchman, admitted to deploying Satori to compromise thousands of IoT devices for unauthorized DDoS operations, leading to his indictment in 2018 and a 13-month prison sentence in 2020. In parallel, the Okiru variant, detected around October 2017, marked the first Mirai derivative to target devices using ARC processors, such as certain routers and DVRs from vendors like and . By January 2018, Okiru had incorporated exploits for multiple vulnerabilities, potentially exposing over 1.5 billion ARC-based IoT devices to infection and bolstering DDoS with diverse hardware. This expansion contributed to heightened DDoS activity in 2018, including attacks on broadband providers and financial targets, though specific volumetric peaks were often attributed to combined efforts rather than isolated incidents. By 2018, variants like OMG further evolved Mirai by integrating mining alongside DDoS capabilities, infecting devices via weak credentials and unpatched flaws to sustain prolonged attack campaigns. 
These post-source adaptations amplified global DDoS frequency by 39% from early to mid-2018, with Mirai-derived botnets responsible for a significant share of IoT-fueled traffic floods exceeding 100 Gbps. Later iterations, such as Satori's 2021 exploitation of CVE-2020-9020 in Vantage Velocity units, demonstrated ongoing resilience, infecting industrial IoT systems for potential DDoS amplification.

Variants and Ongoing Threats

Major Derivatives

Satori, detected in December 2017, represents one of the earliest and most aggressive derivatives of Mirai, leveraging the leaked to exploit zero-day remote code execution vulnerabilities in HG532 routers via CVE-2017-17215, which allowed unauthenticated attackers to execute arbitrary commands over protocol. Unlike original Mirai's reliance on default credentials, prioritized vulnerability exploitation for propagation, rapidly amassing over 280,000 bots within days of activation, primarily for DDoS campaigns targeting UDP reflection and amplification. Its code base closely mirrored Mirai's loader, scanner, and C2 modules but introduced hardcoded exploit chains and reduced credential brute-forcing, reflecting adaptations for efficiency against patched devices. Okiru, emerging around October 2017, extended Mirai's architecture to target ARC processors prevalent in routers and set-top boxes, incorporating exploits for SDK vulnerabilities (e.g., CVE-2017-18368) and NetUSB components to bypass and inject payloads. This variant enhanced scanning modules to probe for open ports like 52869 and integrated new infection vectors, such as command injection in HTTP requests, enabling compromise of over 800,000 vulnerable devices globally by early 2018. Okiru's C2 communication retained Mirai's Telnet-based protocol but added proxying capabilities, allowing infected devices to serve as anonymized relays for further attacks. Subsequent derivatives like OMG, a 2018 offshoot of Okiru, repurposed infected IoT devices as SOCKS5 proxies rather than solely for DDoS, scanning for vulnerabilities in , , and routers while embedding persistence via modified . This shift demonstrated how Mirai forks evolved beyond raw scale toward versatile toolkits, with OMG's code including anti-analysis techniques like string obfuscation absent in the original. 
Gafgyt forks, often intertwined with Mirai derivatives due to shared codebase origins, incorporated additional DDoS modules such as HTTP Flood and Slowloris by 2021, targeting Linux-based servers alongside IoT hardware. These adaptations underscore the proliferation enabled by Mirai's open-source release, with variants collectively infecting millions of devices and sustaining DDoS traffic exceeding 1 Tbps in multiple incidents.

Recent Evolutions (2017–2025)

Following the public release of Mirai's source code in late 2016, numerous derivatives proliferated in 2017, adapting the original framework to exploit emerging vulnerabilities and expand target devices while maintaining self-propagation via weak credentials and hardcoded exploits. Satori, one of the earliest variants, emerged in December 2017 and targeted Huawei HG532 and AR1200 routers through a zero-day remote code execution flaw (CVE-2017-17215), infecting over 500,000 devices in hours without dictionary attacks, demonstrating faster worm-like spread than original Mirai. Okiru, appearing around October 2017, marked the first Mirai derivative compiled for Synopsys ARC processors, commonly used in embedded IoT systems, by incorporating exploits for Realtek SDK and other architectures to broaden infection vectors beyond MIPS-based devices. By 2018, variants like OMG further diversified capabilities, transforming compromised IoT devices into SOCKS5 proxy servers for anonymous traffic relay alongside DDoS functions, using enhanced scanning modules to target routers and cameras with multiple exploits. Masuta, another 2018 iteration, focused on dictionary-based attacks against routers with default or weak passwords, emphasizing through anti-analysis techniques and modular loaders. These adaptations reflected the open-source ecosystem's evolution, where attackers shared code improvements on underground forums, increasing resilience and scale despite original creators' arrests. Into the 2020s, Mirai lineages incorporated more zero-days and multi-architecture support, sustaining threats amid stagnant IoT security practices. A June 2019 variant added eight new exploits targeting Netwave IP cameras and other vendors, expanding the to unpatched . In August 2024, the Corona variant exploited a zero-day in AVTECH CCTV cameras (CVE-2024-8138) for initial foothold, then dropped Mirai payloads to propagate via brute-force, highlighting ongoing exploitation of legacy devices. 
Early 2025 saw intensified activity: a variant targeted AVTECH cameras and HG532 routers using known exploits like CVE-2017-17215 alongside . Another exploited a command injection flaw in Four-Faith industrial routers (CVE-2024-12856) since November 2024, enabling DDoS recruitment in contexts. These culminated in a 2025 record 5.6 Tbps DDoS attack on an ISP, orchestrated by a Mirai variant from over 13,000 IoT bots using UDP floods, underscoring persistent volumetric potency. Analyses through mid-2025 indicate Mirai's has spawned over 100 documented variants, with scanning patterns evolving to prioritize high-yield exploits over brute-force, infecting millions of devices annually due to unpatched IoT ecosystems and supply-chain delays in updates. Despite mitigation efforts like improved default credential policies, the malware's modular design and underground proliferation ensure ongoing adaptability, often evading detection via obfuscated C2 communications and rapid variant redeployment.

Identification and Arrests

The creators of the Mirai botnet malware were identified through a combination of forensic analysis by security researchers and federal investigations tracing operational artifacts back to their online activities. Paras Jha, a 21-year-old from Fanwood, New Jersey, operated under the pseudonym "Anna-senpai" and released the Mirai source code on the HackForums website in October 2016, providing key evidence of authorship via embedded comments, code style, and forum posts boasting about its capabilities. Jha's involvement was further linked through earlier DDoS attacks, including those on Rutgers University in 2014–2015, where he deployed precursor tools and profited from DDoS-for-hire services. Co-authors Josiah White, 20, from Washington state, and Andrew Boggs, 20, from Pittsburgh, Pennsylvania, were identified via collaborative coding contributions evident in the leaked codebase and shared infrastructure logs from botnet operations. The FBI's investigation, led by agents in due to jurisdictional ties to affected networks, utilized on seized servers, IP traces from DDoS incidents, and undercover monitoring of underground forums to corroborate identities. This effort culminated in charges announced by the U.S. Department of Justice on , 2017, with all three individuals pleading guilty to to violate the for developing and deploying Mirai to infect over 100,000 IoT devices and launch attacks peaking at 1.2 terabits per second. No formal arrests were publicly detailed as physical custody events, as the pleas followed voluntary cooperation and prior seizures of equipment; however, Jha faced additional scrutiny for standalone charges related to Rutgers disruptions. The identifications relied on high-confidence digital footprints rather than informant tips, underscoring the traceability of open-source releases in hacker communities.

Sentencing Outcomes and Cooperation

In December 2017, three individuals—Paras Jha, Josiah White, and Aaron Hutchins—pleaded guilty in the U.S. District Court for the District of to one count of to cause damage to protected computers, admitting their roles in developing and deploying the Mirai for DDoS attacks that disrupted services in 2016. On September 18, 2018, U.S. District Judge Timothy Burgess sentenced Jha, White, and Hutchins each to five years of probation, with no prison time imposed, citing their "substantial assistance" to federal authorities as a key under U.S. Sentencing Guidelines §5K1.1 for downward departures. The court also ordered each to pay $159,000 in restitution to victims, including infrastructure providers affected by the attacks, though enforcement of full damages exceeding $20 million was not pursued due to the defendants' limited assets and cooperative efforts. Jha faced additional penalties in a separate proceeding for deploying Mirai variants against in 2016, resulting in an October 26, 2018, sentencing by U.S. District Judge Susan D. Wigenton to six months of home incarceration, two years of supervised release, and $8.6 million in restitution to the university, reflecting the attack's estimated $8.6 million in damages from network disruptions. The leniency in the primary Mirai case stemmed from the trio's post-arrest cooperation with the FBI, including providing analysis, identifying vulnerabilities exploited by Mirai derivatives, and assisting in investigations of other cyber threats such as subsequent IoT botnets and DDoS-for-hire services. White, in particular, was directed to contribute technical expertise to training and operations, effectively transitioning from perpetrator to in disrupting ongoing campaigns.
This assistance was credited with aiding takedowns of Mirai variants and related threats, though critics noted the arrangement highlighted challenges in prosecuting juvenile offenders with high technical skills who could leverage cooperation for reduced accountability.

Impacts and Analyses

Effects on IoT Ecosystem

Mirai's exploitation of default or weak credentials on IoT devices, primarily via on ports 23 and 2323, exposed the systemic insecurity embedded in the design of many connected endpoints, such as IP cameras, digital video recorders (DVRs), routers, and printers. By scanning the for vulnerable targets and brute-forcing a list of approximately 62 common username-password pairs, the malware rapidly infected hundreds of thousands of devices, peaking at over 600,000 infections in late 2016. This demonstrated how manufacturers' prioritization of ease of deployment over robust authentication left the IoT ecosystem inherently susceptible to mass compromise, turning everyday consumer hardware into unwitting participants in large-scale disruptions. The botnet's operations compromised the integrity and availability of infected devices, often rendering them unresponsive to legitimate users while enabling for distributed denial-of-service (DDoS) attacks that reached intensities exceeding 1 Tbps. Beyond direct service interruptions, such as outages affecting 900,000 customers in November 2016 due to router exploits, Mirai highlighted privacy risks in surveillance-focused IoT hardware, where infected cameras could theoretically facilitate unauthorized surveillance or , though its primary focused on DDoS amplification. This eroded user confidence in the reliability of IoT networks, as compromised devices persisted in homes and businesses without easy detection or remediation, given the lack of user-facing update mechanisms. In the long term, the public release of Mirai's in November 2016 catalyzed a proliferation of variants, including Gafgyt, Moobot, and Echobot, which continue to target IoT devices through evolving tactics like exploiting new vulnerabilities (e.g., CVE-2018-4068) and incorporating features such as SOCKS5 proxies. 
These derivatives have sustained threats into the , with botnet operators selling access on underground markets and adapting to the projected expansion of the IoT ecosystem to 30.9 billion devices by 2025, amplifying the for DDoS, data theft, and potential intrusions into critical systems like smartwatches or medical devices. While Mirai underscored the need for updates and stronger defaults, the persistence of unpatched, long-lived IoT hardware—often neglected by users and manufacturers—has limited systemic reforms, allowing Mirai-inspired to remain a dominant vector in IoT compromises.

Security Reforms and Failures

The Mirai malware exploited fundamental security shortcomings in (IoT) devices, primarily weak or default credentials that allowed unauthorized access via or SSH protocols. Devices such as routers, cameras, and recorders often shipped with hardcoded usernames like "root" or "admin" paired with easily guessable or absent passwords, enabling Mirai's scanning mechanism to infect hundreds of thousands of devices rapidly. Lack of update mechanisms and insufficient further amplified vulnerabilities, as infected devices remained online without owner intervention or awareness. In response to Mirai's 2016 attacks, legislative efforts emerged to mandate baseline IoT security practices. The U.S. IoT Cybersecurity Improvement Act of 2020 required the National Institute of Standards and Technology (NIST) to establish guidelines for federal agencies procuring IoT devices, emphasizing unique default credentials, vulnerability disclosure, and secure update processes. State-level measures, such as California's Senate Bill 327 enacted in 2018, compelled manufacturers to equip connected devices with "reasonable" security features, including changeable defaults and data encryption, affecting an estimated 500 million devices annually. Industry initiatives followed, with organizations like the promoting voluntary certification programs for secure-by-design IoT ecosystems. However, implementation failures have undermined these reforms, as persistent vulnerabilities mirror those exploited by original Mirai strains. Many manufacturers continue deploying devices with predictable credentials or unpatched flaws due to cost pressures and fragmented global supply chains, allowing Mirai derivatives to infect via exploits like CVE-2020-5902 in routers as late as 2020. By 2023–2025, variants leveraged multiple IoT exploits for botnet propagation, with command injection flaws in devices like GeoVision cameras (CVE-2024-6047) demonstrating ongoing neglect of secure coding and timely patching. 
Enforcement gaps, including limited consumer awareness and regulatory scope confined to or specific markets, have sustained these risks, evidenced by CISA warnings on evolving threats.
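The two preceding sections ("Effects on IoT Ecosystem" and "Security Reforms and Failures") both come down to the same control: a device must not ship with, or be left on, a credential pair from the well-known factory-default dictionary, and an operator needs a way to find such devices in an inventory without probing them over the network. The following is an added example of that control, not code from the article, from any vendor's firmware, or from a regulation. The default-pair list is a constructed sample built around the pairs the article names ("root", "admin", "ubnt/ubnt"); the real dictionary is larger. The device inventory, severity scheme and policy thresholds are assumptions.

```python
"""Factory-default credential policy and offline inventory audit.

Added example for this page; not from the article, a vendor, or a regulation.
KNOWN_DEFAULT_PAIRS is a constructed sample, not the full botnet dictionary.
"""

# Constructed sample of factory-default (username, password) pairs.
KNOWN_DEFAULT_PAIRS = {
    ("root", "root"), ("root", "admin"), ("root", ""), ("root", "12345"),
    ("admin", "admin"), ("admin", ""), ("admin", "1234"), ("admin", "password"),
    ("ubnt", "ubnt"),
}

DEFAULT_PAIR_MSG = "matches a known factory-default pair"


def check_new_password(username: str, password: str, min_len: int = 12) -> list:
    """Policy applied when a device is provisioned or a password is changed.
    Returns a list of violations; an empty list means the password is acceptable."""
    problems = []
    if (username, password) in KNOWN_DEFAULT_PAIRS:
        problems.append(DEFAULT_PAIR_MSG)
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum((
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ))
    if classes < 3:
        problems.append("uses fewer than 3 character classes")
    return problems


def audit_inventory(devices: list) -> list:
    """Offline audit of an asset inventory (no network access to the devices).
    Each device record is assumed to carry the configured username/password,
    whether Telnet/SSH is reachable from untrusted networks, and whether the
    firmware has an update path. Severity is an assumed scheme:
      critical = default pair and remote login exposed
      high     = default pair, not exposed
      medium   = weak but not a default pair
      ok       = passes policy."""
    findings = []
    for d in devices:
        issues = check_new_password(d["username"], d["password"])
        is_default = DEFAULT_PAIR_MSG in issues
        if is_default and d["remote_login_exposed"]:
            severity = "critical"
        elif is_default:
            severity = "high"
        elif issues:
            severity = "medium"
        else:
            severity = "ok"
        findings.append({
            "id": d["id"],
            "severity": severity,
            "issues": issues,
            # A device with no update path cannot be fixed by patching alone;
            # it needs replacement or network isolation, so flag it explicitly.
            "no_update_path": not d["firmware_updatable"],
        })
    return findings


def sample_inventory() -> list:
    """Constructed inventory records for the audit."""
    return [
        {"id": "cam-01", "username": "admin", "password": "admin",
         "remote_login_exposed": True, "firmware_updatable": False},
        {"id": "dvr-02", "username": "root", "password": "",
         "remote_login_exposed": False, "firmware_updatable": True},
        {"id": "rtr-03", "username": "admin", "password": "Admin2016!",
         "remote_login_exposed": False, "firmware_updatable": True},
        {"id": "cam-04", "username": "admin", "password": "Vz7#pLq9!wR2m",
         "remote_login_exposed": False, "firmware_updatable": True},
    ]


if __name__ == "__main__":
    for f in audit_inventory(sample_inventory()):
        print(f["id"], f["severity"], f["issues"], "no update path" if f["no_update_path"] else "")
```

The same `check_new_password` function serves both uses: enforced at first boot it implements the "changeable, non-default credentials" requirement the reforms describe, and run over an inventory it finds the devices that would still fall to a dictionary of factory defaults. Because the audit reads configuration records rather than attempting logins, it can run against a full asset list without generating the Telnet traffic a scanner would.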

Debates on Causality and Responsibility

The massive scale of Mirai's , which peaked at infecting hundreds of thousands of IoT devices and enabling DDoS attacks exceeding 600 Gbps, has sparked debate over primary , with analysts attributing the rapid proliferation primarily to systemic vulnerabilities in IoT hardware rather than the malware's novelty. Mirai propagated by scanning the for devices using one of 68 hardcoded factory-default username-password combinations, such as "ubnt/ubnt" on gear, exploiting devices like network cameras from Foscam and DVRs that manufacturers shipped without mandatory unique credentials or robust update mechanisms. researchers argue that without this widespread failure to implement basic protections—like enforcing password changes during setup—the could not have achieved , as evidenced by post-infection reinfection rates remaining high even after device reboots unless owners intervened manually. A pivotal event amplifying debates was the public release of Mirai's on October 1, 2016, by its pseudonymous author "Anna-senpai" (later identified as Paras Jha), who claimed the leak stemmed from intensifying scrutiny on DDoS-for-hire operations and a desire to disrupt competitors in the underground "stresser" market. This dissemination democratized the , spawning variants that powered subsequent attacks, including the October 21, 2016, assault on DNS provider Dyn using fewer than 100,000 devices to disrupt access to over 175,000 websites. Critics contend the release shifted from isolated actors to a broader , as the open lowered barriers for script kiddies and foreign groups to replicate and evolve Mirai, exacerbating threats amid an estimated 6.4 billion connected devices in 2016 lacking inherent defenses. 
Responsibility debates center on apportioning fault between Mirai's teenage creators—Josiah White, Paras Jha, and Dalton Norman—who developed it for profit via DDoS services targeting gaming servers and rivals, and the IoT industry for enabling exploitation through cost-driven design choices. The hackers, motivated by thrill, peer respect, and revenue from "booter" services, faced legal accountability, pleading guilty in 2017 and receiving sentences including and restitution without prison time after cooperating with the FBI to dismantle related networks. However, experts and commentators emphasize manufacturers' outsized role, criticizing firms for prioritizing affordability over —such as hardcoding credentials to simplify production—prompting some like and to adopt unique password mandates post-Mirai. Users share secondary blame for neglecting updates or defaults, but causal analysis underscores that without industry-wide lapses, the malware's authors lacked the fertile ground for deployment, framing the incidents as a collective failure in supply-chain rather than solely individual malice.
