Malware analysis

Malware spotlight: Mirai

January 8, 2020 by Greg Belding


If you ask any number of information security experts about emerging platforms you will hear many answers, but the Internet of Things, or IoT, will be one of the top responses. Attackers are well aware of this and have taken a page from conventional hacking to introduce a new kind of malware that bears similarities to botnet attacks but applied to the world of IoT. 

This malware is called Mirai and it takes advantage of the unique vulnerabilities of IoT to create a network of proxy computers, able to take down targets as small as an individual’s webcam or as large as an entire country’s internet. 

This article will detail what Mirai is and will explore how it works, some real-world examples of this malware, and what can be done to minimize the chances of Mirai impacting your IoT devices.

What is Mirai?

Mirai is a malware that was created by Protraf, a company offering distributed denial-of-service (DDoS) mitigation services, in what has been called a classic case of racketeering. Protraf co-founders Paras Jha, Josiah White and Dalton Norman were responsible for infecting potential clients with Mirai, after which Protraf would arrive like a white knight and offer their services to the victims.

This malware enslaves IoT devices, including webcams, security cameras, digital video recorders, baby monitors, network routers, vehicles and other smart devices, turning them into an army of malicious zombie devices. The results can be devastating, even more so than traditional botnet attacks; coupled with the other unique characteristics of Mirai, it is clear to see that it stands apart as a new type of malware altogether. 

As more and more devices make the move to the realm of smart devices as experts predict, Mirai will become an even bigger threat.

Soon after Mirai first surfaced in August of 2016, the FBI began questioning Protraf’s co-founders about the malware. While they were eventually convicted and sentenced, the proverbial Pandora’s box had already been opened when the co-founders made the Mirai source code available online. Other attackers began creating Mirai copycats, causing extended collateral damage.

How does Mirai work?

Mirai takes advantage of the biggest underlying vulnerability of IoT devices — poor security. IoT devices traditionally have poor security because there is no interruption of service or cost associated with security breaches. This lack of incentive extends to end users, who tend to rely upon default username and password combinations as the only security measure. 

IoT devices are renown for having poor security, and antivirus solutions for these devices are still not widely used. Mirai has a feature that can disable antivirus, which accounts for the more security-minded of targeted IoT devices. 

Mirai’s targets

Mirai works by scanning the web for IoT devices running on the ARC processor. This offers easy pickings for Mirai because the stripped-down Linux version that ARC runs is where the login credentials are stored and indicates to attackers the high probability that default login credentials are used for the IoT device.

Since its inception in 2016, Mirai has undergone several mutations, allowing it to focus on particular smart devices that may be immune to Mirai’s original attack strategy. The latest of the Mirai mutations contains 18 new exploits focusing on specific products such as Belkin’s Wemo devices and LG Supersign smart TVs.

Mirai’s structure

The original version of Mirai was composed of two main components — the malware file and the command-and-control server (C2). This malware was designed to work with several different CPU architectures most used by IoT devices, including:

  • x86
  • Sparc
  • ARM
  • Motorola
  • PowerPC

After Mirai establishes a foothold on a device, it tries up to 60 different default login credentials that manufacturers are known to load IoT devices with. Once the infection has taken hold, Mirai uses several techniques to evade detection and obscure reverse-engineering attempts. When the malware is loaded into memory, it deletes itself from the compromised system’s disk. Before long, the compromised devices is an unwitting slave to attackers.

Real-world example

Since its discovery, Mirai has been responsible for enslaving hundreds of thousands of devices. This is no doubt due to Mirai variants based on the Mirai source code released in 2016. 

One of the most important instances of a Mirai cyberattack was in 2016, when it was used to seriously disrupt internet in the African country of Liberia. Attacker Daniel Kaye was arrested for his role in this attack and a UK court ended up sentencing him to two years in prison.

How to defend against Mirai

Defending against Mirai is complicated by the fact that sometimes the user has no control over device security, which is configured in the factory. 

For those that have access to security configuration, changing all default passwords is the best defense to this malware. Most of the other ways to defend against Mirai stem from having solid information security policies in place within an organization. Examples of these policies include ensuring that all organization IoT device interactions are authenticated and encrypted and restricting public internet access to IoT devices.


Mirai is an IoT malware that can turn devices into zombies, similar to a botnet. This malware infects IoT devices by using default login passwords to bypass the miniscule security that comes default out of the factory for most smart devices. The end result can be debilitating, as was experience in Liberia in 2016. 

However, by changing default IoT device passwords and implementing reasonable IoT information security policies, Mirai can be handily prevented.



  1. I Can’t Believe Mirais: Tracking the Infamous IoT Malware, SecurityIntelligence
  2. What is the Mirai Botnet?, CloudFlare
  3. Latest Mirai Malware Variant Contains 18 Exploits, Focuses on Embedded IoT Devices, SecurityIntelligence
  4. 2 Years for Hacker Who Crippled Liberia’s Internet with Mirai Botnet, PC Mag
Posted: January 8, 2020
Greg Belding
View Profile

Greg is a Veteran IT Professional working in the Healthcare field. He enjoys Information Security, creating Information Defensive Strategy, and writing – both as a Cybersecurity Blogger as well as for fun.