Industry Trends

IoT-based Linux/Mirai: Frequently Asked Questions

By Axelle Apvrille | October 31, 2016

Ever since the Mirai DDoS attack was launched a few weeks ago, we have received a number of questions that I will try to answer here. If you have more follow-up questions, please let me know!

Who is the Author of Mirai?

The presumed developer goes under the pseudonym of 'Anna Senpai' on Hackforums - an English-speaking hacker forum.

His/her account on the forum is recent (July 2016). and was probably created when he/she started working on Mirai. For example:

The account does not reveal any personal data, apart from that Anna Senpei poses as a clever person, well informed on cybercriminality.

His/her (actually, I'd vote for "he,” but that's a personal guess!) country of origin is unknown. The only possible hints are the following - but they could all be false leads:

  • Hack forum is an English speaking forum.
  • Mirai means 'Future' in Japanese and in Chinese.
  • Source code has references to Russian (could be copy/pasted)
  • His/her skype login indicates he/she lives in Australia.

Finally, note that "Anna Senpai" is very probably the developer of Mirai, but may not have been involved in all of the DoS attacks attributed to Mirai. Indeed, as the source code was publicly released on Sept 30, 2016, other individuals or cybercriminal groups may have downloaded and used it. Some will say this strategy is quite shrewd to complicate attribution. ;) On a positive note, inspection of the source code makes the malware easier to understand and detect. It may be viewed on several github repositories: herehere and here.

Who is Behind the Attacks?

The most recent attack on Dyn was claimed by a group known as New World Hackers in retaliation for Ecuador's rescinding Internet access to WikiLeaks founder Julian Assange, who has been granted asylum at their embassy in London. Two members of this group said they did it to "test power.” So far, this claim hasn't been backed up by other data.

For other attacks: see the first question. Attribution is more difficult because the source code is now public.

Is the Malware Advanced?

The source code does not implement any particular "exploit" and is therefore relatively easy to write. It is, however, quite well written, and the implementation of all types of floods requires some network programming knowledge.

Anyway, contrary to general belief, a malware need not be "advanced" to be efficient: the KISS principle (Keep It Simple, Stupid) works very well for malware...

List of Attacks Attributed to Linux/Mirai





Oct 21, 2016


1.2 Tbps?

Some of the attacks were coming from hosts infected with Mirai. Impacted Twitter, Amazon, Tumblr, Reddit, Spotify and Netflix. New World Hackergroup claimed responsibility. Size of botnet: 100,000.

Sept 22, 2016


1 Tbps

145,607 cameras and DVRs

Sept 13, 2016

620 Gbps

More info from host Akamai

Aug 17, 2016


280 Gbps

Size of the botnet: 49,657 unique IPs. Most from CCTV cameras, DVRs and routers.

What is the Relationship of Mirai With Kaiten, Gafgyt, Bashlite etc?

















Gayfgt, Bashlite


KTN-Remastered, KTN-RM



Propagation via IP scanning


Telnet (23)

On port 10073 or 23

SSH (22)

Telnet (23)


Password brute force



Yes, list provided by C&C




Implemented attacks

HTTP Flood

Send emails, UDP and TCP packets

DNS Hijacking


Various UDP, TCP floods

UDP, TCP, DNS, GRE floods

Kills competing processes (e.g other malware)







Botnet communication channel



Port 10073



Ports 23 and 101

After infection

FTP access



Transfers a downloader matching the infected device's architecture



Targeted devices

Infected Linux Mint ISO in 2016

Router, cameras

Linux based system, in particular, consumer routers

India, in particular ,Ubiquiti Air OS router

Linux-based systems

CCTV, DVR, router



DoS ?

Capture unencrypted cookies on social networks and perform illegitimate follows or likes




Notable keywords in the code







Largest botnet






140,000 (max. approx 300,000 according to Anna Senpai)

Note. This table might be incomplete. Also please report any errors.

How do we Know Linux/Mirai infects IoT?

We deduce this from two different points:

  1. The source code of Mirai tries to use a tool named dvrHelper, which is assumed to be found on Digital Video Recorders.
  2. In many cases, the list of credentials the malware brute forces is specific to some devices. For example, credentials root/vizxv is not particularly common, but it happens to match the default password for Dahua DVR-3104H. So we can reasonably assume the malware is trying to hack this device, among others.

Can Linux/Mirai Infect Non-IoT Devices?

Yes, it can. Mirai targets Unix systems using busybox whether they are IoT or not.

In Mirai, the part that is specific to IoT is the list of telnet credentials it tries to brute force. Some of those default credentials are specific to a given brand and model of IoT, and thus show Mirai targets it. On the other hand, however, some default credentials, such as admin/123456, are generic and would certainly apply to non-IoT hosts as well.

Most of the problem originates from using default passwords. Why can't the owners change them?

On several of those IoT devices, the password is hardcoded in the firmware, and the tools to change it are not provided.

How do we know a given DDoS comes from devices infected with Linux/Mirai and not from another malware?

Given the situation, there are several ways to check that the attack specifically comes from Mirai:

  1. Identify the type of flood performed, and based on this, deduce the name of the malware. For example, so far only Linux/Mirai implements GRE floods. So if that's what we see, it's probably a Linux/Mirai attack (or possibly a yet unknown malware...).
  2. Identify the attacking devices, and based on their brand, deduce if it is Linux/Mirai or some other malware.
  3. Inspect DNS packets: Mirai prefixes its DNS DoS with a pseudorandom 12-character subdomain.
  4. Capture some traffic from infected devices, and depending on command channels and ports, deduce the name of the malware. However, this is usually not easy to do from the network that is being DDoSed.

Do Fortinet Products Protect Against Linux/Mirai?

Yes, of course! Fortiguard researchers have developed both AV and IPS signatures to detect Mirai. It is reported as "Linux/Mirai.A!tr" at the AV level, and as "Mirai.Botnet" at the IPS level.

Some advice:

  • Be sure to put your device on a network secured by Fortinet products.
  • Reboot the device (this kills Mirai).
  • Check open ports for your device, and if possible close those you do not use.
  • Modify the default credentials!

Thanks to David Maciejak for his review and inputs.

-- the Crypto Girl