Family: mirai | Confidence: high | Tags: iot, botnet, ddos, arm, mips, dropper, c2

Mirai

Mirai is an IoT-targeting botnet malware family that compromises networked devices by brute-forcing default credentials or using exploits, then installs a lightweight agent that accepts C2 commands to launch DDoS attacks. First observed in August 2016, it has spawned many forks and variants (Satori, Okiru, etc.).

Capabilities

  • credential-brute-force-telnet-ssh — brute-forces default credentials on TCP/23 and TCP/22.
  • arm-mips-x86-cross-compiled-dropper — distributed as statically linked ELF binaries for multiple architectures.
  • http-post-c2-beacon — phones home via HTTP POST to /api/upload or similar endpoints.
  • raw-socket-ddos-flooder — constructs raw IP packets for TCP SYN flood, UDP flood, GRE flood, and HTTP abuse attacks.
  • dropbear-impersonation — installs a fake or modified Dropbear SSH daemon to maintain backdoor access and prevent reinfection.
  • tmpfs-ram-resident — typically runs from /tmp/ or /dev/shm/ with no persistent disk write.
  • singleton-lock-file — uses .lock files (/tmp/.dropbear.lock, /var/run/.dropbear.lock) to prevent multiple instances.
  • thread-pool-spawn — spawns large thread pools (24 or more threads) per attack module for throughput.
  • self-update-via-temp-file — writes updated payload to /tmp/.dropbear_upd.XXXXXX before replacing the running binary.
  • anti-analysis-minimal — relies on stripping and static linking; no debugger checks or VM detection.
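The host artifacts listed above (lock files, the self-update temp file, tmpfs-resident binaries, a Dropbear look-alike) can be turned into a simple host check. This is an added defender-side example, not code from the original page; the legitimate Dropbear install paths, the six-character mkstemp-style suffix pattern, and the sample inventory are assumptions.

```python
import re
from dataclasses import dataclass

# Indicators taken from the capability list: singleton lock files and the
# self-update temp file. The XXXXXX template is assumed to expand to six
# alphanumeric characters (mkstemp-style).
LOCK_FILES = {"/tmp/.dropbear.lock", "/var/run/.dropbear.lock"}
UPDATE_TMP_RE = re.compile(r"^/tmp/\.dropbear_upd\.[A-Za-z0-9]{6}$")
RAM_DIRS = ("/tmp/", "/dev/shm/")
# Assumed package-installed locations of a genuine Dropbear binary.
LEGIT_DROPBEAR = {"/usr/sbin/dropbear", "/usr/bin/dropbear", "/sbin/dropbear"}


@dataclass
class Process:
    pid: int
    comm: str  # process name as shown in /proc/<pid>/comm
    exe: str   # resolved target of /proc/<pid>/exe


def scan_paths(paths):
    """Flag file-system paths that match the lock-file or update-file indicators."""
    findings = []
    for p in paths:
        if p in LOCK_FILES:
            findings.append((p, "singleton-lock-file"))
        elif UPDATE_TMP_RE.match(p):
            findings.append((p, "self-update-via-temp-file"))
    return findings


def scan_processes(procs):
    """Flag processes running from RAM-backed dirs or impersonating Dropbear."""
    findings = []
    for pr in procs:
        if pr.exe.startswith(RAM_DIRS):
            findings.append((pr.pid, "tmpfs-ram-resident"))
        if pr.comm == "dropbear" and pr.exe not in LEGIT_DROPBEAR:
            findings.append((pr.pid, "dropbear-impersonation"))
    return findings


# Constructed sample inventory: one genuine dropbear, one look-alike in
# /dev/shm, a hidden /tmp binary, and an update file with a wrong suffix length.
SAMPLE_PATHS = ["/tmp/.dropbear.lock", "/tmp/.dropbear_upd.Ab12xZ",
                "/tmp/.dropbear_upd.tooLong1", "/var/lock/cron.lock"]
SAMPLE_PROCS = [Process(1, "init", "/sbin/init"),
                Process(412, "dropbear", "/usr/sbin/dropbear"),
                Process(987, "dropbear", "/dev/shm/dropbear"),
                Process(988, ".x", "/tmp/.x")]

if __name__ == "__main__":
    print(scan_paths(SAMPLE_PATHS))
    print(scan_processes(SAMPLE_PROCS))
```

On a real host the same functions can be fed the output of a directory walk and a /proc enumeration; only the genuine Dropbear process (pid 412) and the non-matching paths stay silent.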

Notable Variants

  • Original Mirai (2016): source code leaked, leading to dozens of forks.
  • Satori: added exploits (SOAP/UDP, Huawei routers).
  • Okiru: targets ARC-based IoT devices.
  • This sample (ebceb9dbc06f) is an ARM32 variant with a C2 at nova.podril1ak2.online and raw-socket flood modules.

References

  • ebceb9dbc06f — ARMv5LE dropper with Dropbear impersonation, HTTP POST C2, and raw-socket DDoS modules.