Botnet / Worm

Mirai

aka Mirai botnet · Katana · Mirai variants

A self-propagating IoT botnet that hijacks Linux-based devices using default credentials, powering some of the largest DDoS attacks ever recorded.

Mirai is an IoT botnet first observed in August 2016. It scans the internet for devices — routers, IP cameras, DVRs — exposed over Telnet, then logs in using a built-in table of default credentials. Compromised devices join a botnet used primarily for distributed denial-of-service (DDoS) attacks.

Record-breaking attacks

  • September 2016 — A ~620 Gbps attack against security journalist Brian Krebs.
  • October 2016 — The attack on DNS provider Dyn disrupted Twitter, Reddit, Netflix and others across the US.

These incidents are profiled on Cyber Breaches.

Open-source legacy

After the original author published the source code in late 2016, Mirai fragmented into hundreds of variants (Okiru, Satori, Masuta, Katana…). The public source makes it a popular teaching sample — a guided code read lives on the Reverse Engineering Hub.

Defense

Change default device credentials, disable Telnet/SSH exposure to the internet, and segment IoT devices. Network detection focuses on Telnet brute forcing and the distinctive scanning behaviour.
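As an added defender-side illustration (not code from this page or from any named project), the two detection heuristics just mentioned applied to a constructed, simplified flow/auth log: the log format, thresholds and addresses are all assumptions.

```python
# Added example: flag Mirai-style Telnet scanning and credential brute forcing
# in a constructed, simplified flow/auth log. Format, thresholds and
# addresses are assumptions, not real data.
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # Telnet ports the text says Mirai probes

def parse(lines):
    """Each constructed line: '<src> <dst> <dport> <outcome>' where outcome is
    syn (connection attempt), fail (login rejected) or ok (login accepted)."""
    for line in lines:
        src, dst, dport, outcome = line.split()
        yield src, dst, int(dport), outcome

def find_scanners(records, min_targets=20):
    """Sources touching many distinct hosts on Telnet ports: a scanner sprays
    connection attempts across address space, a legitimate client does not."""
    targets = defaultdict(set)
    for src, dst, dport, _ in records:
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return sorted(s for s, t in targets.items() if len(t) >= min_targets)

def find_brute_forcers(records, min_failures=5):
    """Source/host pairs with repeated rejected Telnet logins: walking a
    table of default credentials leaves a run of failures before a success."""
    failures = defaultdict(int)
    for src, dst, dport, outcome in records:
        if dport in TELNET_PORTS and outcome == "fail":
            failures[(src, dst)] += 1
    return {pair: n for pair, n in failures.items() if n >= min_failures}

# Constructed sample log: one scanner, one brute forcer, one normal admin login.
SAMPLE_LOG = (
    [f"198.51.100.9 203.0.113.{i} 23 syn" for i in range(1, 31)]   # 30 hosts probed
    + ["198.51.100.20 203.0.113.50 2323 fail"] * 7                  # 7 rejected logins
    + ["198.51.100.20 203.0.113.50 2323 ok"]                        # ...then one accepted
    + ["192.0.2.10 203.0.113.60 23 ok"]                             # single admin login
)

def analyse(lines=SAMPLE_LOG):
    """Run both heuristics over the log and return what each flagged."""
    records = list(parse(lines))
    return {"scanners": find_scanners(records),
            "brute_forcers": find_brute_forcers(records)}

if __name__ == "__main__":
    print(analyse())
```

Real deployments would key the same counters on a time window and feed them from NetFlow or Telnet-honeypot events rather than a flat list.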