Mirai (malware)
{{Short description|Malware for Linux used in DDoS attacks}}
{{Infobox software
| name = Mirai
| logo =
| screenshot =
| caption =
| collapsible =
| author = Paras Jha, Josiah White and Dalton Norman
| developer =
| released =
| latest release version =
| latest release date =
| latest preview version =
| latest preview date =
| frequently updated =
| programming language = C (agent), Go (controller)
| operating system = Linux
| platform =
| size =
| language =
| status =
| genre = Botnet
| license = GNU General Public License v3.0
}}
Mirai (from the Japanese word for "future", 未来) is malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers.{{cite web | url=https://techcrunch.com/2016/10/10/hackers-release-source-code-for-a-powerful-ddos-app-called-mirai/ | title=Hackers release source code for a powerful DDoS app called Mirai | publisher=TechCrunch | date=Oct 10, 2016 | access-date=19 October 2016 | author=Biggs, John | archive-url=https://web.archive.org/web/20161020105628/https://techcrunch.com/2016/10/10/hackers-release-source-code-for-a-powerful-ddos-app-called-mirai/ | archive-date=20 October 2016 | url-status=live }} The Mirai botnet was first found in August 2016{{cite web | url=https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet | title=Mirai Botnet | publisher=The New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) | date=December 28, 2016 | access-date=28 December 2016 | author=njccic | archive-url=https://web.archive.org/web/20161212084605/https://www.cyber.nj.gov/threat-profiles/botnet-variants/mirai-botnet | archive-date=12 December 2016 | url-status=dead }} by MalwareMustDie,{{cite web | url=http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html | title=MMD-0056-2016 - Linux/Mirai, how an old ELF malcode is recycled | publisher=MalwareMustDie | date=August 31, 2016 | access-date=31 August 2016 | author=unixfreaxjp | archive-url=https://web.archive.org/web/20160905023500/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html | archive-date=5 September 2016 | url-status=dead }} a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016{{cite web | 
url=https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ | title=KrebsOnSecurity Hit With Record DDoS | publisher=Brian Krebs | date=September 21, 2016 | access-date=17 November 2016 | author=Krebs, Brian | archive-url=https://web.archive.org/web/20161115112659/https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/ | archive-date=15 November 2016 | url-status=dead }} on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 DDoS attacks on Dyn.{{cite web | url=http://fortune.com/2016/10/03/botnet-code-ddos-hacker/ | title=Why a Hacker Dumped Code Behind Colossal Website-Trampling Botnet | publisher=Fortune.com | date=October 3, 2016 | access-date=19 October 2016 | author=Hackett, Robert | archive-url=https://web.archive.org/web/20161022172232/http://fortune.com/2016/10/03/botnet-code-ddos-hacker/ | archive-date=22 October 2016 | url-status=live }}{{Cite news|url=https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/|title=What We Know About Friday's Massive East Coast Internet Outage|last=Newman|first=Lily Hay|newspaper=WIRED|language=en-US|access-date=2016-10-21|archive-url=https://web.archive.org/web/20161022013504/https://www.wired.com/2016/10/internet-outage-ddos-dns-dyn/|archive-date=2016-10-22|url-status=live}} According to a chat log between Anna-senpai (the malware's original author) and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.{{cite web|last1=Krebs|first1=Brian|title=Who is Anna-Senpai, the Mirai Worm Author?|url=https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/|website=Krebs on Security|access-date=25 January 2017|archive-url=https://web.archive.org/web/20170122013744/https://krebsonsecurity.com/2017/01/who-is-anna-senpai-the-mirai-worm-author/|archive-date=22 January 2017|url-status=dead}}
The software was initially used by the creators to DDoS Minecraft servers and companies offering DDoS protection to Minecraft servers, with the authors using Mirai to operate a protection racket.{{Cite news|title=The Mirai Botnet Was Part of a College Student Minecraft Scheme|language=en-us|magazine=Wired|url=https://www.wired.com/story/mirai-botnet-minecraft-scam-brought-down-the-internet/|access-date=2020-10-19|issn=1059-1028}} The source code for Mirai was subsequently published on Hack Forums as open-source.{{cite web | url = https://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained | title = How an army of vulnerable gadgets took down the web today | first = Nick | last = Statt | date = October 21, 2016 | access-date = October 21, 2016 | work = The Verge | archive-url = https://web.archive.org/web/20161116151137/http://www.theverge.com/2016/10/21/13362354/dyn-dns-ddos-attack-cause-outage-status-explained | archive-date = November 16, 2016 | url-status = live }} Since the source code was published, the techniques have been adapted in other malware projects.{{cite web | url=http://www.itworld.com/article/3132570/hackers-create-more-iot-botnets-with-mirai-source-code.html | title=Hackers create more IoT botnets with Mirai source code | publisher=ITWORLD | date=October 18, 2016 | access-date=20 October 2016 | author=Kan, Michael | archive-url=https://web.archive.org/web/20161020025537/http://www.itworld.com/article/3132570/hackers-create-more-iot-botnets-with-mirai-source-code.html | archive-date=20 October 2016 | url-status=live }}{{Cite web |url=https://research.checkpoint.com/iotroop-botnet-full-investigation/ |title=IoTroop Botnet: The Full Investigation - Check Point Research |date=29 October 2017 |access-date=2018-01-14 |archive-url=https://web.archive.org/web/20180115071638/https://research.checkpoint.com/iotroop-botnet-full-investigation/ |archive-date=2018-01-15 |url-status=live }}
Malware
{{Cleanup section|reason=Information on Mirai successors is somewhat cluttered and could be moved to its own section|date=August 2024}}
Devices infected by Mirai continuously scan the internet for the IP addresses of other Internet of things (IoT) devices to infect. Mirai includes a hard-coded table of IP address ranges that it will not scan or infect, including private networks and address blocks allocated to the United States Postal Service and the Department of Defense.{{cite web | url=https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html | title=Breaking Down Mirai: An IoT DDoS Botnet Analysis | publisher=Incapsula | date=October 10, 2016 | access-date=20 October 2016 | author=Zeifman, Igal | author2=Bekerman, Dima | author3=Herzberg, Ben | archive-url=https://web.archive.org/web/20161021075900/https://www.incapsula.com/blog/malware-analysis-mirai-ddos-botnet.html | archive-date=21 October 2016 | url-status=live }}
Mirai then identifies vulnerable IoT devices using a table of more than 60 common factory-default username and password pairs, and logs into them to infect them.{{cite web | url=https://securityintelligence.com/news/leaked-mirai-malware-boosts-iot-insecurity-threat-level/ | title=Leaked Mirai Malware Boosts IoT Insecurity Threat Level | publisher=securityintelligence.com | date=October 4, 2016 | access-date=20 October 2016 | author=Bonderud, Douglas | archive-url=https://web.archive.org/web/20161021003956/https://securityintelligence.com/news/leaked-mirai-malware-boosts-iot-insecurity-threat-level/ | archive-date=21 October 2016 | url-status=dead }}{{cite web | url=https://www.zdnet.com/article/mirai-ddos-botnet-powers-up-infects-sierra-wireless-gateways/ | title=Mirai DDoS botnet powers up, infects Sierra Wireless gateways | publisher=ZDNet | date=October 17, 2016 | access-date=20 October 2016 | author=Osborne, Charlie | archive-url=https://web.archive.org/web/20161020045727/http://www.zdnet.com/article/mirai-ddos-botnet-powers-up-infects-sierra-wireless-gateways/ | archive-date=20 October 2016 | url-status=live }} Infected devices continue to function normally apart from occasional sluggishness and increased bandwidth use. Because the bot runs only in memory, a device remains infected until it is rebooted, which may mean simply turning it off and, after a short wait, back on.
After a reboot, unless the login password is changed immediately, the device will be reinfected within minutes.{{cite web | url=https://www.webroot.com/blog/2016/10/10/source-code-mirai-iot-malware-released/ | title=Source Code for Mirai IoT Malware Released | publisher=Webroot | date=October 10, 2016 | access-date=20 October 2016 | author=Moffitt, Tyler | archive-url=https://web.archive.org/web/20161021064505/https://www.webroot.com/blog/2016/10/10/source-code-mirai-iot-malware-released/ | archive-date=21 October 2016 | url-status=live }} Upon infection, Mirai identifies any "competing" malware, removes it from memory, and blocks remote administration ports such as telnet so that rival malware cannot use the same route in.{{cite web | url=https://servercomparator.com/vpn/blog/dyn-mirai-ddos-complete-story | title=DDoS on Dyn The Complete Story | publisher=ServerComparator | date=October 28, 2016 | access-date=21 November 2016 | author=Xander | url-status=dead | archive-url=https://web.archive.org/web/20161121175123/https://servercomparator.com/vpn/blog/dyn-mirai-ddos-complete-story | archive-date=21 November 2016 }}
Victims are identified by "first entering a rapid scanning phase where it asynchronously and 'statelessly' sent TCP SYN probes to pseudo-random IPv4 addresses, excluding those in a hard-coded IP blacklist, on telnet TCP ports 23 and 2323".{{cite conference |author=Antonakakis, M. |display-authors=etal |title=Understanding the Mirai Botnet |conference=26th USENIX Security Symposium (USENIX Security 2017) |year=2017}} If a device responds to the probe, the bot enters a brute-force login phase, attempting a telnet login with username and password pairs drawn from its credential list; most of these pairs are vendor factory defaults. If a login succeeds, the victim's IP address and the working credential pair are sent to a collection ("report") server, and a separate loader component then delivers the bot binary to the device.
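The scanning phase described above is visible from the network side, and a network defender can catch it without any knowledge of the credential list. The following is an added example written for this article (not code from Mirai, from the cited USENIX paper, or from any project named on this page): it parses constructed `tcpdump -nn -S` style lines and flags every source that sends bare SYNs to ports 23 or 2323 across many distinct destinations, which is what a stateless pseudo-random scan looks like. The threshold, the sample addresses and the choice of tcpdump text over a pcap are assumptions for illustration; the extra check that the TCP sequence number equals the destination address is a Mirai fingerprint documented in the cited Antonakakis et al. paper, not in the article text.

```python
"""Detect Mirai-style stateless telnet scanning in tcpdump-style packet logs.

Added example for this article; not code from Mirai or from any cited analysis.
The log lines are constructed. The `tcpdump -nn -S` line format they imitate
is real (-S prints absolute sequence numbers). Thresholds are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}   # the two ports Mirai's scanner probes (from the article)
MIN_DISTINCT_TARGETS = 5    # assumed: distinct hosts hit before we call it "scanning"

# Matches lines such as:
# 12:00:01.000001 IP 203.0.113.5.40000 > 198.51.100.22.23: Flags [S], seq 3325256726, win 5840
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\], seq (?P<seq>\d+)"
)

# Constructed sample: one scanner (203.0.113.5), one legitimate admin session,
# one web connection. Scanner probes 4 and 6 carry seq == destination address.
SAMPLE_LOG = [
    "12:00:01.000001 IP 203.0.113.5.40000 > 198.51.100.22.23: Flags [S], seq 3325256726, win 5840",
    "12:00:01.000002 IP 203.0.113.5.40000 > 198.51.100.23.2323: Flags [S], seq 3325256727, win 5840",
    "12:00:01.000003 IP 203.0.113.5.40000 > 198.51.100.40.23: Flags [S], seq 3325256744, win 5840",
    "12:00:01.000004 IP 203.0.113.5.40000 > 203.0.113.77.23: Flags [S], seq 3405803853, win 5840",
    "12:00:01.000005 IP 203.0.113.5.40000 > 192.0.2.200.2323: Flags [S], seq 12345, win 5840",
    "12:00:01.000006 IP 203.0.113.5.40000 > 198.51.100.9.23: Flags [S], seq 3325256713, win 5840",
    "12:00:02.000001 IP 192.0.2.10.51000 > 192.0.2.1.23: Flags [S], seq 2814257821, win 64240",
    "12:00:02.000002 IP 192.0.2.1.23 > 192.0.2.10.51000: Flags [S.], seq 91522001, ack 2814257822, win 65535",
    "12:00:02.000003 IP 192.0.2.10.51000 > 192.0.2.1.23: Flags [.], ack 1, win 502",
    "12:00:03.000001 IP 192.0.2.10.51001 > 198.51.100.80.80: Flags [S], seq 1122334455, win 64240",
]


def parse_line(line):
    """Return src, dst, dport, flags and seq for a TCP line carrying a seq number, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"src": m["src"], "dst": m["dst"], "dport": int(m["dport"]),
            "flags": m["flags"], "seq": int(m["seq"])}


def seq_equals_destination(pkt):
    """Mirai's scanner set the TCP sequence number to the destination IP (per the
    cited Antonakakis et al. paper). A random ISN makes this match by chance ~1 in 2^32."""
    return pkt["seq"] == int(ipaddress.IPv4Address(pkt["dst"]))


def detect_telnet_scanners(lines, min_targets=MIN_DISTINCT_TARGETS):
    """Group pure-SYN probes to telnet ports by source address and report sources that
    touched at least `min_targets` distinct destinations.

    Returns {src: {"targets": n, "probes": n, "fingerprint_hits": n}}; a high
    fingerprint_hits/probes ratio points at Mirai itself rather than a generic scanner.
    """
    stats = defaultdict(lambda: {"targets": set(), "probes": 0, "fingerprint_hits": 0})
    for line in lines:
        pkt = parse_line(line)
        # Only bare SYNs to 23/2323 count; SYN-ACKs and established traffic are ignored.
        if pkt is None or pkt["dport"] not in TELNET_PORTS or pkt["flags"] != "S":
            continue
        s = stats[pkt["src"]]
        s["targets"].add(pkt["dst"])
        s["probes"] += 1
        if seq_equals_destination(pkt):
            s["fingerprint_hits"] += 1
    return {
        src: {"targets": len(s["targets"]), "probes": s["probes"],
              "fingerprint_hits": s["fingerprint_hits"]}
        for src, s in stats.items()
        if len(s["targets"]) >= min_targets
    }


if __name__ == "__main__":
    for src, info in detect_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {info['targets']} targets, {info['probes']} SYNs, "
              f"{info['fingerprint_hits']} with seq == destination")
```

On a real capture, feed it `tcpdump -nn -S -l 'tcp[tcpflags] == tcp-syn and (dst port 23 or dst port 2323)'` and set the threshold from a baseline of how many telnet hosts a legitimate client ever talks to; a single administration session, as in the sample, never trips it.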
A large number of IoT devices are deployed and left with default settings, which makes them vulnerable to infection. Once infected, a device connects to a command and control (C2) server and waits for instructions naming the target of an attack. Spreading an attack across a very large number of devices defeats anti-DoS defences that watch the source IP address of incoming requests and filter or block an address showing an abnormal pattern, for example too many requests from a single IP: each bot stays under the per-address threshold while the aggregate overwhelms the target. It also lets the perpetrator marshal far more bandwidth than they could assemble alone, and makes the attack harder to trace.
The arrests of the original operators did not end Mirai as a threat to IoT devices.{{Citation needed|date=April 2018}} Some{{Who|date=August 2024}} believe that other actors are using the source code published on GitHub to evolve Mirai into new variants, and they{{Who|date=August 2024}} speculate that the goal is to extend the botnet to many more IoT devices. The variants reported since are described below.
=Variants=
On 12 December 2017, researchers identified a variant of Mirai that exploited a then-unpatched (zero-day) flaw in Huawei HG532 routers to accelerate infection,{{cite web | url=https://arstechnica.com/information-technology/2017/12/100000-strong-botnet-built-on-router-0-day-could-strike-at-any-time/ | title=100,000-strong botnet built on router 0-day could strike at any time | publisher=Ars Technica | date=December 12, 2017 | access-date=February 4, 2018 | author=Dan Goodin | archive-url=https://web.archive.org/web/20180207005238/https://arstechnica.com/information-technology/2017/12/100000-strong-botnet-built-on-router-0-day-could-strike-at-any-time/ | archive-date=February 7, 2018 | url-status=live }} using two SOAP-related exploits against router web interfaces, CVE-2014-8361 and CVE-2017-17215. This Mirai version is called "Satori".
On 14 January 2018, a new variant of Mirai dubbed "Okiru" (Japanese for "get up"), which already targeted popular embedded processors such as ARM, MIPS, x86 and PowerPC{{cite web|title=IoT Botnet: More Targets in Okiru's Cross-hairs|url=https://www.fortinet.com/blog/threat-research/iot-botnet-more-targets-in-okirus-cross-hairs.html|website=Fortinet|date=25 January 2018 |access-date=18 April 2018|archive-url=https://web.archive.org/web/20180723122812/https://www.fortinet.com/blog/threat-research/iot-botnet-more-targets-in-okirus-cross-hairs.html|archive-date=23 July 2018|url-status=live}} among others, was found for the first time targeting Linux devices based on ARC processors.{{cite web|url=https://www.theregister.co.uk/2018/01/16/arc_iot_botnet_malware/|title=New Mirai botnet species 'Okiru' hunts for ARC-based kit|author=Leyden, John|date=January 16, 2018|publisher=www.theregister.co.uk|access-date=February 4, 2018|archive-url=https://web.archive.org/web/20180116161657/https://www.theregister.co.uk/2018/01/16/arc_iot_botnet_malware/|archive-date=January 16, 2018|url-status=live}} The Argonaut RISC Core (ARC) is the second-most-popular embedded 32-bit processor, shipped in more than 1.5 billion products per year, including desktop computers, servers, radios, cameras, mobile devices, utility meters, televisions, flash drives, automotive and networking devices (smart hubs, TV modems, routers, Wi-Fi) and Internet of Things devices. Only a relatively small number of ARC-based devices run Linux and are therefore exposed to Mirai.
On 18 January 2018, a successor of Mirai was reported to have been designed to hijack cryptocurrency mining operations.{{cite web | url=http://www.computerweekly.com/news/450433414/Next-gen-Mirai-botnet-targets-cryptocurrency-mining-operations | title=Next-gen Mirai botnet targets cryptocurrency mining operations | publisher=Computer Weekly | date=January 18, 2018 | access-date=February 4, 2018 | author=Warwick Ashford | archive-url=https://web.archive.org/web/20180207005141/http://www.computerweekly.com/news/450433414/Next-gen-Mirai-botnet-targets-cryptocurrency-mining-operations | archive-date=February 7, 2018 | url-status=live }}
On 26 January 2018, two similar Mirai variant botnets were reported. The more heavily modified one weaponizes a D-Link router exploit (Exploit-DB 38722) to enlist further vulnerable IoT devices: a flaw in the routers' Home Network Administration Protocol (HNAP) interface lets a crafted request bypass authentication and achieve arbitrary remote code execution. The less modified version is called "Masuta" (after the Japanese transliteration of "master"), the more modified one "PureMasuta".{{cite web | url=https://www.scmagazineuk.com/satori-creator-linked-with-new-mirai-variant-masuta/article/739714/ | title=Satori creator linked with new Mirai variant Masuta | publisher=SC Media UK | date=January 26, 2018 | access-date=February 4, 2018 | author=Rene Millman | archive-url=https://web.archive.org/web/20180207005039/https://www.scmagazineuk.com/satori-creator-linked-with-new-mirai-variant-masuta/article/739714/ | archive-date=February 7, 2018 | url-status=live }}
In late February 2018, a new variant of Mirai, dubbed "OMG", surfaced with added configuration that turns vulnerable IoT devices into proxy servers. It inserts firewall rules allowing traffic to the HTTP and SOCKS proxy ports it generates, then starts 3proxy, open-source proxy software available from a Russian website, on those ports.{{cite web | url=https://www.bleepingcomputer.com/news/security/new-mirai-variant-focuses-on-turning-iot-devices-into-proxy-servers/ | title=New Mirai Variant Focuses on Turning IoT Devices into Proxy Servers | publisher=Bleeping Computer | date=February 27, 2018 | access-date=February 27, 2018 | author=Catalin Cimpanu | archive-url=https://web.archive.org/web/20180227082822/https://www.bleepingcomputer.com/news/security/new-mirai-variant-focuses-on-turning-iot-devices-into-proxy-servers/ | archive-date=February 27, 2018 | url-status=live }}
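The OMG behaviour just described leaves two host-side traces: new listening sockets and new firewall ACCEPT rules that were not in the device's shipped configuration. The following is an added example written for this article (not code from OMG, 3proxy, or any cited analysis): it parses constructed `ss -Hlntp` and `iptables -S INPUT` output and reports listeners and accept rules that are absent from a known-good baseline, with a separate list for the worst case where both coincide, a fresh listener that the firewall has been opened for. The baseline port set, the process name "3proxy", and the two proxy ports are assumptions; OMG generated its ports at runtime, so a real check must compare against the device's own baseline rather than fixed numbers.

```python
"""Audit an IoT device for unexpected proxy listeners and firewall openings.

Added example for this article; not code from OMG, 3proxy or any cited analysis.
The ss and iptables text below is constructed; the output formats of
`ss -Hlntp` (no header, TCP listeners with owning process) and `iptables -S INPUT`
are real. Baseline ports and process names are assumptions for a camera-class device.
"""
import re

BASELINE_LISTEN_PORTS = {80, 554}   # assumed: web UI and RTSP are the only intended services
BASELINE_ACCEPT_PORTS = {80, 554}   # assumed: the only --dport ACCEPT rules in the shipped ruleset

# LISTEN Recv-Q Send-Q Local:Port Peer:Port [users:(("name",pid=N,fd=N))]
SS_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r"(?:\s+users:\(\((?P<proc>.*)\)\))?$"
)
# iptables -S prints one rule per line, e.g. -A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
IPT_RE = re.compile(r"^-A (?P<chain>\S+) .*--dport (?P<port>\d+) .*-j (?P<target>\S+)$")

# Constructed sample: the two legitimate services plus two 3proxy listeners on
# assumed runtime-generated ports, each with a matching ACCEPT rule added.
SS_SAMPLE = """LISTEN 0 128 0.0.0.0:80 0.0.0.0:* users:(("httpd",pid=412,fd=3))
LISTEN 0 5 0.0.0.0:554 0.0.0.0:* users:(("rtspd",pid=430,fd=5))
LISTEN 0 128 0.0.0.0:17432 0.0.0.0:* users:(("3proxy",pid=2291,fd=4))
LISTEN 0 128 0.0.0.0:51209 0.0.0.0:* users:(("3proxy",pid=2291,fd=5))"""

IPT_SAMPLE = """-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 554 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 17432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 51209 -j ACCEPT"""


def parse_listeners(ss_output):
    """Return {port: process_name} from `ss -Hlntp` text; process is None when not shown."""
    listeners = {}
    for line in ss_output.splitlines():
        m = SS_RE.match(line)
        if not m:
            continue
        proc = None
        if m["proc"]:
            name = re.match(r'"([^"]+)"', m["proc"])   # first quoted token is the command name
            proc = name.group(1) if name else None
        listeners[int(m["port"])] = proc
    return listeners


def parse_accept_rules(ipt_output, chain="INPUT"):
    """Return the set of destination ports with an ACCEPT rule in `chain` from `iptables -S` text."""
    ports = set()
    for line in ipt_output.splitlines():
        m = IPT_RE.match(line)
        if m and m["chain"] == chain and m["target"] == "ACCEPT":
            ports.add(int(m["port"]))
    return ports


def audit(ss_output, ipt_output,
          baseline_listen=BASELINE_LISTEN_PORTS, baseline_accept=BASELINE_ACCEPT_PORTS):
    """Compare live state against the baseline.

    exposed_new_services lists unexpected listeners that also have an unexpected
    ACCEPT rule: a service that was both started and deliberately made reachable.
    """
    listeners = parse_listeners(ss_output)
    accepted = parse_accept_rules(ipt_output)
    unexpected_listeners = sorted((p, listeners[p]) for p in listeners if p not in baseline_listen)
    unexpected_accepts = sorted(accepted - baseline_accept)
    exposed = sorted(p for p, _ in unexpected_listeners if p in accepted and p not in baseline_accept)
    return {"unexpected_listeners": unexpected_listeners,
            "unexpected_accepts": unexpected_accepts,
            "exposed_new_services": exposed}


if __name__ == "__main__":
    for key, value in audit(SS_SAMPLE, IPT_SAMPLE).items():
        print(f"{key}: {value}")
```

Run the two commands as root (without it `ss` omits the owning process) and pass their output to `audit`; any entry in `exposed_new_services` on a device that should never serve anything new is worth treating as a compromise until explained. Because the bot is memory-resident, also take the snapshot before rebooting, or the evidence is gone.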
In May 2018, another variant of Mirai, dubbed "Wicked", emerged with configuration for at least three additional exploits, including ones affecting Netgear routers and CCTV DVRs. Wicked scans ports 8080, 8443, 80 and 81 and tries to locate vulnerable, unpatched IoT devices listening on them. Researchers suspect that the same author created the Wicked, Sora, Owari and Omni botnets.{{cite web | url=https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html | title=A Wicked Family of Bots | publisher=Fortinet | date=May 17, 2018 | access-date=May 17, 2018 | author=Rommel Joven and Kenny Yang | archive-url=https://web.archive.org/web/20180523095410/https://www.fortinet.com/blog/threat-research/a-wicked-family-of-bots.html | archive-date=May 23, 2018 | url-status=live }}{{cite web | url=https://threatpost.com/wicked-botnet-uses-passel-of-exploits-to-target-iot/132125/ | title=Wicked Botnet Uses Passel of Exploits to Target IoT | publisher=Threat Post | date=May 21, 2018 | access-date=May 21, 2018 | author=Tara Seals | archive-url=https://web.archive.org/web/20180521191716/https://threatpost.com/wicked-botnet-uses-passel-of-exploits-to-target-iot/132125/ | archive-date=May 21, 2018 | url-status=live }}
In early July 2018 it was reported that at least thirteen versions of Mirai had been detected actively infecting Linux IoT devices on the internet, three of which targeted specific vulnerabilities with proof-of-concept exploits instead of brute-forcing default credentials.{{cite web | url=https://imgur.com/a/53f29O9 | title=Mirai mirai on the wall.. how many are you now? | publisher=Imgur | date=July 7, 2018 | access-date=July 7, 2018 | author=Malwaremustdie/Unixfreaxjp }} In the same month a report described a Mirai-like worm infecting Android devices through the Android Debug Bridge on TCP port 5555; ADB over TCP is an optional feature of the Android operating system, but it was found to be enabled on some Android phones.{{cite web | url=https://isc.sans.edu/forums/diary/Worm+Mirai+Exploiting+Android+Debug+Bridge+Port+5555tcp/23856/ | title=Worm (Mirai?) Exploiting Android Debug Bridge (Port 5555/tcp) | publisher=SANS ISC InfoSec Forums | date=July 10, 2018 | access-date=July 11, 2018 | author=Johannes B. Ullrich | archive-url=https://web.archive.org/web/20180710225211/https://isc.sans.edu/forums/diary/Worm+Mirai+Exploiting+Android+Debug+Bridge+Port+5555tcp/23856/ | archive-date=July 10, 2018 | url-status=live }}
At the end of 2018, a Mirai variant dubbed "Miori" began spreading through a remote code execution vulnerability in the ThinkPHP framework (CVE-2018-20062), affecting versions 5.0.23 to 5.1.31. The same vulnerability continued to be abused by the further evolved Mirai variants "Hakai" and "Yowai" in January 2019, and by the SpeakUp Linux backdoor in February 2019.{{cite web | url=https://www.tenable.com/blog/thinkphp-remote-code-execution-vulnerability-used-to-deploy-variety-of-malware-cve-2018-20062 | title=ThinkPHP Remote Code Execution Vulnerability Used To Deploy Variety of Malware (CVE-2018-20062) | publisher=Tenable | date=February 7, 2019 | access-date=February 7, 2019 | author=Satnam Narang | archive-url=https://web.archive.org/web/20190506104124/https://www.tenable.com/blog/thinkphp-remote-code-execution-vulnerability-used-to-deploy-variety-of-malware-cve-2018-20062 | archive-date=May 6, 2019 | url-status=live }}
Use in DDoS attacks
Mirai was used, alongside BASHLITE,{{cite web|url=https://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/|title=Double-dip Internet-of-Things botnet attack felt across the Internet|date=21 October 2016|access-date=2017-06-14|archive-url=https://web.archive.org/web/20170519112613/https://arstechnica.com/security/2016/10/double-dip-internet-of-things-botnet-attack-felt-across-the-internet/|archive-date=2017-05-19|url-status=live}} in the DDoS attack on 20 September 2016 on the Krebs on Security site which reached 620 Gbit/s.The Economist, 8 October 2016, [https://www.economist.com/news/science-and-technology/21708220-electronic-tsunami-crashes-down-solitary-journalist-internet The internet of stings] {{Webarchive|url=https://web.archive.org/web/20170806020159/https://www.economist.com/news/science-and-technology/21708220-electronic-tsunami-crashes-down-solitary-journalist-internet |date=2017-08-06 }} Ars Technica also reported a 1 Tbit/s attack on French web host OVH.
On 21 October 2016, multiple major DDoS attacks against the DNS infrastructure of provider Dyn were carried out using Mirai installed on a large number of IoT devices, many of which were still using their default usernames and passwords.{{Cite web|url=https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html|title=The Mirai botnet explained: How IoT devices almost brought down the internet|last=Fruhlinger|first=Josh|date=2018-03-09|website=CSO Online|language=en|access-date=2019-07-24|archive-url=https://web.archive.org/web/20190724154011/https://www.csoonline.com/article/3258748/the-mirai-botnet-explained-how-teen-scammers-and-cctv-cameras-almost-brought-down-the-internet.html|archive-date=2019-07-24|url-status=live}} The attacks made several high-profile websites unreachable, including GitHub, Twitter, Reddit, Netflix, Airbnb and many others.{{cite web | url=https://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained/ | title=Today the web was broken by countless hacked devices | publisher=theregister.co.uk | date=21 October 2016 | access-date=24 October 2016 | archive-url=https://web.archive.org/web/20161024090022/http://www.theregister.co.uk/2016/10/21/dyn_dns_ddos_explained | archive-date=24 October 2016 | url-status=live }} The attribution of the Dyn attack to the Mirai botnet was first reported by Level 3 Communications.{{cite web|title=Blame the Internet of Things for Destroying the Internet Today|url=https://www.vice.com/en/article/blame-the-internet-of-things-for-destroying-the-internet-today/|website=Motherboard|date=21 October 2016 |publisher=VICE|access-date=27 October 2016|archive-url=https://web.archive.org/web/20161024221854/http://motherboard.vice.com/read/blame-the-internet-of-things-for-destroying-the-internet-today|archive-date=24 October 2016|url-status=live}}
Mirai was later revealed to have been used during the DDoS attacks against Rutgers University from 2014 to 2016, which left faculty and students on campus unable to access the outside Internet for several days at a time. Additionally, a failure of the university's Central Authentication Service caused course registration and other services to become unavailable during critical times in the academic semester. The university reportedly spent $300,000 in consultation and increased the cyber-security budget of the university by $1 million in response to these attacks. The university cited the attacks among its reasons for the increase in tuition and fees for the 2015–2016 school year.{{Cite news|url=http://www.northjersey.com/story/news/2017/12/13/union-county-man-pleads-guilty-rutgers-cyber-attacks/949591001/|title=Former Rutgers student pleads guilty in cyber attacks|work=North Jersey|access-date=2017-12-14|language=en|archive-url=https://web.archive.org/web/20171214124310/http://www.northjersey.com/story/news/2017/12/13/union-county-man-pleads-guilty-rutgers-cyber-attacks/949591001/|archive-date=2017-12-14|url-status=live}} A person under the alias "exfocus" claimed responsibility for the attacks, stating in a Reddit AMA on the /r/Rutgers subreddit that the user was a student at the school and the DDoS attacks were motivated by frustrations with the university's bus system. The same user later claimed in an interview with a New Jersey–based blogger that they had lied about being affiliated with the university and that the attacks were being funded by an anonymous client. Security researcher Brian Krebs later alleged the user was indeed a student at Rutgers University and that the latter interview was given in an attempt to distract investigators.
Staff at Deep Learning Security observed the steady growth of Mirai botnets before and after the 21 October attack.{{cite news |url=https://medium.com/@deeplearningsec/think-mirai-ddos-is-over-it-aint-96298a9ff896 |title=Think Mirai DDoS is over? It ain't!! |access-date=2016-10-26 |archive-url=https://archive.today/20161027065817/https://medium.com/@deeplearningsec/think-mirai-ddos-is-over-it-aint-96298a9ff896 |archive-date=2016-10-27 |url-status=live }}
Mirai has also been used in an attack on Liberia's Internet infrastructure in November 2016.{{cite news|title=Unprecedented cyber attack takes Liberia's entire internet down|url=https://www.telegraph.co.uk/technology/2016/11/04/unprecedented-cyber-attack-takes-liberias-entire-internet-down/|newspaper=The Telegraph|date=4 November 2016|access-date=21 November 2016|archive-url=https://web.archive.org/web/20161121031359/http://www.telegraph.co.uk/technology/2016/11/04/unprecedented-cyber-attack-takes-liberias-entire-internet-down/|archive-date=21 November 2016|url-status=live|last1=McGoogan|first1=Cara}}{{cite web|title=DDoS attack from Mirai malware 'killing business' in Liberia|url=http://www.pcworld.com/article/3138631/security/ddos-attack-from-mirai-malware-killing-business-in-liberia.html|publisher=PCWorld|access-date=21 November 2016|archive-url=https://web.archive.org/web/20161122072327/http://www.pcworld.com/article/3138631/security/ddos-attack-from-mirai-malware-killing-business-in-liberia.html|archive-date=22 November 2016|url-status=live}}{{cite web|title=Massive cyber-attack grinds Liberia's internet to a halt|url=https://www.theguardian.com/technology/2016/nov/03/cyberattack-internet-liberia-ddos-hack-botnet|work=The Guardian|date=3 November 2016|access-date=21 November 2016|archive-url=https://web.archive.org/web/20161121103649/https://www.theguardian.com/technology/2016/nov/03/cyberattack-internet-liberia-ddos-hack-botnet|archive-date=21 November 2016|url-status=live}} According to computer security expert Kevin Beaumont, the attack appears to have originated from the actor which also attacked Dyn.
Mirai-driven DDoS attacks were also notable in Brazil, Taiwan, Costa Rica and India.{{cite web |last1=Schwartz |first1=Mathew J. |title=Mirai Malware Is Still Launching DDoS Attacks |url=https://www.bankinfosecurity.com/blogs/mirai-malware-still-launching-ddos-attacks-p-2303 |website=bankinfosecurity.com |language=en}}
Other notable incidents
At the end of November 2016, approximately 900,000 Deutsche Telekom routers manufactured by Arcadyan crashed when TR-064 exploitation attempts by a Mirai variant failed, leaving the users of these devices with Internet connectivity problems.{{cite web | url=https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/ | title=New Mirai Worm Knocks 900K Germans Offline | publisher=krebsonsecurity.com | date=30 November 2016 | access-date=14 December 2016 | author=Krebs, Brian | archive-url=https://web.archive.org/web/20161220161008/https://krebsonsecurity.com/2016/11/new-mirai-worm-knocks-900k-germans-offline/ | archive-date=20 December 2016 | url-status=dead }}{{cite web|title=German leaders angry at cyberattack, hint at Russian involvement {{!}} Germany {{!}} DW.COM {{!}} 29.11.2016|url=http://www.dw.com/en/german-leaders-angry-at-cyberattack-hint-at-russian-involvement/a-36573668|publisher=Deutsche Welle|access-date=5 January 2017|archive-url=https://web.archive.org/web/20170105181243/http://www.dw.com/en/german-leaders-angry-at-cyberattack-hint-at-russian-involvement/a-36573668|archive-date=5 January 2017|url-status=live}} Routers of the UK ISP TalkTalk were hit as well; although TalkTalk later patched them, a new Mirai variant was discovered on TalkTalk routers.{{Cite web|url=https://www.incapsula.com/blog/new-variant-mirai-embeds-talktalk-home-routers.html|title=New Mirai Variant Embeds in TalkTalk Home Routers|website=www.incapsula.com|access-date=2016-12-18|archive-url=https://web.archive.org/web/20161222032237/https://www.incapsula.com/blog/new-variant-mirai-embeds-talktalk-home-routers.html|archive-date=2016-12-22|url-status=dead}}
A British man suspected of being behind the Deutsche Telekom attack was arrested at Luton Airport, according to the BBC.{{Cite news|url=https://www.bbc.com/news/technology-37510502|title=Router hacker suspect arrested at Luton Airport|date=2017-02-23|newspaper=BBC News|access-date=2017-02-23|language=en-GB|archive-url=https://web.archive.org/web/20170224055712/http://www.bbc.com/news/technology-37510502|archive-date=2017-02-24|url-status=live}}
Identity of the author
On January 17, 2017, computer security journalist Brian Krebs posted an article on his blog, Krebs on Security, in which he disclosed the name of the person he believed had written the malware. Krebs stated that the likely real-life identity of Anna-senpai (named after Anna Nishikinomiya, a character from Shimoneta), the author of Mirai, was Paras Jha, an Indian-American owner of the DDoS mitigation company ProTraf Solutions and a student at Rutgers University. In an update to the original article, Paras Jha responded to Krebs and denied having written Mirai. The FBI was reported to have questioned Jha about his involvement in the October 2016 Dyn cyberattack.{{cite web|last1=Clark|first1=Adam|last2=Mueller|first2=Mark|title=FBI questions Rutgers student about massive cyber attack|url=http://www.nj.com/news/index.ssf/2017/01/rutgers_student_questioned_cyber_attack.html|website=NJ.com|date=21 January 2017|access-date=25 January 2017|archive-url=https://archive.today/20170123081123/http://www.nj.com/news/index.ssf/2017/01/rutgers_student_questioned_cyber_attack.html|archive-date=23 January 2017|url-status=live}} On December 13, 2017, Paras Jha, Josiah White, and Dalton Norman entered guilty pleas to crimes related to the Mirai botnet.{{cite web|last1=Justice|first1=Department of|title=Justice Department Announces Charges And Guilty Pleas In Three Computer Crime Cases Involving Significant Cyber Attacks|url=https://www.justice.gov/usao-nj/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases|website=justice.gov|date=13 December 2017|access-date=13 December 2017|archive-url=https://web.archive.org/web/20171213203120/https://www.justice.gov/usao-nj/pr/justice-department-announces-charges-and-guilty-pleas-three-computer-crime-cases|archive-date=13 December 2017|url-status=live}} The trio assisted the government with other cybersecurity investigations, and were sentenced to probation and community service without 
imprisonment.{{Cite book |last=Shapiro |first=Scott |authorlink=Scott J. Shapiro |title=Fancy Bear Goes Phishing: The dark history of the information age, in five extraordinary hacks |date=2023 |publisher=Farrar, Straus and Giroux |isbn=978-0-374-60117-1 |edition=1st |location=New York |pages=280–281}}
Daniel Kaye, 29, known by the aliases "BestBuy", "Popopret" and "Spiderman", was accused of "using an infected network of computers known as the Mirai botnet to attack and blackmail Lloyds Banking Group and Barclays banks," according to the NCA, which also reported his extradition from Germany to the UK. Kaye had earlier pleaded guilty in a German court to hijacking more than 900,000 routers on the network of Deutsche Telekom.{{cite web | url=https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/ | title=Who is the GovRAT Author and Mirai Botmaster'Bestbuy'? | publisher=Krebs on Security | date=July 5, 2017 | access-date=July 5, 2017 | author=Brian Krebs | archive-url=https://web.archive.org/web/20170705232229/https://krebsonsecurity.com/2017/07/who-is-the-govrat-author-and-mirai-botmaster-bestbuy/ | archive-date=July 5, 2017 | url-status=live }}{{cite web | url=https://www.bankinfosecurity.com/mirai-malware-mastermind-extradited-from-germany-to-uk-a-10247 | title=Mirai Malware Attacker Extradited From Germany to UK | publisher=Bank Info Security | date=August 31, 2017 | access-date=August 31, 2017 | author=Mathew J. Schwartz | archive-url=https://web.archive.org/web/20170831155843/https://www.bankinfosecurity.com/mirai-malware-mastermind-extradited-from-germany-to-uk-a-10247 | archive-date=August 31, 2017 | url-status=live }}
Researchers later pointed to the handle "Nexus Zeta" as the author of new variants of Mirai (dubbed Okiru, Satori, Masuta and PureMasuta),{{cite web | url=https://research.checkpoint.com/good-zero-day-skiddie/ | title=Huawei Home Routers in Botnet Recruitment | publisher=Check Point | date=December 21, 2017 | access-date=February 4, 2018 | author=Check Point Research | archive-url=https://web.archive.org/web/20180206190336/https://research.checkpoint.com/good-zero-day-skiddie/ | archive-date=February 6, 2018 | url-status=live }}{{cite web | url=https://www.bleepingcomputer.com/news/security/amateur-hacker-behind-satori-botnet/ | title=Amateur Hacker Behind Satori Botnet | publisher=Bleeping Computer | date=December 22, 2017 | access-date=February 4, 2018 | author=Catalin Cimpanu | archive-url=https://web.archive.org/web/20171227221441/https://www.bleepingcomputer.com/news/security/amateur-hacker-behind-satori-botnet/ | archive-date=December 27, 2017 | url-status=live }} and on August 21, 2018, an American grand jury indicted Kenneth Currin Schuchman, 20, aka Nexus Zeta, for knowingly causing the transmission of a program, information, code, and commands, and as a result of such conduct intentionally causing damage without authorization to protected computers, according to the indictment filed in U.S. District Court in Anchorage,{{cite web | url=https://www.thedailybeast.com/newbie-hacker-fingered-for-monster-botnet | title=Newbie Hacker Fingered for Monster Botnet | publisher=The Daily Beast | date=August 30, 2018 | access-date=August 30, 2018 | author=Kevin Poulsen | archive-url=https://web.archive.org/web/20190807042925/https://www.thedailybeast.com/newbie-hacker-fingered-for-monster-botnet | archive-date=August 7, 2019 | url-status=live }}{{cite web | url=https://www.columbian.com/news/2018/sep/04/vancouver-man-charged-federal-hacking-case-alaska/ | title=Vancouver man charged in federal hacking case in Alaska | publisher=The Columbian | date=September 4, 2018 | access-date=September 4, 2018 | author=Jessica Prokop | archive-url=https://web.archive.org/web/20180905084022/https://www.columbian.com/news/2018/sep/04/vancouver-man-charged-federal-hacking-case-alaska/ | archive-date=September 5, 2018 | url-status=live }} followed by the arrest and trial of the suspect.{{cite web | url=https://www.zdnet.com/article/satori-botnet-author-in-jail-again-after-breaking-pretrial-release-conditions/ | title=Satori botnet author in jail again after breaking pretrial release conditions | publisher=ZDNet | date=October 28, 2018 | access-date=October 28, 2018 | author=Catalin Cimpanu | archive-url=https://web.archive.org/web/20190905151442/https://www.zdnet.com/article/satori-botnet-author-in-jail-again-after-breaking-pretrial-release-conditions/ | archive-date=September 5, 2019 | url-status=live }}
In popular culture
American electronic musician and composer James Ferraro's 2018 album Four Pieces for Mirai references Mirai in its ongoing narrative.
See also
- Linux malware
- Denial-of-service attack
- BASHLITE – another notable IoT malware
- Linux.Darlloz – another notable IoT malware
- Remaiten – another IoT DDoS bot
- Linux.Wifatch
- Hajime
- BrickerBot
References
{{reflist|35em}}
Further reading
- {{Cite magazine |last=Greenberg |first=Andy |date=November 14, 2023 |title=The Mirai Confessions: Three Young Hackers Who Built a Web-Killing Monster Finally Tell Their Story |url=https://www.wired.com/story/mirai-untold-story-three-young-hackers-web-killing-monster/ |magazine=Wired}}
{{IoT Malware}}
{{Hacking in the 2010s}}
Category:Denial-of-service attacks
Category:Software using the GNU General Public License
Category:Free software programmed in C