Competing hackers dampen the power of Mirai botnets

The Mirai malware has been blamed for a string of massive DDoS attacks

The malware behind last month's massive distributed denial-of-service attack in the U.S. appears to be losing its potency. Ironically, hackers are to blame for diluting its power.  

The malware known as Mirai -- which is now available on the internet -- has become a bit too popular in the hacking community, according to security firm Flashpoint.

Competing hackers have all been trying to take advantage of Mirai to launch new DDoS attacks. To do so, that means infecting the poorly secured internet-connected devices, such as surveillance cameras, baby monitors, and DVRs, that the malware was designed to exploit.

The problem is the malware may have run out of new devices to infect, forcing the hackers to vie for control over a limited resource pool. That competition appears to be stiff.

On Tuesday, Flashpoint said it found that the Mirai malware is probably being used across 52 different networks of enslaved devices, often called botnets.

Many of these hackers are coming up with their own strains of Mirai to fight over the what devices they can infect, Flashpoint analyst John Costello said in an email.

However, that competition is also fracturing Mirai's full power. Newly formed botnets created through Mirai are becoming smaller in size, ever since the source code to the malware was released back in late September.

"Due to these factors, the botnet’s fracturing has significantly lowered the impact, efficacy, and damage of subsequent attacks," Flashpoint said in a blog post.

Hackers also face another challenge to fully exploit Mirai -- the malicious coding has been designed to kick out competing malware.

It does this whenever it spreads to a new device. Mirai will also attempt to lock down the device, shutting off the ports that allowed the infection in the first place, Costello said.  

That feature may be inadvertently contributing to the diminishing power of the malware. For instance, last week, one large Mirai-powered botnet was found attacking IP addresses in Liberia, disrupting business at a local mobile service provider.

But since then, the server controlling the botnet has gone offline, according to a security researcher who goes by the name MalwareTech. Without a master, the Mirai-infected devices will no longer attack, nor can they be overtaken by another malware in most cases.

Only when the devices are rebooted does the Mirai infection clear, Costello said. Competing hackers will then try to quickly reinfect the devices, sometimes within 30 seconds of the device going back online.

"This appears to be the primary means by which vulnerable devices are reinfected and the main method by which botnet ownership has fluctuated over time," he said.

It isn't clear how big these individual Mirai-powered botnets are, but internet backbone provider Level 3 Communications estimated last month that more than 500,000 devices had been infected with the malware.

Security researcher Kevin Beaumont agreed that Mirai-powered botnets appear to be fracturing under the competition. Nevertheless, there are still three or four large Mirai botnets capable of taking down websites, he said. He pointed to online gambling service William Hill, which was likely hit with a DDoS attack and kicked offline by a Mirai botnet last week.

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Michael Kan

IDG News Service
Show Comments



Sansai 6-Outlet Power Board + 4-Port USB Charging Station

Learn more >



Back To Business Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Walid Mikhael

Brother QL-820NWB Professional Label Printer

It’s easy to set up, it’s compact and quiet when printing and to top if off, the print quality is excellent. This is hands down the best printer I’ve used for printing labels.

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?