Why a ‘super-Mirai’ attack never happened

A large network of corporate IoT devices that was gathered to launch a massive DDoS attack. Then whomever created it the network decided against using it.
(Getty Images)

The vast amount of internet-connected devices that fueled the Mirai botnet are only the “tip of the iceberg” when it comes to the denial of service threat from the Internet of Things, according to new research to be presented at the DEF CON security conference later this week.

“We estimate up to 95 percent of all IoT devices are deployed behind corporate firewalls,” and not addressable via the public internet, Steinthor Bjarnason, a security engineer with Arbor Networks, told CyberScoop.

“They are only locally addressable,” he said, “We are talking about security cameras, light bulbs, thermostats…. Any kind of [connected] device … They are living happily behind those firewalls and life is good.”

Mirai — which uses the public web to find and infect IoT devices and weaponize their internet connectivity into massive distributed denial of service attacks — brought the internet briefly to its knees last year. Hundreds of thousands of vulnerable IoT devices, mainly webcams and routers, were recruited to stage a series of massive attacks.


But in January, researchers found something that piqued Bjarnason’s interest.

The Mirai Windows Trojan was a malicious software program that attacked Windows networks through multiple vectors. Once it had a foothold in the network it would begin scanning for locally addressable IoT devices.

“The malware pushed a specially written binary onto those devices,” Bjarnason said, recruiting them into a Mirai-type botnet.

There are 10-20 times as many IoT devices behind corporate firewalls as out on the public internet, Bjarnason said. But being on the internal network doesn’t stop them from being weaponizable.

Although the IoT devices the trojan recruits aren’t addressable via the public internet, “You usually configure firewalls to allow all outbound network traffic,” Bjarnason said. This means those devices, if infected, can send messages out onto the internet, and can become part of massive Mirai-type DDoS attacks.


If that happens to a network you are managing, Bjarnason said, “You will have a very serious problem.”

But worse still, “Most internal networks will collapse when a DDoS attack of that size traverses them,” Bjarnason explained. “Just the volume of that type of traffic will be overwhelming … switches, routers, load-balancing devices … almost every kind of network device … will fall over.”

“The number of companies in the world that could survive an internal DDoS attack like that, you could count them on the fingers of two or three hands,” he said.

If the Mirai Windows Trojan had spread even a fraction as widely as WannaCry, it would have brought corporate networks to a standstill all over the world.

“It was extremely scary,” Bjarnason said of the malware, aspects of which were reported in February by Russian security companies Dr. Web and Kaspersky.


But then something strange happened: Nothing.

“No one started to launch these kinds of attacks,” said Bjarnason. “I was very surprised.”

“Why? Why build such a powerful weapons and then not use it? Was this a test? … Was it launched on the internet accidentally? … Are they still developing? We don’t know.”

Regardless, “The [Mirai] source code is out there, the [Mirai Windows Trojan] binary is out there,” and could be repurposed by other attackers. “The only thing it take is for someone to show people how it can be done,” he said.

Bjarnason said his DEF CON presentation aims to “educate people about the threat.”


“If you are aware of the risk, you can configure your network to be more resilient,” for instance by segmenting and isolating the vulnerable devices on a VLAN or subnet, he said.

“It’s not magic, there are steps you can take.”

Latest Podcasts