Malware Threat in Internet of Things and Its Mitigation Analysis

Copyright: © 2021 |Pages: 17
DOI: 10.4018/978-1-7998-5348-0.ch020


This chapter introduces the malware threat in the Internet of Things (IoT) and then analyzes the mitigation methods against that threat. In September 2016, Brian Krebs' website “Krebs on Security” came under a massive distributed denial of service (DDoS) attack, twice the size of the largest attack recorded up to then. This attack was caused by a new type of malware called Mirai. Mirai primarily targets IoT devices such as security cameras and wireless routers. IoT devices have properties that make them attractive targets for malware: large volume, pervasiveness, and high vulnerability. As a result, a DDoS attack launched by infected IoT devices tends to become massive and disruptive, which makes the threat of Mirai an extremely important issue. Mirai has attracted a great deal of attention since its birth, and this has produced a large body of information about IoT malware. Most of it came not from academia but from industry, represented by antivirus software makers. This chapter summarizes that information.
Chapter Preview

Malware In Internet Of Things: Mirai

Threat and Attack

Mirai (meaning “future” in Japanese) is malware that turns IoT devices into malicious bots and assembles them into a network of bots called a botnet. Botnets can be used to perform large-scale network attacks, typified by DDoS attacks. We shall trace Mirai’s history to show its threat and attacks.

  • Discovery (August 31, 2016): The malware research group MalwareMustDie reported the discovery of Mirai. See [MalwareMustDie. (2016)].

  • Early Major Attacks (September 2016): The first attack came on September 18, 2016. It targeted the French cloud hosting company OVH [Bonderud, D. (2016)]. At about the same time, another attack fell on Brian Krebs’ website “Krebs on Security” [Krebs, B. (2016)]. It reached 620 Gbps, twice the size of the largest attack recorded up to then. In addition, the United States Domain Name System (DNS) provider Dyn was exposed to attacks on October 21, 2016 [York, K. (2016)], making major internet services such as Amazon and Twitter unavailable. These massive and disruptive attacks made Mirai well-known.

  • Source Code Released (September 30, 2016): The author of Mirai, “Anna-senpai”, posted the source code of Mirai on Hack Forums as open source [Statt, N. (2016)]. It was later removed by the administrator of Hack Forums. For academic purposes, it has also been archived on GitHub:

  • Variants (December 2017): The released source code enabled anyone not only to build Mirai but also to evolve it into new variants. In December 2017, researchers discovered a variant of Mirai called “Satori” [360 netlab. (2017)]. Satori is more infectious than Mirai because it exploits vulnerabilities in IoT devices. In the following month, a variant of Satori called “Okiru” was found; Okiru is able to target additional architectures such as ARC [Arzamendi, P., Bing, M. & Soluk, K. (2018)]. Following Satori and Okiru, more than ten variants of Mirai have been discovered, and the number of variants is expected to keep increasing.

Figure 1. Countries possessing the infected IoT devices before and after the outbreak of Mirai (Nakao, 2018)


Mirai infected over 300,000 IoT devices in 164 countries (Devry, 2016). Figure 1 illustrates how the countries possessing the infected IoT devices differed before and after the outbreak of Mirai (Nakao, 2018). Before the outbreak, the top 5 countries were China (14.1%), Brazil (10.5%), India (8.6%), Vietnam (6.6%), and Taiwan (4.7%). After the outbreak, the top 5 countries changed to Vietnam (15.3%), Brazil (15.3%), Taiwan (8.1%), Turkey (7.6%), and India (8.6%). This indicates that malware activity was shifting toward emerging markets and developing countries.
