{
	"id": "0f8bf4ab-27fc-4018-bf33-877f0ff24b00",
	"created_at": "2026-04-06T00:15:08.019625Z",
	"updated_at": "2026-04-10T03:22:12.831435Z",
	"deleted_at": null,
	"sha1_hash": "5f6c617829f5baaa56f88c5b68fb0a4e686da37c",
	"title": "Source Code for IoT Botnet ‘Mirai’ Released",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 129889,
	"plain_text": "Source Code for IoT Botnet ‘Mirai’ Released\r\nPublished: 2016-10-03 · Archived: 2026-04-05 19:35:16 UTC\r\nThe source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically\r\nlarge distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released,\r\nvirtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by\r\ninsecure routers, IP cameras, digital video recorders and other easily hackable devices.\r\nThe leak of the source code was announced Friday on the English-language hacking community Hackforums.\r\nThe malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT\r\nsystems protected by factory default or hard-coded usernames and passwords.\r\nThe Hackforums post that includes links to the Mirai source code.\r\nVulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a\r\ncentral control server that can be used as a staging ground for launching powerful DDoS attacks designed to\r\nknock Web sites offline.\r\nThe Hackforums user who released the code, using the nickname “Anna-senpai,” told forum members the source\r\ncode was being released in response to increased scrutiny from the security industry.\r\n“When I first go in DDoS industry, I wasn’t planning on staying in it long,” Anna-senpai wrote. “I made my\r\nmoney, there’s lots of eyes looking at IOT now, so it’s time to GTFO [link added]. So today, I have an amazing\r\nrelease for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb [sic] DDoS,\r\nISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.”\r\nSources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to\r\nquickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed\r\n“Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on\r\nIoT devices.\r\nhttps://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/\r\nPage 1 of 2\n\nAccording to research from security firm Level3 Communications, the Bashlight botnet currently is responsible\r\nfor enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.\r\n“Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew,\r\nLevel3’s chief security officer.\r\nInfected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory.\r\nBut experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices\r\ncan be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly\r\nbeing reinfected on reboot.\r\nIn the days since the record 620 Gbps DDoS on KrebsOnSecurity.com, this author has been able to confirm that\r\nthe attack was launched by a Mirai botnet. As I wrote last month, preliminary analysis of the attack traffic\r\nsuggested that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it\r\nwas generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. GRE lets two peers share data they wouldn’t be able to share over the\r\npublic network itself.\r\nOne security expert who asked to remain anonymous said he examined the Mirai source code following its\r\npublication online and confirmed that it includes a section responsible for coordinating GRE attacks.\r\nIt’s an open question why anna-senpai released the source code for Mirai, but it’s unlikely to have\r\nbeen an altruistic gesture: Miscreants who develop malicious software often dump their source code publicly\r\nwhen law enforcement investigators and security firms start sniffing around a little too close to home. Publishing\r\nthe code online for all to see and download ensures that the code’s original authors aren’t the only ones found\r\npossessing it if and when the authorities come knocking with search warrants.\r\nMy guess is that (if it’s not already happening) there will soon be many Internet users complaining to their ISPs\r\nabout slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the\r\nbright side, if that happens it may help to lessen the number of vulnerable systems.\r\nOn the not-so-cheerful side, there are plenty of new, default-insecure IoT devices being plugged into the Internet\r\neach day. Gartner Inc. forecasts that 6.4 billion connected things will be in use worldwide in 2016, up 30 percent\r\nfrom 2015, and will reach 20.8 billion by 2020. In 2016, 5.5 million new things will get connected each day,\r\nGartner estimates.\r\nFor more on what we can and must do about the dawning IoT nightmare, see the second half of this week’s story,\r\nThe Democratization of Censorship. In the meantime, this post from Sucuri Inc. points to some of the hardware\r\nmakers whose default-insecure products are powering this IoT mess.\r\nSource: https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/\r\nhttps://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/"
	],
	"report_names": [
		"source-code-for-iot-botnet-mirai-released"
	],
	"threat_actors": [],
	"ts_created_at": 1775434508,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5f6c617829f5baaa56f88c5b68fb0a4e686da37c.pdf",
		"text": "https://archive.orkl.eu/5f6c617829f5baaa56f88c5b68fb0a4e686da37c.txt",
		"img": "https://archive.orkl.eu/5f6c617829f5baaa56f88c5b68fb0a4e686da37c.jpg"
	}
}