{
	"id": "b022fcb0-5df5-4a90-a7b5-d220d96a6ba5",
	"created_at": "2026-04-06T00:20:11.051224Z",
	"updated_at": "2026-04-10T13:11:43.984395Z",
	"deleted_at": null,
	"sha1_hash": "b3530fed7e2fa82c73e8ee1882b05a9a42242f82",
	"title": "Mirai DDoS Botnet: Source Code \u0026 Binary Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 269387,
	"plain_text": "Mirai DDoS Botnet: Source Code \u0026 Binary Analysis\r\nArchived: 2026-04-05 15:14:57 UTC\r\nMirai is a DDoS botnet that has gained a lot of media attention lately due to high-impact attacks such as the one on\r\njournalist Brian Krebs, and also for one of the biggest DDoS attacks on the Internet, against ISP Dyn, which cut off a\r\nmajor chunk of the Internet and took place last weekend (Friday 21 October 2016).\r\nBesides the media coverage, Mirai is very interesting because we have binary samples captured in the wild\r\nand because the source code was released recently – for sure we can expect many variants of Mirai code soon.\r\nHaving both binary and source code allows us to study it in more detail.\r\nIt is quite amazing that we are in 2016 and still talking about worms, default/weak passwords and DDoS attacks:\r\nhello Morris Worm (1988) and Project Rivolta (2000), to mention a few.\r\nSource Code Analysis\r\nWe have compiled the Mirai source code using Tintorera, a VULNEX static analysis tool that generates\r\nintelligence while building C/C++ source code. This gives us the big picture fast.\r\nFrom Tintorera we get an application detail summary counting compiled files, lines of code, comments, blanks\r\nand additional metrics; Tintorera also calculates the time needed to review the code. Mirai is a small project and\r\nnot too complicated to review. (Figure 1)\r\nFigure 1\r\nMirai uses several functions from the Linux API, mostly related to network operations. (Figure 2)\r\nhttp://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/\r\nPage 1 of 5\n\nFigure 2\r\nIn the Tintorera intelligence report we have a list of files, function names, basic blocks, cyclomatic complexity,\r\nAPI calls and inline assembly used by Mirai. By examining this list we can get an idea of the code. 
(Figure 3)\r\nFigure 3\r\nIn file killer.c there is a function named killer_init that kills several services: telnet (port 23), ssh (port 22) and http\r\n(port 80), to prevent access to the compromised system by others. (Figure 4)\r\nFigure 4\r\nIn the same file, killer.c, another function named memory_scan_match searches memory for other Linux malware.\r\n(Figure 5)\r\nFigure 5\r\nIn file scanner.c, the function named get_random_ip generates random IPs to attack while avoiding a whitelist of\r\naddresses from General Electric, Hewlett-Packard, US Postal Service and US Department of Defense. (Figure 6)\r\nFigure 6\r\nMirai comes with a list of 62 default/weak passwords to perform brute force attacks on IoT devices. This list is\r\nset up in function scanner_init of file scanner.c. (Figure 7)\r\nFigure 7\r\nIn the main.c file we can find the main function, which prevents compromised devices from rebooting by killing the watchdog and\r\nstarts the scanner to attack other IoT devices. In Figure 8 we see a callgraph of file main.c.\r\nFigure 8\r\nMirai offers offensive capabilities to launch DDoS attacks using UDP, TCP or HTTP protocols.\r\nBinary Analysis\r\nNow let’s move to binary analysis. So far we have been able to study 19 different samples obtained in the wild for\r\nthe following architectures: x86, ARM, MIPS, SPARC, Motorola 68020 and Renesas SH (SuperH).\r\nFor the binary analysis we have used the VULNEX BinSecSweeper platform, which allows in-depth analysis of binaries, among\r\nother files, combining SAST and Big Data.\r\nIn Figure 9 we see a chart showing the file magic of all the samples to give us an idea of the file types/architectures. 
All\r\nsamples are 32-bit.\r\nFigure 9\r\nBy using BinSecSweeper we obtained a lot of information for each sample, similarities between them and\r\ndifferent vulnerabilities. Currently not many antivirus products identify all the samples, so beware which antivirus you use!\r\nIn Figure 10 we have a visualization of file sizes in bytes.\r\nFigure 10\r\nWe analyzed all section names in the samples and Figure 11 is the result.\r\nFigure 11\r\nAs mentioned before, the samples are for different architectures, so in this post we are not showing you the code\r\nanalysis results.\r\nWe have updated the BinSecSweeper analysis engine to identify Mirai malware samples. A full binary analysis report\r\nis available from VULNEX Cyber Intelligence Services to our customers; please visit our website or contact us.\r\nConclusions\r\nDespite being fairly simple code, Mirai has some interesting offensive and defensive capabilities and for sure it\r\nhas made a name for itself. Now that the source code has been released, it is just a matter of time before we start seeing\r\nvariants of Mirai.\r\nThe Mirai botnet is a wake-up call to IoT vendors to secure their devices. Unfortunately, millions of devices have\r\nalready been deployed on the Internet and they are insecure by default, so brace yourself for more IoT attacks in the\r\nnear future.\r\nWhat do you think about IoT security?\r\n— Simon Roses Femerling / Twitter @simonroses\r\nSource: http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"http://www.simonroses.com/2016/10/mirai-ddos-botnet-source-code-binary-analysis/"
	],
	"report_names": [
		"mirai-ddos-botnet-source-code-binary-analysis"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434811,
	"ts_updated_at": 1775826703,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b3530fed7e2fa82c73e8ee1882b05a9a42242f82.pdf",
		"text": "https://archive.orkl.eu/b3530fed7e2fa82c73e8ee1882b05a9a42242f82.txt",
		"img": "https://archive.orkl.eu/b3530fed7e2fa82c73e8ee1882b05a9a42242f82.jpg"
	}
}