
The updated Mirai botnet is back and more powerful than before



Mirai never really went away, since several variants of it are circulating on the network. However, network security experts have found an interesting version of Mirai with extended capabilities. It was discovered during the analysis of a powerful DDoS attack that lasted 54 hours. Apparently, the botnet is now more powerful than ever.

Since the first version of Mirai was discovered, both cybersecurity experts and cybercriminals have paid close attention to it. Its distinguishing feature is that it compromises "smart" devices, including cameras, thermostats, etc., and then uses them as bots for DDoS attacks. The first version of Mirai comprised about 400-500 thousand connected devices. Soon after the botnet became known, third-party hackers managed to seize control of it; apparently there were two of them.

It was previously reported that a vulnerability had been discovered in the original version of Mirai. It was found after Mirai's source code appeared online. A struggle for control of the botnet then unfolded among various hackers. As a result, a hacker with the nickname BestBuy and his partner Popopret became the botnet's operators (there is, incidentally, an assumption that this is one and the same person rather than two hackers). The victims of the DDoS attacks they carried out included information security specialist Brian Krebs, French hosting provider OVH, Dyn, and a number of other individuals and organizations.

This year, about a month ago, BestBuy was arrested at a UK airport. The operation was made possible by the combined efforts of law enforcement agencies in Germany, Cyprus, Great Britain, Europol and Eurojust. After the arrest, both BestBuy and his presumed partner Popopret stopped all online communication, and the last time each of them was online is about the same. In addition, one of BestBuy's accounts was hacked, after which it turned out that he had been communicating both under his own name and as Popopret.

In any case, the botnet did not die, as law enforcement had hoped. In February 2017 (just after the arrest of the alleged botnet operator), an educational institution in the United States was attacked. As mentioned above, the attack lasted more than 54 hours. This differed significantly from Mirai's usual pattern; previously, attacks lasted about 24 hours and no more.

It is worth noting that Mirai now consists of new devices that were compromised relatively recently. All elements of the botnet attacked the target using an HTTP flood. About 10,000 Internet of Things devices took part in this attack, including cameras, routers and other devices. Their manufacturers have still not fixed the software vulnerabilities that were discovered while the first version of Mirai was active, so it is not surprising that Mirai was able to operate again.

The attack was fairly powerful. The target received about 30,000 HTTP requests per second, and that rate was sustained for all 54 hours of the attack. The power will probably only grow in the future, as the operators of the new Mirai (whoever they may be) are improving and refining the botnet's software.

Its latest version includes 30 alternative user agents, a step up from 5 in the original botnet. A larger number of user agents lets Mirai successfully counter most of the security measures taken by information security specialists. The bots' IP addresses are spread quite widely: approximately 18% of the botnet's elements are located in the United States, 11% in Israel and 11% in Taiwan.
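Because a larger user-agent pool weakens filters keyed to known agent strings, detection for an HTTP flood like the one described above usually relies on per-source behaviour instead. The following added example (not from the original article) flags sources in an access log by request rate and by how many distinct user agents one address presents within a short window. The log format, thresholds, addresses and agent strings are all constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: we only need client IP, timestamp and user agent.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"[^"]*" \d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["ua"]

def flag_sources(lines, window_s=10, max_reqs=20, max_uas=3):
    """Return {ip: reason} for sources over a threshold within a sliding window.
    Thresholds are illustrative assumptions, not tuned values."""
    window = timedelta(seconds=window_s)
    recent = defaultdict(deque)  # ip -> (timestamp, user agent) inside the window
    flagged = {}
    for rec in map(parse, lines):
        if rec is None:
            continue  # skip lines that are not in the expected format
        ip, ts, ua = rec
        q = recent[ip]
        q.append((ts, ua))
        while ts - q[0][0] > window:
            q.popleft()
        if ip in flagged:
            continue
        if len({u for _, u in q}) > max_uas:
            flagged[ip] = "ua_rotation"  # one client, many browser identities
        elif len(q) > max_reqs:
            flagged[ip] = "rate"
    return flagged

def sample_log():
    """Constructed data: a UA-rotating source, a steady flooder, a normal client."""
    def line(ip, sec, ua):
        return (f'{ip} - - [20/Feb/2017:10:00:{sec:02d} +0000] '
                f'"GET / HTTP/1.1" 200 512 "-" "{ua}"')
    out = []
    for i in range(30):  # 5 requests per second for 6 seconds from each bot
        out.append(line("203.0.113.7", i // 5, f"ConstructedAgent/{i % 6}"))
        out.append(line("203.0.113.9", i // 5, "ConstructedAgent/0"))
    out += [line("198.51.100.20", i * 10, "ConstructedBrowser/1.0") for i in range(5)]
    return out

if __name__ == "__main__":
    print(flag_sources(sample_log()))
```

The rotating source is caught on its fourth request, well before it reaches the rate threshold, while the client sending one request every 10 seconds is never flagged.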

Now all that remains is to follow further developments and guess how powerful the next attack will be. There is almost no doubt that there will be one.

Source: https://habr.com/ru/post/325844/