A Deep-dive Into The Mirai Botnet

June 06, 2025 | Connor Gadbois

Malware Analysis

Mirai was a botnet that targeted Linux devices and used them for DDoS attacks. It went after low-hanging fruit (mostly IoT devices), using basic vulnerabilities (default passwords, misconfigurations, etc.). For a DDoS botnet, having lower-quality devices serve as bots can be an advantage: they often run no antivirus or EDR, so it is much less likely that anyone will notice suspicious CPU or network usage. What made Mirai powerful was its ability to act as a worm. Once on a device it would scan the network for other devices, try to exploit them, and turn them into bots. In 2017 the source code for the Mirai botnet was released, leading to many variants being made.


Overview of the bot source code

For most of the important string values used by the program, the bot encrypts them into a table. This is to make static analysis and fingerprinting of the binary more difficult.

The values for the table are manually encrypted using Mirai's "enc.c" tool. 

The key can be changed each time the bot is built, so if one build is compromised, the same key cannot be used to decrypt the values in another build's table.


One way the bot infects other devices is by using known default passwords; these credentials are stored in the same table.

The scanner uses these username/password combinations to try to telnet into devices on the network. If a login succeeds, it reports to the scan reporting server that it has found another device it can log in to.
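The table obfuscation described above, and the credential entries the scanner pulls from it, as an added example that is not code from the Mirai source: a C reimplementation of the byte-wise XOR scheme that enc.c and table.c share, with a constructed sample key standing in for whatever key a given build uses.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed sample key for this example; the real key is defined in the
   bot's table.c and enc.c and can differ from build to build. */
#define SAMPLE_TABLE_KEY 0x1a2b3c4dU

/* One table entry as the bot keeps it: obfuscated bytes plus their length. */
struct table_entry {
    uint8_t val[32];
    size_t len;
};

/* Byte-wise XOR with each of the four key bytes in turn. XOR is its own
   inverse, so the same routine both locks (enc.c) and unlocks (table.c). */
void mirai_toggle_obf(uint8_t *buf, size_t len, uint32_t key)
{
    uint8_t k1 = key & 0xff, k2 = (key >> 8) & 0xff,
            k3 = (key >> 16) & 0xff, k4 = (key >> 24) & 0xff;
    for (size_t i = 0; i < len; i++) {
        buf[i] ^= k1;
        buf[i] ^= k2;
        buf[i] ^= k3;
        buf[i] ^= k4;
    }
}

/* Four successive XORs collapse to one: the effective key is a single byte,
   so an analyst can recover a build's table with a 256-way XOR search even
   though the 32-bit key changes per build. */
uint8_t mirai_effective_key(uint32_t key)
{
    return (uint8_t)(key ^ (key >> 8) ^ (key >> 16) ^ (key >> 24));
}

/* enc.c side: build an obfuscated entry from a plaintext credential. */
void mirai_table_lock(struct table_entry *e, const char *plain, uint32_t key)
{
    e->len = strlen(plain);
    if (e->len > sizeof e->val) e->len = sizeof e->val;
    memcpy(e->val, plain, e->len);
    mirai_toggle_obf(e->val, e->len, key);
}

/* table.c side: decode an entry into a NUL-terminated string before use. */
void mirai_table_unlock(const struct table_entry *e, uint32_t key,
                        char *out, size_t outlen)
{
    size_t n = e->len < outlen - 1 ? e->len : outlen - 1;
    memcpy(out, e->val, n);
    mirai_toggle_obf((uint8_t *)out, n, key);
    out[n] = '\0';
}
```

With the sample key the four key bytes XOR down to 0x40, so the credential "admin" is stored as "!$-)." and comes back unchanged after unlocking.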


The bot includes 11 attack vectors, though the proxy knock-back connection vector does not work.


There is also functionality for killing processes on the device.


And, because internet, a rick roll.


Overview of the C2 source code

The admin CLI lets users log in to the botnet and manually designate attacks. It starts by reading a string from prompt.txt and printing it out as the header. The file just contains the string "я люблю куриные наггетсы", which translates to "I love chicken nuggets".


Each user can be configured to only be allowed to use up to a specified number of bots. This is used for selling access to the botnet.


There is a target whitelisting system to prevent the botnet from accidentally attacking its own infrastructure.


Today the botnet is still in use and has been modified for cryptocurrency mining and anonymous proxies, and updated with more exploits to infect other machines. Using MalwareBazaar we can see that, even in its unmodified form, Mirai is still being used. Initial access to devices still appears to rely on basic vulnerabilities and known exploits. Once on a device, a script that downloads the bot is run. Instead of checking which architecture it is running on, the script downloads every build of the bot and tries to run each one.


  Links
  Mirai source code: https://github.com/jgamblin/Mirai-Source-Code
  Mirai install script sample: https://bazaar.abuse.ch/sample/45eecbde1e86f...