Analyzing The Mirai IoT Botnet and Its Recent Variants: Satori, Mukashi, Moobot, and Sonic

TL;DR

This paper analyzes the Mirai IoT botnet and its recent variants, detailing their attack methods, targeted vulnerabilities, infection impacts, and discussing potential defense strategies.

Contribution

It provides a comprehensive analysis of Mirai variants Satori, Mukashi, Moobot, and Sonic, highlighting their novel attack techniques and vulnerabilities exploited.

Findings

Satori infected nearly 700,000 devices within 12 hours

Mukashi exploited Zyxel NAS devices, affecting over 100 million

Variants target over 15 known vulnerabilities from 2014-2021

Abstract

Mirai is undoubtedly one of the most significant Internet of Things (IoT) botnet attacks in history. In terms of its detrimental effects, seamless spread, and low detection rate, it surpassed its predecessors. Its developers released the source code, which triggered the development of several variants that combined the old code with newer vulnerabilities found on popular IoT devices. The prominent variants, Satori, Mukashi, Moobot, and Sonic1, together target more than 15 unique known vulnerabilities discovered between 2014-2021. The vulnerabilities include but are not limited to improper input validation, command injections, insufficient credential protection, and out-of-bound writes. With these new attack strategies, Satori compromised more than a quarter million devices within the first twelve hours of its release and peaked at almost 700,000 infected devices. Similarly, Mukashi made more than a hundred million Zyxel NAS devices vulnerable through its new exploits. This article reviews the attack methodologies and impacts of these variants in detail. It summarizes the common vulnerabilities targeted by these variants and analyzes the infection mechanism through vulnerability analysis. This article also provides an overview of possible defense solutions.