Windows Devices Used to Increase Size of Mirai Botnet

The Mirai Botnet was used to launch devastating distributed denial of service (DDoS) attacks late last year, some of which took down large sections of the Internet including some of the most popular websites  – Twitter and Netflix for example. One Mirai attack on the hosting company OVH registered 1.1 Tbps. It has been predicted that attacks on that scale are likely to become much more common in 2017.

The Botnet is comprised of IoT devices that have been poorly protected. Mirai malware is loaded to those devices to create an army capable of conducting massive DDoS attacks. Mirai targets Linux-based IoT devices such as DVRs, surveillance cameras, IP cameras and routers, rather than computers. While the botnet is not believed to include Windows devices, they are now being used to increase the size of the botnet. As the size increases, so does the potential for even larger DDoS attacks to be performed.

However, Windows computers are not being added to the botnet nor are they being used for the DDoS attacks. Instead, Windows computers are being used to search for vulnerable devices that can subsequently be infected with Mirai malware.

In order for Windows computers to be used, access must be gained. The gang behind the Mirai Botnet is using a Windows Trojan – Trojan.Mirai.1 – for that purpose. The new Trojan was recently discovered by Doctor Web.

Once the Trojan is installed it downloads a configuration file from the attackers’ C&C server. The file contains a large list of IP addresses which the malware tries to authenticate over a wide range of ports (SSH and Telnet).

If authentication succeeds, commands are executed, a binary package is downloaded, and the located IoT device is added to the Mirai botnet. Using this method, the gang behind the Mirai botnet are able to add devices to the botnet that are not directly accessible over the Internet.

However, the Windows computers are not simply used to spread infections and increase the size of the botnet. The Trojan is also capable of causing damage to the computers it infects. Files can be deleted, the Windows registry can be changed, and SQL databases can be attacked.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of