
An Evaluation of IoT DDoS Cryptojacking Malware and Mirai Botnet

Adam Borys, Department of IS and Statistics, Baruch College/CUNY, NY 10010, USA, adamborys@baruchmail.cuny.edu
Abu Kamruzzaman, Department of IS and Statistics, Baruch College/CUNY, NY 10010, USA, abu.kamruzzaman@baruch.cuny.edu
Hasnain Nizam Thakur, Mathematics and Natural Science, Brac University, Dhaka, Bangladesh, hasnain.nizam.thakur@g.bracu.ac.bd
Joseph C. Brickley, Department of Civil Security, New Jersey City University, NJ 07305, USA, jbrickley@njcu.edu
Md L. Ali, Computer Science and Physics, Rider University, NJ 08648, USA, mdali@rider.edu
Kutub Thakur, Professional Security Studies, New Jersey City University, NJ 07305, USA, kthakur@njcu.edu
2022 IEEE World AI IoT Congress (AIIoT) | 978-1-6654-8453-4/22/$31.00 ©2022 IEEE | DOI: 10.1109/AIIOT54504.2022.9817163

Abstract—This paper dives into the growing world of IoT botnets that have taken the world by storm in the past five years. Alone, an IP camera cannot produce enough traffic to be considered a DDoS, but a botnet of over 150,000 connected IP cameras can generate as much as 1 Tbps in traffic. Botnets catch many by surprise because their attacks and infections may not be as apparent as a DDoS; other cases include using these cameras and printers for extracting information or quietly mining cryptocurrency at the IoT device owner's expense. Here we analyze the damage done by IoT hacking and define botnet architecture. An overview of the Mirai botnet and of cryptojacking is provided to better understand IoT botnets.

Keywords— DDoS, Internet-of-things, IoT, Security, Botnet, Cryptojacking, Mirai

I. INTRODUCTION

Internet of things, or "IoT", has been a popular term used to categorize physical devices and things that collect and facilitate the exchange of data. These devices and networks are widely used on a consumer and industrial level, from agriculture to home appliances. IoT examples include smart light bulbs and outlets that can have user functions sent to the device and, on a larger scale, a commercial operation of cameras and motion sensors as part of a building's general security. Aside from the designed task of these devices, like cameras being used to record and write footage, many run some form of Linux and are connected to servers and home networks. The web of connections created by these devices, such as cameras and other consumer electronics, can span into a global network of hundreds of thousands of devices that, if left unconfigured, can fall victim to exploits conducted by the hacker. This paper explores some of the features and functions of Mirai and how the DDoS environment has made IoT the new normal in hosts that are viable for creating floods. Since 2016 Mirai has been studied greatly and has consequently caused new variants to be released, such as Anime and Qbot. Many of the attacks and variants being created have included cryptomining malware, reflecting the growing popularity of mining functions in new malware.

II. IOT HACKING

IoT hacking can take numerous forms depending on the physical device capabilities and hardware. Targeted attacks can be categorized as shown in Table 1.

TABLE I. TYPES OF IOT HACKING

Type            Effects
Physical Harm   A scenario of this attack can be disabling medical devices like pacemakers or controlling a car's intelligent driving controls to steer the end user out of control.
Data Theft      Using IoT devices to escalate privilege and gain sensitive data; with cameras one can actively view the feed being recorded, or use printers to view documents in the queue.
Device Control  This can range from binary controls like turning a device on or off to the extent of infecting a device to be part of a botnet that can carry out DDoS attacks and use device hardware to mine cryptocurrency.
Shutdown        The option to cause damage to a system with the intent of breaking the device, often through overclocking and overheating.

Fig. 1. Mirai botnet architecture

IoT hacks and exploits vary in severity, from organized botnets that can carry out various attacks to fatal plans to disable life support systems. To carry out any of these attacks one must gain control of the device or create a botnet of the identified IoT devices. Most notably, these attacks have taken many targets by surprise with the size of the flood coming from such weak hosts, IoT devices. In 2016 a spree of massive DDoS attacks targeted Krebs on Security, a security news and investigative journalism site, which documented an initial attack of 620 Gbps, traffic recorded as some of the largest attacks documented by the site [1]. This attack was launched by thousands of weak hosts, unlike previous DDoS attacks carried out by hacked computers; a botnet of this size was unseen before and arguably was the start of fame for the Mirai malware. IoT devices have a range of use cases, from small home lighting capabilities to larger scaled security and monitoring projects; this range of severity is what makes botnet malware so destructive, as the core vulnerability is a pair of "login" and "password" values which, if not changed from the default, leave a door open to all hackers. IoT vulnerabilities go outside the scope of DDoS and were often used for their company-specific exploits before the rise of Mirai. The discovery and buzz around IoT vulnerabilities and exploits began to pick up traction beginning in 2010 and would see the frequency of IoT journal articles almost triple by 2013 [2]. Among the older vulnerabilities that brought attention to security flaws in IoT networks was CVE-2014-8361 in Realtek devices, which would fail to "sanitize" user inputs and allow arbitrary code to be executed in New Client Requests via remote connections, thus leading the attacker to root level privileges. This was the nature of some of the early attacks and exploits used; however, these plugin exploits became outdated in 2016 with the rise of botnet malware capable of sending 1.1 Tbps of traffic from ~150k IP cameras, taking out French cloud service provider OVH [3]. Mirai is one of the largest known IoT malwares and has been the root of many variants, becoming "a new normal of DDoS attacks" [1]. To understand the nature of these attacks and draw comparison between the different variants created in botnet malware, the process starts by taking advantage of flaws in IoT device security and actively propagating to weakly configured devices.

III. MIRAI BOTNET ARCHITECTURE

Mirai and its origins date to August of 2016, when it first surfaced, followed by a spree of DDoS attacks on Krebs, OVH, Dyn, and Liberian Lonestar. Many variants rooted from this and made IoT devices the standard for DDoS hosts. Although there were predecessors to Mirai such as BASHLITE and Carna, Mirai made a name for itself with these high-profile attacks and its upgraded features. There are four main components to the Mirai botnet that allow for monitoring and executing attacks from the botnet. The architecture of the network can be modified depending on the machines involved, but the Mirai botnet model is based on a client-server model. In Kumar and Bhama's paper on detecting and confronting IoT DDoS attacks, they successfully set up a controlled Mirai botnet using a virtual private server rented from AWS Lightsail [4].

A. Mirai Botnet Setup

1) Bot: The bot is the malware itself, Mirai, which contains some of the malware's contents like the dictionary of default user-password inputs and brute force abilities. The bot's main function is to infect and report to the C&C server to see if the loader will be required to load Mirai on the new device.

2) Command and Control Server (C&C): Provides the hacker or botmaster with an interface that reports on the botnet's state and where one can set up floods or execute cryptocurrency mining, known as cryptojacking.

3) Report Server: The report server is used between Mirai and the loader to log the already infected devices and report the botnet's status and statistics to the C&C server.

4) Loader: The loader is responsible for loading the Mirai malware or variant into the IoT device picked up by the scanner. The report server and C&C server work together to initiate the loader if the device is newly detected, so that it becomes part of the botnet. The two common routes hackers take when starting are deciding whether to utilize the botnet for flooding or for cryptojacking; both can be done with Mirai's default features.

B. Maintaining the Integrity of the Specifications

When all components are configured to begin creating a botnet, the botmaster can decide on what and whom to scan, but by default the malware will begin port scanning of Telnet port 23, SSH port 22 and HTTP port 80 [4]. Mirai does have a hard-coded IP blacklist: the US Postal Service, the Department of Defense, the Internet Assigned Numbers Authority, General Electric, and Hewlett-Packard are excluded, to avoid government detection. When Mirai identifies a potential victim IoT device it will start a brute force login attempt using its included list of 62 pre-configured default credentials or a user-set dictionary list. Table 2 includes the topmost common username and password credentials that were used to gain access to the first IoT device. Many are not only weak passwords but are also left configured with default passwords [5]. Upon successful login, Mirai will log the credentials in the report

server and leave the rest up to the botmaster, who can move from there to further expand his network or explore some of the devices' data. Fig. 1 shows what an already established botnet architecture will look like; the process changes after the first infected bot, and this is what makes Mirai so infamous, as it has great self-propagating features to build the botnet larger.

TABLE II. TYPES OF IOT HACKING

Top 10 Used Login Credentials in IoT Attacks

Login        Login
root         root
admin        admin
test         test
access       access
DUP root     DUP root
DUP admin    DUP admin
ubnt         ubnt
oracle       oracle
postgres     postgres
pi           pi

Fig. 2. Mirai's default DDoS attack list

1) Mirai Botnet Operation Process: The Mirai botnet operation process consists of the following:

• When the bot detects a new victim, it will asynchronously infect it and continue scanning for more devices to test within the network.
• When the device is successfully logged into by Mirai, it will send the IP and credentials to the report server. From here the report server stores the information of what worked; the report server will also check whether to initiate the loader if the discovered device is new.
• If the IP address is new to the botnet, it will initiate the loader, which will load the malware onto the new victim device. Once shell access has been created using the reporter's stored credentials, Mirai will send the IP address to the loader and store any other device information in the report server; this includes hardware architecture and other information to make the malware efficient [1].
• When the loader has finished loading the Mirai malware, the information is shown in the C&C server as a new bot. The loader continues to scan the listed IP address to ensure reinfection if it gets rebooted. The loader instructs the device to download and execute a corresponding binary version of the Mirai malware via GNU Wget or Trivial File Transfer Protocol (TFTP). Once loaded, the device will start by killing processes run on Telnet and SSH, which means closing ports 22 and 23. Additionally, Mirai will kill processes that are associated with competing malware and Mirai variants like .anime and Qbot [1].
• The botmaster or attacker will begin to see his bot farm's status populate as Mirai spreads; this then allows control of the botnet from the C&C server. From here one can control what to do with the botnet. Various flood capabilities are included in Mirai: UDPPlain, HTTP, UDP, VSE, DNS, SYN, ACK, STOMP and GRE-IP are executable from the attack file [5].
• The bots will receive instruction and start attacking the targeted server. This can also take a different route, that being launching discreet crypto mining code to use the device hardware to mine cryptocurrency [7]. Figure 2 includes Mirai's default DDoS list that comes with the malware, from which the attacker can choose the attacks to execute [9].

2) Mirai DDoS Botnets Popularity: In Antonakakis' [8] study on understanding the Mirai botnet, the researchers find that Mirai is a variant of BASHLITE, which was a DDoS malware that preceded Mirai's established standard after its first large scale attacks. BASHLITE began to drop when Mirai was released, due to the 62 username/password pairs that came with the new malware as opposed to the 14 generic passwords stored in BASHLITE. Additionally, Mirai included credentials specific to consumer routers and IoT devices and contained a much faster and more efficient scanner to seek more vulnerable devices to add onto the botnet. Years after these attacks, Mirai continues to be researched and referenced as a root malware of many of the newer variants being developed. However, recent studies that reference Antonakakis found that less than 25% of bots included a Mirai signature when examining recent Internet scanning data provided by Censys and Shodan [8].

However, Mirai's nature is to close ports to prevent discovery by competing malware and, in this case, to prevent discovery by search engines and

IV. CRYPTOJACKING

Cryptojacking is the criminal side of cryptocurrency mining, where attackers infect a user device, often to mine Monero coin (XMR), though it can be configured to mine whatever the attacker desires. The start of cryptojacking came when Coinhive launched a web service to mine XMR in the browser while the user is on the site; this would be replacement revenue for adware, which is becoming harder to profit on with the popularity of adblockers. The Coinhive script would run in the background and would end at the end of a browser session. This was able to be exploited when criminals were able to include the script in a variety of websites. Cybersecurity firm AdGuard reported that at least 220 of the top 100,000 sites launched miners when users opened the main page.

However, this number is minuscule compared to the magnitude of the entire internet, but it is enough to have reached an estimated 500 million people. AdGuard's estimate put the revenue, or profit, in this case, as Coinhive's script comes at no cost to the attacker, at around $43,000 in three weeks. Cryptojacking has lots of potential, with different types of miners being created to support new coin ecosystems that may rely on different hardware, such as relying on storage space and hard drives in the case of Chia coin. The attacks quickly took to hackers' liking: McAfee reported a 629% increase in coin mining malware in the first quarter of 2018, all not too long after the release of Coinhive's script. The sample size grew from 400,000 in Q4 2017 to 2.9 million in Q1 2018 [7].

The profit that can be reached largely depends on two things: the size of the botnet, or its hash rate, and the amount of time the miner is undetected. In cases of home computers being infected it is hard to see fast profits, as it can be hard to find a target machine with a performance-oriented CPU or GPU. Attackers resort to searching for viable IoT devices that have mining capabilities. IoT botnets running crypto malware can go undetected, as the attacker can optimize the power being used and can choose to mine steadily at a rate of low detection, or the opposite.

V. IOT BOTNET DETECTION AND MITIGATION

Botnets continue to grow in popularity and size as more devices are turned on and put into use on the internet. To prevent infection and actively work on securing IoT devices, users should consider applying the same level of importance to IoT security as they would to their server or home network. As previously mentioned, the infection does not need to be apparent or malicious, as cryptojacking can be done "harmlessly" and is meant to be undetected. To better secure IoT devices and detect botnets there is a limited number of resources, but it all really starts with the basic configuration of the IoT device, changing it from all default settings. Detecting the IoT botnet can be broken down into four methods and an experimental approach that is discussed in Al-Duwairi et al. [10] on SIEM-based detection and mitigation of IoT botnets.

A. Anomaly-Based

As the name suggests, this approach is based on recognizing instances of malicious behavior on the network. This is done by first having a saved store of normal network behavior; this has led to the development of experimental catchers like AutoBotCatcher, which utilizes blockchain to detect decentralized peer-to-peer (P2P) botnets [9, 11]. This catcher uses the concept of looking for communities in botnets and correlating them with a block explorer. In the case of cryptojacking this can be implemented by finding the target wallet address and noticing patterns in which devices and botnets are sending mining rewards to said address. This can be further followed with a public block explorer for said cryptocurrency, such as XMR. A block explorer can track the block and address to create a match to the owner of the botnet and wallet.

B. Signature-Based

Detecting botnet signatures that are stored in the system database can help trace the attacker. However, many of these malwares close ports to evade detection; a proposed solution uses an Intrusion Detection System to monitor the network for malicious activity or policy violations. Like the previous method, the IDS detector works by logging network traffic and comparing it with known attacks, be they previous ones on the network or known ones that other networks have experienced, which would be supplied by the vendor [12].

C. Specification-Based

This shares some similarities with the anomaly-based approach, but instead of focusing on the attack logs it draws focus on the malware's communications and binary. Each malware, whether it is a variant or new malware, will have a custom format, and each C&C server will similarly have its own protocols, but using this sampling one can gain information on the structure and intent of the malware.

D. Hybrid-Based

This approach takes anomaly- and signature-based approaches, or anomaly and specification, to gain better detection and lower false positive rates. SIEM-based solutions are being studied more and are like the hybrid approach, where the enterprise can look at and create logs of known attacks to detect an expected attack rather than react to an ongoing attack. The results of these events indicate if a security incident has occurred; the SIEM software includes parsing, indexing, and storing of data in search of abnormalities and misuse [13-14].

VI. CONCLUSION

Botnets increase in popularity as many malwares make it easy for the attacker to look for targets, automatically secure them, and continue infecting more to be part of the growing botnet. As a botmaster one has a growing number of capabilities with the bots they infect, depending on the size and power that can be created; one can use these botnets to mine cryptocurrency for great profits if undetected or cause DDoS floods of all kinds. Behind the source code and attackers, the real issue and what allowed the rise of Mirai and its successors is the absence of best practices surrounding IoT devices. Though the threat and IoT population grow, Mirai and IoT malwares should be seen as legitimate threats that need solutions from stakeholders and

academics that are concerned by the infinitely growing IoT environment.
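The per-bot scanning and reinfection behaviour described in Section III.B (each bot probing Telnet 23, SSH 22 and HTTP 80 on many hosts) and the anomaly-, signature- and hybrid-based approaches of Section V, as one added worked example that is not code from the paper: constructed connection records stand in for an hour of flow logs, and the per-host history and the thresholds (20 targets on Mirai's default scan ports, 3 standard deviations) are illustrative assumptions.

```python
"""Signature-, anomaly- and hybrid-based detection of Mirai-style propagation.

Added example, not code from the paper. It assumes connection records of the
form (timestamp_seconds, src_ip, dst_ip, dst_port, outcome) covering one hour,
plus a per-host history of distinct destinations contacted per hour. Hosts,
records and thresholds are constructed for illustration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Ports the paper says Mirai's scanner probes by default (Telnet, SSH, HTTP).
MIRAI_SCAN_PORTS = {23, 22, 80}

# Constructed hour of records:
#   10.0.0.5  camera that has started probing 50 external hosts on 23 and 22
#   10.0.0.9  workstation talking to two web servers (normal)
#   10.0.0.7  NAS pushing backups to 30 internal hosts on 445 (normal for it)
#   10.0.0.12 host with no history at all, contacting three HTTPS servers
RECORDS = (
    [(t, "10.0.0.5", f"198.51.100.{i}", 23, "SYN") for t, i in enumerate(range(1, 41))]
    + [(t, "10.0.0.5", f"203.0.113.{i}", 22, "SYN") for t, i in enumerate(range(1, 11), 40)]
    + [(0, "10.0.0.9", "93.184.216.34", 443, "SYN"),
       (1, "10.0.0.9", "93.184.216.34", 443, "SYN-ACK"),
       (2, "10.0.0.9", "151.101.1.69", 80, "SYN")]
    + [(t, "10.0.0.7", f"10.0.1.{i}", 445, "SYN") for t, i in enumerate(range(1, 31))]
    + [(t, "10.0.0.12", f"192.0.2.{i}", 443, "SYN") for t, i in enumerate(range(1, 4))]
)

# Constructed history: distinct destinations per hour on previous days.
BASELINE = {
    "10.0.0.5": [1, 2, 1, 1, 2],        # a camera normally talks to its NVR/cloud only
    "10.0.0.9": [12, 15, 9, 11, 14],
    "10.0.0.7": [25, 30, 28, 27, 26],   # high fan-out is the NAS's normal behaviour
}

def fanout(records, ports=None):
    """Count distinct destinations per source, optionally only on the given ports."""
    dsts = defaultdict(set)
    for _, src, dst, port, _ in records:
        if ports is None or port in ports:
            dsts[src].add(dst)
    return {src: len(d) for src, d in dsts.items()}

def signature_detect(records, min_targets=20):
    """Signature rule: one host probing many distinct hosts on Mirai's scan ports."""
    return {s for s, n in fanout(records, MIRAI_SCAN_PORTS).items() if n >= min_targets}

def anomaly_detect(records, baseline, sigmas=3.0):
    """Anomaly rule: fan-out above the host's own mean + sigmas * stddev.

    The +1 keeps a host with a flat history from being flagged by a single extra
    destination; a host with no history at all is treated as anomalous.
    """
    flagged = set()
    for src, n in fanout(records).items():
        hist = baseline.get(src)
        if not hist or n > mean(hist) + sigmas * pstdev(hist) + 1:
            flagged.add(src)
    return flagged

def hybrid_detect(records, baseline):
    """Hybrid rule: both detectors agree -> 'infected'; only one fires -> 'review'."""
    sig, ano = signature_detect(records), anomaly_detect(records, baseline)
    return {src: "infected" if src in sig and src in ano else "review"
            for src in sig | ano}
```

The NAS is not flagged because the anomaly baseline is per host, which is what keeps the hybrid rule's false positives below those of the signature rule used alone.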
REFERENCES

[1] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein, J. Cochran, Z. Durumeric. "Understanding the Mirai botnet." In 26th USENIX Security Symposium (USENIX Security 17), pp. 1093-1110, 2017.
[2] D. Xu, L. W. He, and S. Li. "Internet of things in industries: A survey." IEEE Transactions on Industrial Informatics 10.4 (2014): 2233-2243.
[3] K. Constantinos, G. Kambourakis, A. Stavrou, and J. Voas. "DDoS in the IoT: Mirai and other botnets." Computer 50, no. 7 (2017): 80-84.
[4] C. U. Om Kumar and S. Bhama, 2019. Detecting and confronting flash attacks from IoT botnets. The Journal of Supercomputing, 75(12), pp. 8312-8338.
[5] A. Shiler and E. Stepanova. "Complex security problems of the internet of things." MATEC Web of Conferences. Vol. 265. EDP Sciences, 2019.
[6] H. Tuttle. "Cryptojacking." Risk Management 65.7 (2018): 22-27.
[7] E. Bertino and N. Islam. "Botnets and internet of things security." Computer 50.2 (2017): 76-79.
[8] M. Pour, A. Mangino, K. Friday, M. Rathbun, E. Bou-Harb, F. Iqbal, S. Samtani, J. Crichigno, and N. Ghani. "On data-driven curation, learning, and analysis for inferring evolving internet-of-Things (IoT) botnets in the wild." Computers & Security 91 (2020): 101707.
[9] G. Sagirlar, B. Carminati, and E. Ferrari. "AutoBotCatcher: blockchain-based P2P botnet detection for the internet of things." 2018 IEEE 4th International Conference on Collaboration and Internet Computing (CIC). IEEE, 2018.
[10] B. Al-Duwairi, W. Al-Kahla, M. A. AlRefai, Y. Abdelqader, A. Rawash, and R. Fahmawi, 2020. SIEM-based detection and mitigation of IoT-botnet DDoS attacks. International Journal of Electrical & Computer Engineering (2088-8708), 10(2).
[11] K. Thakur, M. L. Ali, N. Jiang, and M. Qiu, 2016, April. Impact of cyber-attacks on critical infrastructure. In 2016 IEEE 2nd International Conference on Big Data Security on Cloud (BigDataSecurity), IEEE International Conference on High Performance and Smart Computing (HPSC), and IEEE International Conference on Intelligent Data and Security (IDS) (pp. 183-186). IEEE.
[12] S. Schmeelk, K. Thakur, M. L. Ali, D. M. Dragos, A. Al-Hayajneh, and B. R. Pramana, 2021, December. Top Reported Data Security Risks in the Age of COVID-19. In 2021 IEEE 12th Annual Ubiquitous Computing, Electronics & Mobile Communication Conference (UEMCON) (pp. 0204-0208). IEEE.
[13] V. Gorbach, M. L. Ali, and K. Thakur, 2020, September. A Review of Data Privacy Techniques for Wireless Body Area Networks in Telemedicine. In 2020 IEEE International IOT, Electronics and Mechatronics Conference (IEMTRONICS) (pp. 1-6). IEEE.
[14] L. Li, K. Thakur, and M. L. Ali, 2020, September. Potential Development on Cyberattack and Prospect Analysis for Cybersecurity. In 2020 IEEE International IOT, Electronics and Mechatronics Conference (IEMTRONICS) (pp. 1-6). IEEE.
