Mirai, The Infamous Internet of Things Army, Can Now Mine Bitcoin

A new version of an infamous botnet has been detected – and this version is equipped to mine bitcoin.

AccessTimeIconApr 10, 2017 at 1:00 p.m. UTC
Updated Sep 11, 2021 at 1:13 p.m. UTC

Remember that Internet of Things botnet? The one known for temporarily shutting down a number of the world's largest websites last autumn?

Well, a newer version has been detected, but as well as being able to issue DDoS attacks and the like, it's equipped to mine bitcoin.

In the digital age, it's possible for hackers to infect and take control of insecure Internet of Things (IoT) devices, say, toasters, cameras or other web-connected devices. They can then bundle them together into a botnet, using their combined capacity to shoot spam at websites or internet structures, slowing them down or sending them offline.

That's what happened in a series of attacks in the fall, using the malware dubbed Mirai.

The software was open-sourced soon after – much to the dismay of security engineers – and, since then, different strains iterating on the first version of the botnet have cropped up with added abilities.

One strain, known as ELF Linux/Mirai, has now been detected mining bitcoin for a few days, according to research from IBM X-Force, the Big Blue's cybersecurity research wing. It seems some unknown hacker (or hackers) is experimenting with using the power accumulated from IoT devices to mine the digital currency and possibly make some cash.

This could be an omen for future IoT botnet use cases, argued Dave McMillen, IBM Managed Security Services senior threat researcher and author of the report.

McMillen told CoinDesk:

"This ELF/Mirai variant could be appealing to others in the future due to the potentially large volume of devices that could be involved."

The researcher noted, however, that, the botnet didn't appear to successfully mine any bitcoin. The security team see it more like a peek at a down-the-road possibility.

Mining 'blip'

So, what happened, and how did IBM spot the mining component of the botnet?

McMillen explained, saying:

"We detected a spike in command injection activity in our IBM X-Force monitored client environment data that prompted deeper investigation."

The security team saw traffic related to an ELF 64-bit binary file., which the report describes as beginning as a "blip", which grew in volume by 50%, but had fizzled out by day eight.

The team "dissected" the binary to discover that the Linux version of the malware is similar to the more typical Windows version.

"It was detected as a slave miner by multiple tools, however we are still investigating other properties of the variant," McMillen added.

While there are now many variants of the botnet, ELF Linux/Mirai has extra abilities in that it can execute 'SQL injection' (a notorious way to take control of databases) and execute so called 'brute force' attacks.

But, the Linux version has an extra add-on – the bitcoin miner component (which you can see online here).

Future threat?

IBM speculates in the report that the botnet creators may be looking for a way to make bitcoin mining with compromised IoT devices a lucrative venture.

"Realizing the power of Mirai to infect thousands of machines at a time, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven't yet determined that capability, but found it to be an interesting yet concerning possibility," a blog post explains, adding:

"One scenario could be that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode."

Although this idea is admittedly speculative, the report points to the fact that bitcoin has been used for other cybercrimes – such with ransomware, which encrypts all of a user's computer data with a demand for payment – because it's decentralized and is perceived as a more privacy-enhancing currency.

The tech can have more beneficial uses cases, though. For example, one company recently revealed aims to build a bitcoin botnet to help secure IoT devices, combining the cryptocurrency with technology also has the potential for less beneficial online activities.

Simple defense

So, how can users protect their internet-connected toasters from being enlisted as a bitcoin mining slave?

The Mirai malware exploits a surprisingly simple attack vector.

The problem is that many IoT devices come with pre-installed passwords. And, since many users never change them, all an attacker needs to do is find the default password to 'hack' into the devices.

McMillen’s advice is for users to change those passwords. Though, he said that he hopes that IoT companies are beginning to tackle the problem, too.

He concluded:

"Manufacturers could be looking for ways to manage these credentials more securely, perhaps by prompting a forced change or randomizing the default logins."

Army computer via Shutterstock


Please note that our privacy policy, terms of use, cookies, and do not sell my personal information has been updated.

CoinDesk is an award-winning media outlet that covers the cryptocurrency industry. Its journalists abide by a strict set of editorial policies. In November 2023, CoinDesk was acquired by the Bullish group, owner of Bullish, a regulated, digital assets exchange. The Bullish group is majority-owned by Block.one; both companies have interests in a variety of blockchain and digital asset businesses and significant holdings of digital assets, including bitcoin. CoinDesk operates as an independent subsidiary with an editorial committee to protect journalistic independence. CoinDesk employees, including journalists, may receive options in the Bullish group as part of their compensation.