Mirai – The Botnet of Things

Mirai – The Botnet of Things

The dynamic of the Internet of Things shows us the daily progress of digitalization. More and more devices are connected to the Internet, providing users comfort and efficiency. The market is constantly filled with new devices and the variety of functions attracts many users. Today, there is already a huge network of data, servers and connected intelligent devices – which, however, represents a new and above all enormous target for cyber criminals due to the unconsidered security vulnerabilities of smart devices.

The malware Mirai took advantage of this weakness: In October 2016, the botnet virus became widely known for the first time due to the largest DDoS attack ever launched, targeting the DNS provider “Dyn”. As a result, the websites and services of many international companies, including Amazon, Netflix and Spotify, were unavailable for a long time. For businesses, this can mean a loss of millions. What exactly is the story behind the malware that exploits the weaknesses of technological progress?

The origin of the Mega Botnet

2016 wasn’t the first time such an IoT botnet “hit” the market: according to independent security journalist Brian Krebs from krebsonsecurity.com, there have been Mirai-like predecessors since 2014, known as Bashlite, Gafgytm, QBot, Remaiten and Torlus. The Botcode of Mirai was created from the improved codes of its forerunners, compiled by several developers. It was finalized by a group of hackers who joined forces in 2014 and started DDoS attacks on competing Minecraft servers under the pseudonym “lelddos”, using the Mirai Botnet to slow them down or take them off the Internet, which cost their operators a lot of money.

Mirai has been designed to eliminate malware from already infected IoT devices and eventually takes it over itself. Affected devices, again, looked for other vulnerable devices to take over. Due to the growing number of IoT products controlled by Mirai, the botnet became more extensive and hackers attempted larger targets. In September 2016, the French hosting company OVH suffered a DDoS attack with a total capacity of up to 1.5 terabits per second.

Shortly after that attack, one of the co-developers Mirais, published the source code of the malware online under the name “Anna-Senpai”. Thus, the author enabled many hackers to copy and further develop the code. The release led to a rapid increase in imitators operating their own Mirai botnets. This eventually ended in an attack on Dyn’s server just a month later. Due to the amount of new variations of Mirai, tracing those responsible became much more difficult. But only a few weeks after that, the FBI tracked down three young Americans.

On the 5th of December 2017, the hackers pleaded guilty in court in Alaska for developing the malware and merging it into a botnet to harm companies and “other targets”. According to the court documents, the cybercriminal group also planned to earn money with its own DDoS-as-a-Service offer and racketeering. To avoid a prison sentence, the 21- and 22-year-olds agreed to assist the FBI in solving complex cybercrime investigations. Nevertheless, the sentence included a five-year suspended sentence, 2,500 hours of community service, and $127,000 in refunds. Even though, the criminal malware developers are now kept in check, the malware code still exists and can be reused, converted and improved by other hackers.

The Return of Mirai

In March 2019, security experts discovered a new type of Mirai, which is aimed primarily at IoT devices within companies. Cybercriminals expect this to increase their attack power even more as they gain access to greater bandwidth over corporate networks. The new Mirai version contains several more features, including 11 additional exploits, bringing the total number of exploits of the malware to 27. These additional features give the program an even larger attack surface. The malware spreads primarily through presentation systems, smart TVs, routers and IP cameras.
Companies are advised to change the credentials of the implemented IoT devices and to consider the security of these devices in their IT security strategy as well.

This development shows the uncertainty IoT devices face in the digitized world – the security factor is essential for businesses and users. A study by the Berkeley School of Information and the Center for Long-Term Cybersecurity (CLTC) identified the total cost for consumers caused by a hack of a smart device and additional power consumption when that device is involved in a cyberattack: For example, the combined costs of the attack on Dyn in October 2016 amounted to around 115,000 dollars for IoT users. In a worst-case scenario, the calculator results in a sum of about 68 million dollars, about 100 dollars per user, for a DDoS attack involving 600,000 IoT devices.

The rise of DDoS Attacks

The additional attack surface, which results from the very weakly protected Internet of Things, is also reflected in the increasing number of DDoS attacks on companies.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.

Whereas three years ago, there were still around 9,000 attacks per quarter on corporate infrastructure and servers in the German-speaking area, attacks increased year by year.
In the 1st quarter of 2019, there were already 11,177 DDoS attacks registered in Germany, Austria and Switzerland alone. But not only the number of attacks is on the upswing, the volume is also growing significantly. According to the Link11 DDoS Report Q1 2019, the largest DDoS attack in German-speaking countries reached a volume of 224 gigabits per second. With an increase of 70 percent compared to the same period last year, the average of the middle range of this quarter was already 3.8 Gbps. The Internet of Things is contributing significantly to the increased performance of attacks – a fact that takes cyber security to a new level once again.

Experts interview: Dr. Yvonne Bernard about Artificial Intelligence

Experts interview: Dr. Yvonne Bernard about Artificial Intelligence


Currently the topic of artificial intelligence dominates every discussion about digitization. As a former researcher on open systems and trust- and security mechanisms, this development has prompted our Head of Product Management Dr. Yvonne Bernard to take a closer look. In her recently published article „AI – the same procedures as last century?“ she provides a view behind the current hype. In the following interview with Yvonne, we will explore the background of this innovative technology, take a look at the implementation of artificial intelligence in an entrepreneurial context, and in conclusion discuss its potential in IT security.


So, what made you decide to take a further look at AI?

Especially in recent years, I have seen an enormous increase in AI technologies applied and – perhaps more importantly – advertised by technology companies and vendors around the world.
Since I have been dealing with this topic in research and teaching for several years, I was really curious: Have the mechanisms that I used and taught at Leibniz Universität Hannover developed further? Basic research takes up to 20 years, as they say, to be separated (if at all) from basic research in business-relevant technology, but to be honest, some of the features we used back then, such as artificial neural networks, were already older than me.


If you say this technology has been around for decades, why is it actually being applied just now?

Nowadays, what makes the implementation of AI technologies really worthwhile is the possibility to store and process large amounts of data and to adapt the processing schemes if necessary. Big data doesn’t mean storing everything and then looking at what you do with it: you have to think about data types in order to calculate efficiently and effectively on the basis of these data volumes. Also, the promotion of these technologies, which have been in use for years, has of course made its contribution to the hype. Furthermore, the growing number and quality of libraries that are available to the public and not only to researchers is a further aspect. You don’t have to spend much time looking for suitable software or frameworks to realize your AI ideas in functional code. Frameworks such as TensorFlow, Caffe and CNTK can be mentioned here. Thus, AI is increasingly used for the fast and (nearly) optimum solution of real problems.

Hornetsecurity News

Stay in touch

Sign up to get the latest News about Cloud Security.


What has made the use of AI possible in companies and what is the necessity?

As already mentioned, the increasing number and quality of libraries and the possibility to work with large amounts of data are the main growth drivers of the use of AI in the business environment. In addition, completely new and additional techniques such as supervised machine learning can be applied. In this case, a certain amount of the available total data is used, which is assumed to be very similar to the data for which the algorithms are trained for. An “unlearning” of desired characteristics is thus to be excluded.
To compare: In research laboratories, it is always important to make sure that the algorithms to be applied are well parameterized and suitable for the targeted data set. In business life one often does not want to and cannot spend this time to evaluate every possible parameter set. Moreover, a learning algorithm that learns something unexpected is great for a researcher but cannot be tolerated in business.


In which industries and processes do you see the greatest opportunities for the application of artificial intelligence?

It is safe to say that AI will not be the only solution to each of today’s problems. But there are areas where AI techniques are easier and more accessible than ever, and nothing should prevent developers and system developers from using the former pure research technology in any way that helps them find a good (or if possible the best) solution to their real problems. I would like to emphasize that – also at Hornetsecurity – many procedures from the quantity of AI methods have already been used successfully for years. In the past, however, such techniques were not advertised consciously, whereas today AI is perceived as a quality criteria or at least as an innovation. In general, the application is generally widespread in the area of optimization procedures and is also recommended, since simple heuristics are often not sufficient in terms of quality, but the determination of the optimal solution would not be possible in the desired time due to the complexity of processing times. Suitable learning methods can achieve excellent results in a short time – if you know how to use them wisely. Optimization processes can be found in almost all industries.

And finally: Do you think that artificial intelligence will influence and change IT security?

Yes, absolutely, but in both ways: Not only security research, but also attackers will increasingly use the accessibility of these technologies. With our comprehensive understanding and many years of experience in this field of algorithms, Hornetsecurity is well prepared for this “Arms Race”.

Hornetsecurity receives millions for global growth plans

Hornetsecurity receives millions for global growth plans

Since Hornetsecurity was founded, its sales have gone in only one direction – up. The company is looking to quadruple by 2021.


With an enormous annual growth rate of more than 50%, cloud security provider Hornetsecurity is the market leader in Europe and is now getting ready to enter the U.S. market. The company is the front runner not just in growth figures, but in technology too: Released less than one year ago, the latest product, Advanced Threat Protection, now protects one in every ten users against new threats. These successes have not gone unnoticed.


New investor climbs onboard


“In just one year, the company has developed a new product and successfully established it on the market,” states Hans-Christian Semmler, CEO of HCS Beteiligungsgesellschaft, a holding firm that has invested millions in the company. “Seldom have our analysts seen such fine-tuned workflows, processes and advanced technology,” he continues. Existing investors Verdane Capital and High-Tech Gründerfonds also back the company with sums in the seven-digit range. With these investments, Hornetsecurity will extend its global reach.


“The InvestImpuls funds have achieved their goals, establishing a strong security provider on the market that gives generous returns,” explains Dr. Bert Brinkhaus from EnjoyVenture, fund manager for the Hanover-based fund. As an early-stage investor, the company will now pull out, taking the capital it has generated to help another young technology company get off the ground.


Hornetsecurity already enjoys international success


Over 20 percent of new orders already stem from countries outside the German-speaking region, and the company is now looking to tap the US market to boost this figure significantly.


To prepare for this coming growth, Hornetsecurity has already doubled its staff within one year. “We are well prepared,” says Daniel Hofmann, Managing Director of Hornetsecurity. The aim is to increase the technological lead over the competition. “With this additional staff we want to speed up the development of our current 14 technology projects,” explains Hofmann.

A decade of skyrocketing hornets

A decade of skyrocketing hornets

Hornetsecurity is celebrating! Founded under the name antispameurope ten years ago, the company has been considered as the absolute expert and pioneer in the area of cloud security for many years. Since 2007, Hornetsecurity has genuinely set a record for vertical ascent: The company has now expanded to more than 100 employees and secures data traffic for more than 35,000 companies in over 30 countries worldwide, including numerous renowned names like Dekra, Melitta or Konica Minolta.


It’s a success story made in Hannover, Germany: When Daniel Hofmann and Oliver Dehning founded the company in the summer of 2007, they gave the starting signal for a company that today plays a major role in the German IT security landscape. With a wide range of products in the area of email and web security, Hornetsecurity provides its customers with comprehensive security. The high quality of the solutions combined with an excellent service concept practiced by all employees has meant that the company has been able to enjoy two-digit growth figures for years.


This success should increase even more over the coming years. To this end, Hornetsecurity is steadily investing in new products and markets. But first comes the celebration: Hornetsecurity has invited sales partners, investors and company friends to join them over a period of two days. Visitors will have the opportunity to tour the offices at an open house before a celebration of the company anniversary in the evening, together with employees. Hornetsecurity will hold the Partnerdialog on the following day, an sales partner event which once again promises to have a record numbers of participants. Since the company was founded, the annual event has served as a springboard for intensive information exchange with the sales partners.


“We are very proud of what we have built up over the past ten years,” says Daniel Hofmann, one of the founders and managing directors of Hornetsecurity. “But this still doesn’t mean we can rest on our laurels. On the contrary: We also want to develop Hornetsecurity into one of the most important security providers on the international IT market.”


Encrypted connections – yes or no?

Encrypted connections – yes or no?

Security has become a major issue for everyone by now. Be it security in your own country, at home, or in daily communication via the Internet. When we feel safe, we can go about our lives without worries. When it comes to daily communication via the Internet, the word “encryption” is frequently heard. Does encryption really provide protection against curious pilferers, or does it merely give us a feeling of safety while cybercriminals use it as a hidden back door?


Encryption explained in simple terms

The encryption of Internet connections has apparently been well received by the public for years already: according to Google, 80 percent of all websites are already protected. Many messaging services also now rely on encrypted communications. But how are data streams encrypted in the first place?


Explained in simple terms: The term SSL/TLS encryption is often mentioned in relation to this topic. Laypersons do not necessarily understand what this means. The term here refers to transport encryption. This means that the data itself is not encrypted, but is transmitted through an encrypted channel. Before the message is transferred, the communicating servers agree on an encryption standard, also referred to as the Cipher Suite. Consideration is always given to the mutually highest encryption standard for the negotiation. The goal is that only these two servers can exchange data with each other.
Whether or not a website offers this kind of transport encryption has been easy to determine ever since the secure hypertext transfer protocol was introduced: If the URL starts with an “https:”, the website is encrypted. Other indicators are a lock and the green mark. If, for example, a user logs onto a website as shown in the displayed image, the entered data is forwarded to the destination server via an encrypted channel that confirms the correctness or the identity of the user.




Source: Amazon


SSL and TLS – which is which?

TLS is the successor to SSLv3. The slightly improved TLS 1.1 version has, however, not been successful on the market. The significantly more relevant 1.2 version, which Hornetsecurity has already been supporting for years, offers decisive added security value with, among other things, Perfect Forward Secrecy (PFS) and the corresponding Cipher Suites (Elliptic Curve, Diffie Hellman), given appropriate and secure server configuration. Hornetsecurity can even restrict TLS communication to Secure Cipher Suites and Trusted Certs to raise the security level even higher.



The 1.3 version of TLS can currently be viewed as a working draft at https://tools.ietf.org/html/draft-ietf-tls-tls13-11. This version is expected to include major changes and improvements in the cryptographic hash functions and the handshaking protocol. From a security point of view, it will be good if TLS 1.3 is distributed more quickly after final release than was the case with TLS 1.2, which has been available since 2008.


The back door for malware?

Data streams encrypted via TLS/SSL thus cannot be viewed by third parties, which makes sense after all. On the downside, this allows the undetected transmission of malicious code, since there is no intrinsic analysis for malware.


To counteract this, so-called SSL scanning can be used. Here the connection is interrupted and a fake server certificate, by which the target server is authenticated against the user’s server, is implanted. This approach is comparable to a man-in-the-middle attack. The problem with this method is that third parties can read the unencrypted content. To ensure the browser does not take this as an attack, a one-time incorporation of the root certificate of the runtime-generated certificate for the requested website in the browser’s trust store is required. This is done automatically in large companies via software distribution. SSL scanning or “https breaking” may constitute a conflict between data security and data protection. If companies intend to use SSL scanning, therefore, they should protect themselves legally in advance.
Very often companies do not use this method of analyzing encrypted connections. On the one hand, for reasons of data protection; on the other hand, the computational effort required has till now been too high and too costly. In recent years, however, the overhead (computational effort) incurred by encrypting and decrypting the data, as well as negotiating the connection parameters for TLS, has been drastically reduced by targeted hardware and software measures.


Originally at a level of up to 20 percent, today, given appropriate configuration, it is in the low single-digit percent range, for example with CPU surplus load.


On the hardware side, more powerful CPUs complemented by appropriate computing operation units (e.g. for AES) are now standard for servers, enabling many decryption operations to be executed in parallel and in a high-performance manner.


Many global software libraries have now enormously accelerated the decryption and reduction of network latency, which, given appropriate server configuration, can significantly reduce the overhead.


The website categorization used in the Hornetsecurity web filter is a secure alternative to SSL scanning. It deliberately refrains from breaking up the encrypted channel, since the fine-grained classification of the websites helps minimize the risk using appropriate policies. All the websites are classified into categories. The basis for this is the user-accessible content on the website. Assigning a website to a category gives it a sort of rating. This rating provides information on whether or not it is a safe website. Based on this rating and the preconfigured policies, the web filter service either blocks the requested website and the user receives a warning page, or it is delivered and displayed.



With the help of the categories and other features, company compliance policies can be implemented at both the user and group or enterprise level. This allows administrators to block certain content or allow the use of social networks only during the lunch break. Hornetsecurity also offers its customers SSL scanning as a supplement to its comprehensive web filter service. IT administrators can activate it on their own.




Encryption is positive and recommendable, in principle. The security aspect, however, should not be neglected, as encrypted connections do not automatically guarantee protection against malware. Encryption poses a threat to companies only when this aspect is given little or no consideration.
It is therefore advisable to regularly examine the encrypted connection and develop a watertight security concept.
While web filter categorization provides options for protecting web traffic even when using encrypted connections, the “https breaking” method can also be used on request. Hornetsecurity offers both methods. Most customers make rather sparing use of SSL scanning, since the fine-grained categorization described above provides significant added value.


Curious? Additional information: