Over the last few weeks, a series of powerful hacker attacks powered by the malware known as Mirai have used botnets created of internet-connected devices to clobber targets ranging from the internet backbone company Dyn to the French internet service provider OVH. And just when it seemed that Mirai might be losing steam, new evidence shows that it's still dangerous—and even evolving.

Researchers following Mirai say that while the number of daily assaults dipped briefly, they're now observing development in the Mirai malware itself that seems designed to allow it to infect more of the vulnerable routers, DVRs and other internet-of-things (IoT) gadgets it's hijacked to power its streams of malicious traffic. That progression could actually increase the total population available to the botnet, they warn, potentially giving it more total compute power to draw on.

"There was an idea that maybe the bots would die off or darken over time, but I think what we are seeing is Mirai evolve," says John Costello, a senior analyst at the security intelligence firm Flashpoint. "People are really being creative and finding new ways to infect devices that weren’t susceptible previously. Mirai is not going away."

Mutating Malware

Flashpoint researchers say that Mirai seems to have been constructed as more of an updating software platform capable of adding new features and components over time rather than a one-off attack—hackers can add more functionality to it and then distribute that new version. That's hardly unprecedented in botnet malware, but requires more resources and sophistication to build. The result is that Mirai's operators can add more devices to its horde of machines that generate waves of malicious traffic—what's known as a distributed denial of service or DDoS attack—without having to build new malware from the ground up. Mirai has begun taking advantage of its properties as a malware "framework,” says Zach Wikholm, a research developer at Flashpoint. “The older type of malware was built for a specific purpose, there was no easy way to expand it. This one’s different and we’re already starting to see an evolution happen. It looks like it’s built for more of a long-term thing.”

Wikholm says Flashpoint has seen indications that hackers have been able to tweak the Mirai malware so it can exploit the same types of IoT vulnerabilities it's been targeting to infect additional products. Mirai compromises devices by taking advantage of the fact that some manufacturers have sold IoT units that all share the same default administrative password, essentially allowing hackers to walk right in. But Mirai has always listed credentials that don't match the devices currently being exploited in addition to listing the ones that do. Now Flashpoint researchers are seeing a new version of the Mirai malware built to connect to devices using these other credentials. Flashpoint hasn't yet been able to trace which devices could be compromised, but the workaround seems clearly aimed at allowing assimilation of new units into the botnet.

Mirai was publicly released as a piece of open-source software in late September by a hacker known as “Anna-senpai,” who claimed he or she had once been able to harness 380,000 IoT devices for Mirai attacks out of an initial population of roughly 500,000. That number dropped to more like 300,000 after the attack on the website of independent security journalist Brian Krebs, because ISPs began "cleaning up their act," as Anna-senpai wrote on Hackforums, blocking malicious traffic from some infected devices. Open-sourcing the botnet made Mirai attacks more likely, but it also allowed more operators to start using it—currently about 25 distinct individuals or groups according to Flashpoint. When multiple hackers have access to a botnet, it splinters, splitting its total attack power among its operators' different targets. In Mirai's case, researchers found that different attackers, jostling for a bigger share, have worked to lock down devices and carve out their own portions of the botnet so only they can use them for attacks.

Infighting Among the Infected

Researchers at Flashpoint wrote last week that Mirai's strength might be permanently waning because of this fractious war for resources. Particularly on US election day last week, the researchers say that Mirai attacks dropped noticeably and the ones that were going on were small.

The factions competing to use the Mirai botnet's resources have even resorted to turning their DDoS attacks on each other to try to make up ground. That pattern of infighting is one botnet researchers have seen before, Flashpoint's Wikholm says. "When we looked at the logs and we could see that they were attacking each other, there was a little bit of a chuckle."

But the frequency of Mirai attacks bounced back after the election, particularly going after gaming companies and services like Minecraft servers. If Mirai's evolving software and new methods of connecting to vulnerable devices can allow the botnet population to grow, there will be more infected devices to go around, and perhaps Mirai could even reattain its previous power—at least until different factions degrade it again.

Even though attackers can't currently generate the massive traffic cannons they once could with Mirai, researchers at Flashpoint and the internet service provider Level 3 are still observing average attacks that harness more than 90,000 compromised devices on targets like gaming services and infrastructure companies. "It doesn’t appear that any of these warring states has the power to launch an attack like we saw with Krebs, OVH, or Dyn, but they can make life very very difficult for a lot of hosts," Flashpoint's Costello says. "Not in the scale of a single attack, but in the longevity, just doggedly and repeatedly attacking."

Dozens of DDoSes Per Day

Though ISPs have been working to get a handle on Mirai traffic, as Anna-senpai noted, the botnet's speed and ability to launch attacks on very specific parts of the internet's infrastructure (like the assault on Dyn that particularly targeted the Domain Name System or DNS servers that translate domain names into IP addresses) has made defense challenging. "We reported five months ago about the creation of these botnets," says Dale Drew, the chief security officer of Level 3. "That behavior analytics really helped us get an edge on early warning detection; however, the scale of this is something that we’re struggling with." Dale says that Level 3 has observed as many as 31 Mirai attacks per day and never less than one a day in the weeks since it first appeared online.

On the brighter side, ISPs and other Internet infrastructure companies are starting to consider how to invest to improve their defenses. Researchers say that increased industry collaboration and IoT security awareness could be positive outcomes of battling Mirai. "Botnets like Mirai are helping all sides of this arms race identify obvious low-hanging fruits in the embedded space," says Ang Cui, the CEO and founder of IoT security company Red Balloon. "This is a headache for us now, but it will inevitably reduce the reservoir of trivially vulnerable devices for whatever botnet comes after Mirai."

"Yes," he adds. "There will be more."

Mirai may not be the first or the last, but it's expanding what the security community expects from IoT malware. Its design is clever, if devious. Flashpoint's Costello calls it "exceptional" in its ability to infect and recruit more devices into its zombie mob of vulnerable gadgets.

"People realized there was something going on, but no one understood the full scale," says Costello. "This one was a wakeup call to a lot of people."