explaingit

jgamblin/mirai-source-code

9,305 · C · Audience · researcher · Complexity · 4/5 · License · Setup · hard

TLDR

The leaked source code of the Mirai botnet, republished with documentation for defensive security research: studying how the malware spreads, writing detection rules, and building defenses against DDoS attacks.

Mindmap

mindmap
  root((Mirai Botnet))
    Components
      Bot scanner
      Command server
      Loader
      Attack modules
    How it works
      Finds IoT devices
      Default passwords
      DDoS flood traffic
    Research uses
      Detection rules
      Protocol analysis
      Defense building
    Safety
      Isolated VM only
      No real networks

Things people build with this

USE CASE 1

Study how Mirai scans for and infects IoT devices that still use default factory passwords.

USE CASE 2

Write Snort or Suricata detection rules by analyzing Mirai's network protocol from the source.

USE CASE 3

Understand the command-and-control architecture used by large botnets for academic or defensive work.

USE CASE 4

Build defenses against DDoS attacks by learning exactly how Mirai generates and directs flood traffic.

Tech stack

C

Getting it running

Difficulty · hard · Time to first run · 1 day+

Must be run in a fully isolated VM with no public internet access; antivirus tools will flag the downloaded files as malware.

Provided for security research only; running this against real devices or networks is illegal, and the repository author makes no license claim over malware originally written by others.

In plain English

This repository contains the leaked source code for the Mirai botnet, a piece of malware that became notorious in 2016 when it was used to launch some of the largest internet outages recorded at the time. The original code was written anonymously and released publicly on a hacking forum; this repository is a fork that repackages it with documentation for security research purposes.

Mirai works by scanning the internet for home routers, security cameras, and other internet-connected devices that still use their factory-default passwords. When it finds one, it logs in automatically and installs itself. The infected device then connects to a command-and-control server and waits for instructions. When many thousands of infected devices receive the order at once, they all flood a target with traffic, knocking it offline. This kind of attack is called a distributed denial-of-service (DDoS) attack.

The repository includes the main bot code that runs on infected devices, the command-and-control server that sends instructions, a loader that spreads the infection, and supporting scripts. There is also the original forum post from the author explaining the system.

The README is explicit that the code is provided for defensive security research only: studying how botnets spread, writing detection rules for security tools, understanding the communication protocol between bots and servers, and building defenses. Running it against real devices or networks is illegal. The README recommends that anyone experimenting with the code do so inside an isolated virtual machine setup with no connection to the public internet. Some antivirus programs flag the downloaded files as malware, which the README acknowledges and notes as a caution.

Copy-paste prompts

Prompt 1
I'm a security researcher studying the Mirai botnet source code. Explain how the scanner identifies vulnerable IoT devices and what default credentials it tries.
Prompt 2
Help me understand the command-and-control protocol in the Mirai source code so I can write Snort detection rules for botnet C2 traffic.
Prompt 3
I want to study Mirai's attack modules in an isolated VM with no public internet. What network and virtualization configuration do I need to do this safely?
Prompt 4
Walk me through the loader component in the Mirai source code and explain the steps it uses to propagate the infection from one device to another.