Threat Report Explores Threat Intelligence Sharing & Mirai, the IoT Botnet

This blog post was written by Vincent Weafer.

In the McAfee Labs Threats Report: April 2017, published today, we explore two key topics.

Following an announcement by the Cyber Threat Alliance of its formal incorporation and the release of a threat intelligence sharing platform, we provide some perspective about threat intelligence sharing. The story provides a detailed analysis of the background and drivers of threat intelligence sharing, the various components of threat intelligence and its sources, how mature security operations can use this information, five critical challenges that need to be overcome, and the evolving sharing models that have appeared in the market.

To move threat intelligence sharing to the next level of efficiency and effectiveness, the story explains why improvement is needed in three areas:

  • We need to simplify event triage and provide a better environment for security practitioners to investigate high-priority threats.
  • We need to do a better job establishing relationships between indicators of compromise so that we can understand their connections to attack campaigns.
  • We need a better way to share threat intelligence among our own products and with other vendors.

You can learn about integrating threat intelligence in McAfee environments by reading the Operationalizing Threat Intelligence solution brief.


On October 21, 2016, the domain name service company Dyn was attacked with a massive and complex distributed denial-of-service attack. At its peak, Dyn was flooded by 1.2Tbps of traffic, the highest volume of DDoS traffic ever recorded. The analysis of the attack confirmed that the DDoS traffic originated from Internet of Things devices infected by the Mirai botnet.

In our second story, we examine the Mirai botnet, including its architecture and inner workings; its attack process, including the many attack vectors it can use to flood targets; and its evolution.

During our analysis of Mirai, we set up a honeypot masquerading as an unprotected, publicly accessible IoT device to see if we could attract a Mirai incursion. In fewer than five minutes, we registered the first attempted attack. Watch the video of the honeypot console, showing how quickly the simulated IoT device was discovered and attacked.

You can learn how to secure IoT devices and how McAfee products can protect systems and networks from IoT device attacks by reading the Secure IoT Devices to Protect Against Attacks solution brief.


Finally, we provide rich statistical detail about Q4 threat activity. Here are some highlights:

  • The number of new malware samples in Q4—23 million—dropped 17% from Q3. However, the overall count grew 24% in 2016 to 638 million samples.
  • The number of new ransomware samples fell 71% in Q4, mostly due to a drop in generic ransomware detections, as well as a decrease in Locky and CryptoWall. The number of total ransomware samples grew 88% in 2016.
  • Mobile malware. The number of new mobile malware samples declined by 17% in Q4. But total mobile malware grew 99% in 2016.
  • Mac OS malware. Although still small compared with Windows threats, the number of new Mac OS malware samples grew 245% in Q4, due to adware bundling. Total Mac OS malware grew 744% in 2016.
  • We counted 197 publicly disclosed security incidents in Q4 and 974 publicly known security incidents in 2016.

The McAfee Labs Threats Report: April 2017 is available here.

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.


More from McAfee Labs

Back to top