Mirai vs. Nitol – In Depth Comparison

Mirai and Nitol are two of the most virulent malware threats the online security community has seen to date. Nitol was first detected in China in 2012 and quickly infected Windows PC units inside the factory where they were manufactured. Mirai made headlines in 2016 for attacking Dyn, a well-known DNS provider, and causing havoc with dozens of well-known websites.

Like retro monster movies, these two malicious botnets tower ominously above the corporate and IoT landscape. And like Mothra and Godzilla, the debate rages on: Who dominates among malware monsters, Mirai or Nitol?

A distributed denial of service (DDoS) attack exhausts server resources by initiating a large number of processing tasks. A website under attack becomes inaccessible to users and IT ops teams alike. Mirai is DDoS-focused, while Nitol is more “versatile”.

In 2012, Microsoft’s security team discovered Nitol-infected PCs were being sold in China. Its intrusion prevention system (IPS) estimated the attack contained more than 350,000 botnets. Even though Microsoft was able to put an end to the problem quickly, Nitol never really went away. It continues to be a major and persistent problem. Infected machines currently account for over 59 percent of all attacking botnet IPs.

Nitol is seen in DDoS attacks but also has other uses. Along with a handful of other commonly seen malware (like Dirtjumper and PCRat), Nitol is especially prevalent in China, Vietnam and the United States. Recent data from our security researchers shows that Nitol is responsible for more than half of attack traffic originating from South Korea.

Mirai, on the other hand, is a territorial malware that often infects Linux IoT devices like CCTV cameras and personal routers. Home IoT tech is largely insecure and that’s how Mirai spreads. An average attack will include more than 100,000 infected devices. Not as big as Nitol, admittedly, but big enough to take down a reliable CDN provider like Dyn and disrupt popular websites like Twitter, Netflix and Spotify.

Mirai is exceptionally predatory. Not only does it scan IP addresses across the internet looking for insecure devices, but it systematically removes and replaces preexisting malware. According to recent data, close to 50,000 unique IPs hosted Mirai-infected devices. The malware casts a wide net and your website could be an innocent victim. Once Mirai infects an IoT network, it is in position to launch a full-on DDoS attack.

The infographic below breaks down the specifics of each botnet. Unfortunately, there are no winners in this head-to-head comparison. Both Mirai and Nitol are bad news.

Finally, if you’re looking for a cool poster on Mirai vs. Nitol, check out our movie poster.

