In February 2017, I started my passive honeypot and began listening for all incoming network traffic. As the months passed, I saw numerous exploit attempts, constant port scans, and other suspicious traffic. It wasn’t until October that, with the help of Dr. Neal Krawetz, I started cataloging Mirai-like botnet traffic specifically.
What does Mirai-like mean?
Incoming scans from Mirai-like botnets have a very distinct fingerprint in the network traffic generated by infected hosts. The TCP sequence number will always equal the IP address of the target device. This intentional behavior is documented in the original Mirai source code, shown in the snippet below:
Typically, the target IP address is encoded in decimal (numeric) format. As the target IP changes, the Sequence Number of the traffic coming from the infected host will change accordingly as shown in the example below:
Your logs may vary and instead record the sequence number in hexadecimal format. Either way, once converted to an IP address, the pattern is clearly established.
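To show the fingerprint check in code, here is an added example (not code from the original post or from the Mirai source) that takes constructed SYN log lines, parses the TCP sequence number in either decimal or hexadecimal form, and flags a line as Mirai-like when the sequence number equals the 32-bit integer form of the destination IP. The log line layout and the IP addresses are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample log lines (not from the original post). Each line carries
# the source, the destination (the honeypot address being scanned) and the raw
# TCP sequence number. 192.0.2.10 as a 32-bit integer is 3221225994 (0xC000020A).
SAMPLE_LOG = """\
2017-11-29T03:14:07Z SYN src=203.0.113.45:35110 dst=192.0.2.10:23 seq=3221225994
2017-11-29T03:14:07Z SYN src=203.0.113.45:35110 dst=192.0.2.11:23 seq=3221225995
2017-11-29T03:14:09Z SYN src=198.51.100.7:51022 dst=192.0.2.10:2323 seq=0xC000020A
2017-11-29T03:14:11Z SYN src=198.51.100.99:44001 dst=192.0.2.10:23 seq=1813061473
"""

# Assumed log layout for this example; adjust the pattern to your own sensor's format.
LINE_RE = re.compile(
    r"src=(?P<src>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"dst=(?P<dst>\d+\.\d+\.\d+\.\d+):\d+\s+"
    r"seq=(?P<seq>\S+)"
)


def parse_seq(raw, hex_logs=False):
    """Return the sequence number as an int.

    Decimal is the default. A '0x' prefix or any a-f digit marks hex. An
    unprefixed hex value made only of digits is ambiguous, so pass hex_logs=True
    when your sensor always writes hex without a prefix.
    """
    raw = raw.strip().lower()
    if hex_logs or raw.startswith("0x") or re.search(r"[a-f]", raw):
        return int(raw, 16)  # int() accepts the 0x prefix with base 16
    return int(raw, 10)


def seq_to_ip(seq):
    """Interpret a 32-bit sequence number as a dotted-quad IPv4 address."""
    return str(ipaddress.IPv4Address(seq & 0xFFFFFFFF))


def is_mirai_like(dst_ip, seq):
    """The fingerprint: TCP seq equals the target IP encoded as a 32-bit integer."""
    return int(ipaddress.IPv4Address(dst_ip)) == seq


def flag_mirai_like(log_text, hex_logs=False):
    """Return (src, dst, ip_encoded_in_seq) for every line matching the fingerprint."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a SYN line in the expected layout
        seq = parse_seq(m["seq"], hex_logs)
        if is_mirai_like(m["dst"], seq):
            hits.append((m["src"], m["dst"], seq_to_ip(seq)))
    return hits


if __name__ == "__main__":
    for src, dst, encoded in flag_mirai_like(SAMPLE_LOG):
        print(f"Mirai-like scan from {src} -> {dst} (seq decodes to {encoded})")
```

The fourth sample line has a random sequence number and is not flagged, which is the point of the check: ordinary scanners and legitimate clients pick their initial sequence number randomly, so a sequence number that decodes exactly to the scanned address is a strong indicator on its own. Use the source addresses of the flagged lines as the input to any further cataloging.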
Dr. Krawetz shared his thoughts on this technique, “This is actually kind of brilliant. Each bot slings out packets and doesn’t store any information. When a response comes back, the botnet can identify the sender by the sequence number.”
Once the fingerprint of the Mirai-like botnet was established, I was able to review the IP addresses found in my logs for further patterns. Late in October 2017, I shared my findings of a botnet consisting of EnGenius routers.
Instead of continuing to isolate specific devices in the botnet and the volume of traffic generated, I began cataloging new unique IP addresses while noting the network provider (ASN) and country they came from. This allowed me to gauge the growth rate and estimate the size of active botnets. Subsequently, I started sharing my Mirai-like botnet statistics daily on Twitter.
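The daily statistic described above is "new unique IP addresses", meaning source addresses never catalogued before, not simply the distinct addresses seen that day. Here is an added example (not the author's own tooling) of that first-seen rollup with ASN and country enrichment. The observations, prefixes, AS numbers (from the documentation range) and country codes are all constructed for this example; a real pipeline would resolve ASN and country from a routing or GeoIP database.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed observations (date, source IP) of scans already matched against
# the Mirai fingerprint. Not data from the original post.
OBSERVATIONS = [
    ("2017-11-28", "203.0.113.45"),
    ("2017-11-28", "203.0.113.45"),   # same host twice in one day: one unique IP
    ("2017-11-28", "198.51.100.7"),
    ("2017-11-29", "203.0.113.45"),   # already catalogued on the 28th: not new
    ("2017-11-29", "198.51.100.23"),
    ("2017-11-29", "192.0.2.77"),
]

# Constructed prefix -> (ASN, country) table standing in for a real lookup database.
PREFIX_TABLE = {
    "203.0.113.0/24": ("AS64500", "AR"),
    "198.51.100.0/24": ("AS64501", "CO"),
    "192.0.2.0/24": ("AS64502", "EG"),
}
_NETWORKS = [(ipaddress.ip_network(p), v) for p, v in PREFIX_TABLE.items()]


def lookup(ip):
    """Longest-prefix match of ip against the table; (None, None) if unrouted."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, info in _NETWORKS:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, info)
    return best[1] if best else (None, None)


def daily_new_unique(observations, seen=None):
    """Map each date to the IPs first seen on that date.

    `seen` carries the set of IPs already catalogued on earlier runs, so the
    function can be called incrementally as new days of logs arrive.
    """
    seen = set() if seen is None else seen
    per_day = defaultdict(list)
    for date, ip in sorted(observations):   # sort so "first seen" is chronological
        if ip in seen:
            continue
        seen.add(ip)
        per_day[date].append(ip)
    return dict(per_day)


def daily_counts(observations, seen=None):
    """Number of new unique IPs per day, the figure reported in the daily statistics."""
    return {d: len(ips) for d, ips in daily_new_unique(observations, seen).items()}


def top_by(ips, field, n=10):
    """Top-n (value, count) for field 'asn' or 'country' over a set of IPs."""
    idx = {"asn": 0, "country": 1}[field]
    counts = Counter(lookup(ip)[idx] for ip in ips)
    return counts.most_common(n)


if __name__ == "__main__":
    new_by_day = daily_new_unique(OBSERVATIONS)
    for day, ips in new_by_day.items():
        print(day, len(ips), "new unique IPs")
    all_new = [ip for ips in new_by_day.values() for ip in ips]
    print("top countries:", top_by(all_new, "country", 3))
    print("top ASNs:", top_by(all_new, "asn", 3))
```

Keeping the `seen` set between runs is what makes a repeat infection on a later day count as zero, so a rising daily figure reflects growth rather than the same hosts re-scanning.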
One Year of Data Collected
Reviewing the entire dataset I collected, the overall Mirai-like botnet volume averaged around 500 new unique IP addresses per day in March 2017 and steadily declined until September 2017. After this point, a surge in botnet activity was observed. The most new unique IP addresses I saw in a single day was 1,384 on November 29.
The explosion in activity was largely attributed to the Satori botnet, which enslaved devices in Argentina, Egypt, Colombia, and Tunisia. This botnet grew exponentially after a zero-day exploit was used to target Huawei HG532 routers. Numerous devices from Japan were also found after a UPnP exploit targeting Realtek devices was used.
During the height of the activity between November 22nd and December 7th, those countries accounted for a large share of the new unique IP addresses found.
Similarly, network providers (ASNs) from Colombia, Egypt, and Argentina combined for 39% of all new unique IP addresses seen during this time period.
The challenge of collecting and sharing the Mirai-like botnet data every day quickly became apparent. A publicly shared Google Sheet was not a long term option, so I asked my Twitter followers for assistance building a proper solution.
Alex Rhodes rose to the challenge and offered his time and expertise to build a database backend to store the data. He also designed and implemented a website for sharing the botnet data. Alex is a software engineer in the aerospace industry and is currently working towards a Master’s degree in Cybersecurity at Syracuse University.
The new website is easy to configure and manage and I’m truly grateful for the finished product Alex has delivered.
The new website offers filtering options for every field, including IP Address, Country, ASN, and date range. It also expands on the features formerly offered in the spreadsheet, including the following lookups:
In addition to the main page, which is updated daily, we can also filter by the top ASN and country for a specified time period. Using this, we can review the all-time leaders for the entire year of Mirai-like botnet data collected.
China dominated the count of unique IPs seen with 27,672. India and Brazil both had over 10,000 unique IPs each. Japan and Argentina were close behind with over 9,000 unique IPs each. Russia and the United States were also among the top 10 countries with 7,801 and 5,045 unique IPs, respectively.
Continuing the trend, network providers China Telecom and China Unicom led in total overall volume, combining for a total of 23,243 unique IPs seen. Coming in third place was Telefonica de Argentina with 7,576 unique IPs. Rounding out the top five network providers in unique IPs seen was Rostelecom (Russia) with 5,407 and Tigo Colombia with 3,301.
During the one year of data collection, I saw botnet traffic from 179 of the 195 recognized countries in the world. IP addresses registered to 5,581 unique network providers (ASNs) were also observed. It was clear that Mirai-like botnet activity was truly a worldwide phenomenon.
The unique IPs seen by my honeypot are only a tiny fraction of those participating in active botnets. In the case of the Satori botnet, other security researchers estimate the total size peaked around 650,000 infected devices.
The data provided via the new website will remain free and open to the public. I will continue to update it daily with my latest available data.
Follow me on Twitter to receive my daily Mirai-like botnet statistics update of new unique IPs seen, top ten countries and top five ASNs seen in the Mirai-like botnet.