Abstract

The proliferation of Internet of Things devices has resulted in an increase in security vulnerabilities and network attacks. The Mirai botnet is a well-known example of a network used for malicious activities, detected for the first time by the white-hat research group in August 2016. Since then, Mirai has initiated massive DDoS attacks by scanning for and exploiting vulnerabilities in network devices. In this paper, we investigate the evolution of the Mirai botnet over a six-year period, analyzing the TCP SYN packets that carry the Mirai signature, i.e., a TCP sequence number equal to the destination IP address. Our analysis stands out as we extensively investigate the evolution of Mirai scans over a prolonged six-year period (2016–2022). Our findings reveal that the Mirai signature is still implemented by malicious actors today, in contrast with previous works. Moreover, we observe that the number of hijacked devices and the number of TCP SYN packets involved in the scanning phase have increased over time. We also confirm that cybercriminals generally target Telnet port 23, followed by fewer requests on Telnet port 2323. Conversely, the number of probes on the SSH ports decreases over time before increasing again in 2022. Lastly, we identify several ports that had not been contacted until 2018 but have since received a large number of TCP SYN packets that match the Mirai signature. These ports are linked with the emergence of new variants of the Mirai botnet.
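The signature check described in the abstract can be expressed as a small packet filter. The following is an added example, not code from the paper: the function names are hypothetical, the sample packets are constructed with documentation-range addresses, and treating "SYN" as SYN set with ACK clear is an assumption.

```python
import socket
import struct
from collections import Counter

SYN, ACK = 0x02, 0x10

def mirai_probe_port(packet: bytes):
    """Return the destination port if a raw IPv4 packet is a TCP SYN whose
    sequence number equals the destination address, otherwise None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None                          # truncated or not IPv4
    ihl = (packet[0] & 0x0F) * 4             # IP header length incl. options
    if ihl < 20 or packet[9] != socket.IPPROTO_TCP or len(packet) < ihl + 20:
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return None                          # non-first fragment: no TCP header
    dst_ip = struct.unpack("!I", packet[16:20])[0]
    _sport, dport, seq = struct.unpack("!HHI", packet[ihl:ihl + 8])
    if packet[ihl + 13] & (SYN | ACK) != SYN:
        return None                          # assumption: SYN set, ACK clear
    return dport if seq == dst_ip else None

def count_by_port(packets):
    """Tally signature-matching probes per destination port."""
    return Counter(p for p in map(mirai_probe_port, packets) if p is not None)

def ip_int(addr: str) -> int:
    return struct.unpack("!I", socket.inet_aton(addr))[0]

def build_tcp(src, dst, dport, seq, flags=SYN):
    """Constructed test input: minimal IPv4+TCP headers, checksums left zero."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64,
                     socket.IPPROTO_TCP, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, seq, 0, 5 << 4, flags,
                      1024, 0, 0)
    return ip + tcp

# Constructed sample traffic (RFC 5737 documentation addresses).
SAMPLE = [
    build_tcp("198.51.100.7", "192.0.2.10", 23, ip_int("192.0.2.10")),
    build_tcp("198.51.100.8", "192.0.2.11", 23, ip_int("192.0.2.11")),
    build_tcp("198.51.100.9", "192.0.2.12", 2323, ip_int("192.0.2.12")),
    build_tcp("203.0.113.5", "192.0.2.10", 22, 0x12345678),   # ordinary ISN
    build_tcp("203.0.113.6", "192.0.2.10", 23, ip_int("192.0.2.10"), SYN | ACK),
]

if __name__ == "__main__":
    for port, hits in sorted(count_by_port(SAMPLE).items()):
        print(f"port {port}: {hits} signature-matching SYN(s)")
```

A randomly chosen sequence number collides with the destination address about once in 2^32 packets, so false positives from ordinary traffic are rare but not impossible on very large captures.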
