Figure 3: Temporal Mirai Infections — We estimate the number of Mirai-infected devices over time by tracking the number of hosts actively scanning with the Mirai fingerprint at the start of every hour. Mirai started by scanning Telnet, and variants evolved to target 11 additional protocols. The total population initially fluctuated between 200,000–300,000 devices before receding to 100,000 devices, with a brief peak of 600,000 devices.
Figure 4: Bootstrap Scanning — Mirai scanning began on August 1, 2016 from a single IP address in a bulletproof hosting center. Mirai infection spread rapidly with a 76-minute doubling time and quickly matched the volume of non-Mirai Telnet scanning.
4.1 Bootstrapping
We provide a timeline of Mirai’s first infections in Figure 4. A single preliminary Mirai scan occurred on August 1, 2016 from an IP address belonging to DataWagon, a U.S.-based bulletproof hosting provider [48]. This bootstrap scan lasted approximately two hours (01:42–03:59 UTC), and about 40 minutes later (04:37 UTC) the Mirai botnet emerged. Within the first minute, 834 devices began scanning, and 11K hosts were infected within the first 10 minutes. Within 20 hours, Mirai infected 64,500 devices. Mirai’s initial 75-minute doubling time is outstripped by other worms such as Code Red (37-minute doubling time [70]) and Blaster (9-minute doubling time [10]). Mirai’s comparatively modest initial growth may be due to the low bandwidth and computational resources of infected devices, a consequence of the low-accuracy, brute-force login using a small number of credentials, or simply attributable to a bottleneck in loader infrastructure.
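The doubling-time figure above comes from fitting exponential growth to hourly counts of scanning hosts. The following is an added example of that estimate (not code from the paper); it fits log2(hosts) against time over the exponential phase only, using a constructed hourly series rather than measured data.

```python
"""Estimate a worm's doubling time from a time series of hosts seen
scanning, the measurement behind the doubling-time figure in Section 4.1.
Added example, not the paper's own code; the series below is constructed."""
import math

def fit_doubling_time(samples):
    """samples: list of (minutes_since_start, infected_hosts).
    Least-squares fit of log2(hosts) = a + b*t; doubling time is 1/b.
    Returns None when the series is too short or not growing."""
    pts = [(t, math.log2(n)) for t, n in samples if n > 0]
    if len(pts) < 2:
        return None
    mean_t = sum(t for t, _ in pts) / len(pts)
    mean_y = sum(y for _, y in pts) / len(pts)
    sxx = sum((t - mean_t) ** 2 for t, _ in pts)
    sxy = sum((t - mean_t) * (y - mean_y) for t, y in pts)
    if sxx == 0 or sxy <= 0:
        return None
    return sxx / sxy  # minutes per doubling

def growth_window(samples, min_ratio=1.05):
    """Leading stretch in which each sample grows by at least min_ratio over
    the previous one. Fitting past this point understates growth, because
    the population saturates (Mirai plateaued at 200,000-300,000 hosts)."""
    window = samples[:1]
    for prev, cur in zip(samples, samples[1:]):
        if prev[1] <= 0 or cur[1] / prev[1] < min_ratio:
            break
        window.append(cur)
    return window

# Constructed hourly counts: 834 hosts growing with a 76-minute doubling
# time, capped at 64,500 (the paper's 20-hour total) to mimic saturation.
SERIES = [(60 * h, min(64_500, round(834 * 2 ** (60 * h / 76))))
          for h in range(21)]

def estimate_bootstrap_doubling(series=SERIES):
    """Doubling time (minutes) fitted over the exponential phase only."""
    return fit_doubling_time(growth_window(series))

if __name__ == "__main__":
    print(f"exponential phase only: {estimate_bootstrap_doubling():.1f} min")
    print(f"whole series, saturation included: {fit_doubling_time(SERIES):.1f} min")
```

Fitting the whole series, plateau included, yields a much longer doubling time, which is why the growth window is selected first.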
4.2 Steady State Size
We observed multiple phases in Mirai’s life: an initial steady state of 200,000–300,000 infections in September 2016; a peak of 600,000 infections at the end of November 2016; and a collapse to roughly 100,000 infections at the end of our observation window in late February 2017 (Figure 3). Even though hosts were initially compromised via a simple dictionary attack, Mirai was able to infect hundreds of thousands of devices. This is similar in scale to historical botnets such as the prolific Srizbi spam botnet (400,000 bots [83]), which was responsible for more than half of all global botnet spam [35], and the Carna botnet (420,000 bots [38]), the first botnet of IoT devices compromised using default credentials.
While the original Mirai variant infected devices by attempting Telnet and SSH logins with a static set of credentials, later strains evolved to scan for other types of vulnerabilities. Most notably, Mirai-fingerprinted scans targeting TCP/7547, the standard port for CWMP, began appearing in our dataset on November 26, 2016. Mirai compromised CWMP devices through an RCE exploit in a SOAP configuration endpoint [41]. The new attack vector led to a renewed spike of infections (Figure 3). The decay that followed may be explained best by Deutsche Telekom patching routers soon after the attack [21]. The non-immediate decay may have been due to the devices requiring a reboot for the patch to take effect.
To better understand the decrease in Mirai bots from a steady state of 300,000 devices down to 100,000 devices, we examined the ASes in which raw population decreased most significantly between September 21, 2016 and February 28, 2017. The ASes with the largest reduction in devices were: Telefónica Colombia (−38,589 bots, −98.5%), VNPT Corp (−16,791 bots, −90.2%), and Claro S.A. (−14,150 bots, −80.2%). This suggests potential action by certain network operators to mitigate Mirai. While a handful of ASes increased in prevalence over time, notably Telefónica de Argentina (+3,287 bots, 3,365.1%) and Ecuadorian telecom company CNT EP (+1,447 bots, 116.4%), the total increase (+10,500 bots) across all ASes is eclipsed by the overall decrease (−232,698 bots).
1098 26th USENIX Security Symposium
USENIX Association
Country      Mirai Infections   Mirai Prevalence   Telnet Prevalence
Brazil       49,340             15.0%              7.9%
Colombia     45,796             14.0%              1.7%
Vietnam      40,927             12.5%              1.8%
China        21,364             6.5%               22.5%
S. Korea     19,817             6.0%               7.9%
Russia       15,405             4.7%               2.7%
Turkey       13,780             4.2%               1.1%
India        13,357             4.1%               2.9%
Taiwan       11,432             3.5%               2.4%
Argentina    7,164              2.2%               0.2%

Table 3: Geographic Distribution — We compare countries that harbored the most infections on 09/21/2016 — when Krebs on Security was attacked — with countries that hosted the most telnet devices on 07/19/2016 prior to Mirai’s onset. Mirai infections occurred disproportionately in South America and Southeast Asia, accounting for 50% of infections.
4.3 Global Distribution
In order to understand where Mirai infections were geographically concentrated, we calculated the geolocation of Mirai bots actively scanning at 00:00 UTC on September 21, 2016 (during the first Krebs on Security attack and Mirai’s peak steady state infection period). As shown in Figure 3, the bulk of Mirai infections stemmed from devices located in Brazil (15.0%), Colombia (14.0%), and Vietnam (12.5%). Mirai also exhibited a concentrated network distribution — the top 10 ASes accounted for 44.3% of infections, and the top 100 accounted for 78.6% of infections (Table 4). Compared to the pre-Mirai global distribution of telnet hosts, Mirai consisted of a disproportionate number of devices concentrated in South America and Southeast Asia. This is possibly due to biases in manufacturer and market penetration in those regions. This is a stark contrast from many prior worms, which were primarily concentrated in the U.S., including CodeRed (43.9%), Slammer (42.9%), Witty (26.3%), and Conficker (34.5%) [82]. Mirai largely infected regions the black market considers to be low-quality hosts used for proxies and DDoS [88] and may have limited potential avenues for monetization.

AS                     %       AS                     %
Telefónica Colombia    11.9%   Türk Telekom           3.2%
VNPT Corp.             5.7%    Chunghwa Telecom †     2.9%
Claro S.A.             5.4%    FPT Group              2.8%
China Telecom †        4.0%    Korea Telecom †        2.6%
Telefônica Brasil      3.4%    Viettel Corporation    2.5%

Table 4: AS Distribution — We list the 10 ASes with the largest number of infections on 09/21/2016, the day Krebs on Security was attacked and the initial peak infection. The top 10 ASes accounted for 44.3% of infections, but only three of the top 10 are within the top 100 global ASes (denoted †) [16].
We explored the dynamism of Mirai’s membership by examining the correlation between the top Mirai scanning ASes over time. We find that Mirai displayed general stability outside of the rapid growth phase in September 2016 and when CWMP exploits were introduced in late November (Figure 5a). During the September growth period, the number of IPs in each AS rose across the board with a few outliers. The growth of IPs belonging to Telefónica Colombia exceeded all other ASes and was eventually responsible for the largest number of Mirai infections. Other new introductions to the top 10 included India’s Bharti Airtel and Bharat Sanchar Nigam Limited, Brazil’s Claro S.A., and Korea Telecom.
CWMP emergence also disrupted general network distribution stability. Between November 25–27, 7 of the top 10 ASes decreased in rank to give rise to several previously unseen European ASes (e.g., Eircom and TalkTalk). Their appearance was short-lived; by December 10, 2016, these ASes fell back down in population. This suggests that the vulnerable population of the CWMP exploit was concentrated in Europe, but prompt patching returned Mirai back to its original concentration in South America and Southeast Asia. The long-term stability of Mirai ASes and geolocation demonstrates that Mirai has not expanded significantly in the scope and scale of devices that it infects. However, as the transient CWMP exploit demonstrates, new infection vectors had the potential to quickly add to Mirai’s already sizable membership.
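The per-AS comparisons in Sections 4.2 and 4.3 (losses and gains between two dates, and the share of infections held by the largest ASes) reduce to a few operations on AS-keyed host counts. The following is an added example of those operations (not code from the paper); both snapshots are constructed and the AS labels are placeholders, not real ASNs.

```python
"""Compare two snapshots of Mirai-scanning hosts grouped by AS, as in
Section 4.2 (per-AS gains and losses between two dates) and Section 4.3
(how concentrated infections are in the largest ASes). Added example,
not the paper's code; both snapshots are constructed."""

def as_deltas(before, after):
    """Per-AS change between snapshots {asn: hosts} -> {asn: (delta, pct)}.
    pct is None for an AS with no hosts in the earlier snapshot, since a
    percentage change needs a non-zero baseline."""
    out = {}
    for asn in set(before) | set(after):
        b, a = before.get(asn, 0), after.get(asn, 0)
        out[asn] = (a - b, (a - b) / b * 100 if b else None)
    return out

def largest_changes(deltas, n, decreasing=True):
    """The n ASes with the largest loss (decreasing=True) or gain of hosts."""
    ranked = sorted(deltas.items(), key=lambda kv: kv[1][0],
                    reverse=not decreasing)
    return ranked[:n]

def net_change(deltas):
    """Total gains and total losses across all ASes, kept separate
    (the paper contrasts +10,500 with -232,698)."""
    gains = sum(d for d, _ in deltas.values() if d > 0)
    losses = sum(d for d, _ in deltas.values() if d < 0)
    return gains, losses

def top_share(counts, n):
    """Fraction of all scanning hosts located in the n largest ASes."""
    total = sum(counts.values())
    if not total:
        return 0.0
    return sum(sorted(counts.values(), reverse=True)[:n]) / total

# Constructed snapshots keyed by placeholder AS labels, not real ASNs.
SNAP_BEFORE = {"AS-A": 1000, "AS-B": 500, "AS-C": 300, "AS-D": 200}
SNAP_AFTER = {"AS-A": 15, "AS-B": 450, "AS-C": 600, "AS-E": 40}

if __name__ == "__main__":
    d = as_deltas(SNAP_BEFORE, SNAP_AFTER)
    for asn, (delta, pct) in largest_changes(d, 3):
        label = f"({pct:+.1f}%)" if pct is not None else "(new)"
        print(f"{asn}: {delta:+d} hosts {label}")
    print("gains/losses:", net_change(d))
    print(f"top-2 share after: {top_share(SNAP_AFTER, 2):.1%}")
```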
4.4 Device Composition
While cursory evidence suggested that Mirai targets IoT devices — Mirai’s dictionary of default usernames and passwords included routers, DVRs, and cameras [50], and its source compiled to multiple embedded hardware configurations — we provide an in-depth analysis of both the intended device targets and successful infections.
To understand the types of devices that Mirai targeted, we analyzed the credentials hardcoded into the binaries we collected. We observed a total of 371 unique passwords, and through manual inspection, we identified 84 devices and/or vendors associated with these passwords. Many passwords were too generic to tie to a specific device (i.e., “password” applies to devices from a large number of manufacturers), while others only provided information