| ID | Max Lookup Vol. | Notes |
|----|-----------------|-------|
| 6 | 61,440 | Attacked Dyn, other gaming related attacks |
| 1 | 58,335 | The original botnet. Attacked Krebs on Security, OVH |
| 2 | 36,378 | Attacked Lonestar Cell. Scans TCP/7547 and TCP/5555, removes DoD from blacklist, adds DGA |
| 13 | 9,657 | — |
| 7 | 9,467 | Scans TCP/7547 |

Table 8: Cluster Size Estimate and Characteristics — We highlight the top five clusters by max single-day lookup volume within a large U.S. ISP, which provides an indicator of their relative size. Each cluster is additionally labeled with observed evolutionary patterns and associated attacks.
[Figure 7 image not recoverable; the figure's node labels (C2 domain names) and its cluster labels (Cluster 0, Cluster 1, Cluster 2, Cluster 6, Cluster 7, Cluster 23) are omitted here.]

Figure 7: C2 Domain Relationships — We visualize related C2 infrastructure, depicting C2 domains as nodes and shared IPs as edges between two domains. The top six clusters by C2 domain count consisted of highly connected components, which represent agile, long-lived infrastructures in use by botmasters.
are multiple active bot operators during our study period.
While Figure 7 provides a rough sense of Mirai C2 complexity, it does not indicate the number of bots that each cluster controlled. To estimate botnet membership, we measured the DNS lookup volume per cluster. In Figure 8, we show the top clusters of domains based on the volume of DNS lookups at a large, name-redacted ISP. This single perspective is not comprehensive, but it allows us to observe the rise and fall of different botnets over time, and may provide a hint of their relative sizes. A prime example is cluster 1, which was the initial version of the Mirai botnet involved in the early, high-profile attacks on Krebs on Security and OVH. Although it dominated in lookup volume in late September and early October, it gave way to newer clusters, 2 and 6, in mid-October. We provide a list of the largest clusters by lookup and their unique characteristics in Table 8.
While we cannot conclusively link each of these clusters to distinct operators, we note that each cluster utilized independent DNS infrastructure and evolving malware, underscoring the challenge of defending against these attacks through bespoke mitigations. Our results also confirm the recent findings of Lever et al., who observed that the naming infrastructure used by malware is often active weeks prior to its operation [54]. In all cases, the first occurrence of DNS/IP lookup traffic for a cluster far preceded the date that the domains were used as C2 infrastructure for the botnet. For example, even though the peak lookup for cluster 2 occurred on October 21, 2016, the first lookup of a C2 domain in this cluster occurred on August 1, 2016 (Table 8). This also significantly predated the first binary collected for this cluster (October 24, 2016), and the first attacks issued by the cluster (October 26, 2016). These results suggest that careful analysis of DNS infrastructure can potentially guide preventative measures.
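The two analyses described above (the Figure 7 construction, where C2 domains are nodes joined by shared resolution IPs and clusters are the connected components, and the per-cluster lookup-volume and first-seen measurements behind Table 8) can be reproduced from a passive-DNS feed. The following Python is an added illustration, not code from the paper or its authors; it assumes the feed yields (day, domain, resolved IP, lookup count) tuples, and the records, domain names and IP addresses below are constructed placeholders, not real Mirai infrastructure.

```python
"""Cluster C2 domains by shared resolution IPs and measure how far DNS
visibility precedes peak activity.  Added example; sample data constructed."""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS observations: (day, domain, resolved_ip, lookup_count).
# Domains and IPs are placeholders (RFC 5737 ranges), not real C2 infrastructure.
RECORDS = [
    (date(2016, 8, 1),   "c2-a.example", "198.51.100.10", 3),
    (date(2016, 9, 15),  "c2-b.example", "198.51.100.10", 12),
    (date(2016, 10, 20), "c2-b.example", "198.51.100.11", 9000),
    (date(2016, 10, 21), "c2-a.example", "198.51.100.11", 36378),
    (date(2016, 10, 21), "c2-c.example", "198.51.100.11", 100),
    (date(2016, 9, 28),  "c2-x.example", "203.0.113.5",   58000),
    (date(2016, 9, 29),  "c2-y.example", "203.0.113.5",   335),
    (date(2016, 10, 5),  "c2-z.example", "203.0.113.99",  20),   # isolated domain
]


def build_clusters(records):
    """Connected components of the domain graph in which two domains are
    adjacent whenever one IP was observed serving both (the Figure 7 graph).
    Implemented with union-find so large feeds stay near-linear."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path compression
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[ra] = rb

    ip_to_domains = defaultdict(set)
    for _, domain, ip, _ in records:
        find(domain)                        # register every domain as a node
        ip_to_domains[ip].add(domain)
    for domains in ip_to_domains.values():  # each shared IP joins its domains
        first, *rest = sorted(domains)
        for d in rest:
            union(first, d)

    groups = defaultdict(set)
    for d in list(parent):
        groups[find(d)].add(d)
    return sorted(groups.values(), key=lambda s: sorted(s))


def cluster_stats(records, clusters):
    """Per cluster: first day any member domain was looked up, the day of peak
    aggregate lookup volume, that peak volume (the Table 8 size proxy), and
    the number of days of DNS visibility before the peak.  The paper compares
    first-seen against first binary and first attack; a passive-DNS feed alone
    carries neither, so the peak day stands in for 'active use' here."""
    stats = []
    for members in clusters:
        daily = defaultdict(int)
        for day, domain, _, count in records:
            if domain in members:
                daily[day] += count
        first_seen = min(daily)
        peak_day = max(daily, key=lambda d: (daily[d], d))
        stats.append({
            "domains": sorted(members),
            "first_seen": first_seen,
            "peak_day": peak_day,
            "peak_volume": daily[peak_day],
            "lead_days": (peak_day - first_seen).days,
        })
    stats.sort(key=lambda s: s["peak_volume"], reverse=True)  # largest first
    return stats


if __name__ == "__main__":
    for row in cluster_stats(RECORDS, build_clusters(RECORDS)):
        print(f"{row['peak_volume']:>7} lookups on {row['peak_day']}  "
              f"first seen {row['first_seen']} ({row['lead_days']} days earlier)  "
              f"domains={row['domains']}")
```

On a real feed the interesting output is the `lead_days` column: a cluster whose domains resolved weeks before its volume spike is exactly the early-warning window the paragraph above describes, and a defender can sink or block the whole component rather than one domain at a time.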
5.2 Evolution
Although the Mirai ecosystem exploded after the public source code release on September 30, 2016, this was not the botnet's first major evolutionary step. Between August 7, 2016 and September 30, 2016 — when the source code was publicly released — 24 unique Mirai binaries were uploaded to VirusTotal, which we used to explore the botnet's initial maturation. Several key developments occurred during this period. First, we saw the underlying C2 infrastructure upgrade from an IP-based C2 to a domain-based C2 in mid-September. Second, the malware began to delete its executing binary, as well as obfuscate its process ID, also in mid-September. We additionally saw a number of features added to make the malware more virulent, including the addition of more passwords to infect additional devices, the closing of infection ports TCP/23 and TCP/2323, and the aggressive killing of competitive malware in a sample collected on September 29, 2016.

After the public release, we observed the rapid emergence of new features, ranging from improved infection capabilities to hardened binaries that slow reverse engi-
1102 26th USENIX Security Symposium
USENIX Association