Mirai-like Botnet Hosts

What does "Mirai-like" mean?

Mirai scans have a unique fingerprint based on the original source code.

The TCP Sequence Number of each scan packet equals the target (destination) IP address, read as a 32-bit integer. The examples below show that value in decimal (numeric) format.

As the target IP changes, the Sequence Number of the traffic coming from the infected host will change accordingly.

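| Source IP | Sequence Number | Destination IP | Destination Port | Protocol | Count |
|-----------|-----------------|----------------|------------------|----------|-------|
|           | 1155727431      |                | 22               | TCP      | 8     |
|           | 1155727462      |                | 22               | TCP      | 12    |
|           | 1155727468      |                | 22               | TCP      | 7     |
|           | 1155727827      |                | 22               | TCP      | 18    |
|           | 1155728027      |                | 22               | TCP      | 13    |
|           | 1185554622      |                | 22               | TCP      | 11    |
|           | 1186240978      |                | 22               | TCP      | 2     |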
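One way to apply this fingerprint to captured SYN records, as an added example that is not code from the original page or from the Mirai source. The record layout, the function names and the `min_targets` threshold are assumptions, and the sample addresses are constructed from RFC 5737 documentation ranges.

```python
import ipaddress
from collections import defaultdict

# Constructed sample SYN records: (source IP, destination IP, TCP sequence number).
SAMPLE_SYNS = [
    ("203.0.113.7", "192.0.2.10", 3221225994),    # seq == 192.0.2.10
    ("203.0.113.7", "192.0.2.11", 3221225995),    # seq == 192.0.2.11
    ("203.0.113.7", "198.51.100.5", 3325256709),  # seq == 198.51.100.5
    ("203.0.113.50", "192.0.2.10", 1804289383),   # ordinary random ISN
    ("203.0.113.50", "192.0.2.11", 846930886),    # ordinary random ISN
    ("203.0.113.99", "192.0.2.10", 3221225994),   # one isolated match
]

def seq_to_ip(tcp_seq):
    """Render a 32-bit sequence number as the dotted-quad address it encodes."""
    return str(ipaddress.IPv4Address(tcp_seq & 0xFFFFFFFF))

def seq_matches_dst(dst_ip, tcp_seq):
    """True when the sequence number equals the destination IP as an integer."""
    return int(ipaddress.IPv4Address(dst_ip)) == (tcp_seq & 0xFFFFFFFF)

def mirai_like_sources(records, min_targets=2):
    """Return {source IP: sorted matching destinations} for fingerprinted sources.

    A single match can be a coincidence (a random ISN has a 1 in 2**32 chance
    of equalling the destination), so a source is reported only after it has
    matched on at least `min_targets` distinct destinations. The threshold is
    an assumption of this example, not something the page specifies.
    """
    hits = defaultdict(set)
    for src, dst, seq in records:
        if seq_matches_dst(dst, seq):
            hits[src].add(dst)
    return {src: sorted(dsts) for src, dsts in hits.items()
            if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, dsts in mirai_like_sources(SAMPLE_SYNS).items():
        print(f"{src} shows the Mirai-like fingerprint on {len(dsts)} targets: {dsts}")
```

Because the sequence number follows the destination, the check has to compare both fields of the same packet. Matching on a fixed sequence value would miss the host as soon as it moves to the next target.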

Data use

