Mirai-like Botnet Site

Alex Rhodes - March 29, 2018

Recently I developed an application for Troy Mursch of Bad Packets Report to help him track a botnet he calls "Mirai-like". The name refers to a similarity between a network signature observed in both this and the Mirai network of infected hosts. The signature can be traced to the Mirai source code, wherein packets sent from the hosts use the destination IP address as the TCP sequence number. Troy has captured an ever-growing list of IP addresses using a Splunk filter to detect this signature. This Splunk data is automatically sent to the site's server where it is passed to an API that returns various ASN and WHOIS information. This data is then parsed and added to the site.

The main page of the site provides options for sorting and filtering the dataset. Each entry contains:

  • IP Address - the IP Address of the infected host. Clicking on the IP address takes the user to a DomainTools WHOIS lookup
  • Autonomous System - the name of the infected host's ASN
  • Country - the country where the infected host is located
  • ASN - the ASN number for the infected host's ASN. Clicking the ASN number takes the user to a Hurricane Electric ASN lookup
  • Date First Seen - the date that the infected host first appeared in the Mirai-like honeypot
  • Shodan Link - A link to the Shodan results page for the infected host
  • Censys Link - A link to the Cenys IPV4 Lookup page for the infected host
  • ZoomEye Link - A link to the ZoomEye results page for the infected host

The Top ASN page returns the most active ASN for the given date range.

The Top Country page returns the most active country for the given date range.

Authenticated users are given the option to export the displayed data set as a CSV file for offline use. Information about the site and the Mirai-like botnet can be found on the about page and by following the Bad Packets twitter.

Project Details

Troy's dataset for the site outgrew the Google Sheets document he had been using to store the data. His requirements were relatively straightforward: browse-able, searchable, exportable display of his data set and back-end functionality to support various administrative tasks. I implemented the following features to fulfill these requirements:

  • The user-facing functionality as outlined above
  • Capability for site admins to grant access to protected functionality via the admin panel
  • Flexible, dynamic HTML meta tag and analytics embeds configurable via the admin panel
  • Customized administrative queries for common manual dataset operations, triggered via the admin panel
  • An automated process to perform conversion and lookup tasks on Splunk exports and import the resulting records.

Troy's excellent work investigating botnets, crypto mining abuse and other cybercrime have made his sites a popular target for attack. For example, our first iteration of the site was hit with a DDOS attack and, as a result, taken offline by the VPS provider. The latest host provides DDOS protection. Typically, I would like to go into more detail about the operational environment, design and architecture of the web application, but I don't want to risk giving useful information to an attacker.

Get honeypotted? I like spam. Contact Us Contact Us Email Email ar.hp@outlook.com email: ar.hp@outlook.com