The Mirai Botnet: A Look Back and Ahead At What's Next, (Tue, Sep 5th)

It is a bit hard to nail down when the Mirai botnet really started. I usually use scans for port 2323 and the use of the password “xc3511” as an indicator. But of course, that isn’t perfect. The very first scan using the password “xc3511” was detected by our sensor on February 26th, 2016, well ahead of Mirai. This scan hit a number of our sensors via ssh. At the time we did not collect telnet brute force attempts. Oddly enough, it was a singular scan from one IP address (185.106.94.136). Starting August 9th, 2016, we do see daily scans for the password xc3511 at a low level until they increase significantly around September 21st, which is probably the best date to identify as the outbreak of what we now call Mirai. I will use “Mirai” to identify the family of aggressive telnet scanning bots. It includes a wide range of varieties that all pretty much do the same thing: scan for systems with telnet exposed (not just on port 23) and then try to log in using a default password.
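The indicator described above (telnet login attempts on port 23 or 2323 using the password xc3511, counted per day until the daily volume jumps) can be applied mechanically to honeypot logs. The script below is an added example, not code from the ISC diary or its sensors: it parses constructed sample records (documentation-range IPs, not real sensor data), ignores attempts that use the password over ssh the way the February 2016 outlier did, tallies matching attempts per day, and reports the first day whose count is at least `factor` times the largest earlier daily count. The record format, the password set and the ramp-up factor are assumptions for this example.

```python
from collections import Counter
from datetime import date

# Constructed sample records for this example (not real ISC data).
# Format assumed here: "YYYY-MM-DD src_ip dst_port password_tried".
# The 2016-02-26 line mirrors the diary's early ssh-only outlier; the rest
# model a low daily trickle in August and a jump on September 21st.
SAMPLE_LOG = """\
2016-02-26 203.0.113.250 22 xc3511
2016-08-09 198.51.100.12 23 xc3511
2016-08-09 198.51.100.40 2323 admin
2016-08-10 203.0.113.7 2323 xc3511
2016-08-11 203.0.113.9 23 xc3511
2016-08-11 198.51.100.77 2323 xc3511
2016-09-21 192.0.2.1 23 xc3511
2016-09-21 192.0.2.2 2323 xc3511
2016-09-21 192.0.2.3 23 xc3511
2016-09-21 192.0.2.4 2323 xc3511
2016-09-21 192.0.2.5 23 xc3511
2016-09-21 192.0.2.6 2323 xc3511
2016-09-21 192.0.2.7 23 xc3511
2016-09-21 192.0.2.8 2323 xc3511
2016-09-21 192.0.2.9 23 xc3511
2016-09-21 192.0.2.10 2323 xc3511
2016-09-21 192.0.2.11 23 xc3511
2016-09-21 192.0.2.12 2323 xc3511
"""

INDICATOR_PASSWORDS = {"xc3511"}  # the single password the diary uses as an indicator
TELNET_PORTS = {23, 2323}         # the two telnet ports the diary names (assumption: only these)


def parse_line(line):
    """Parse one record into (date, src_ip, dst_port, password); None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    day, src_ip, port, password = parts
    try:
        return date.fromisoformat(day), src_ip, int(port), password
    except ValueError:
        return None


def is_mirai_indicator(record):
    """True when the attempt targets a telnet port with an indicator password.

    An ssh attempt (port 22) with the same password is deliberately excluded,
    which is why the early ssh-only outlier does not count toward the tally.
    """
    _, _, port, password = record
    return port in TELNET_PORTS and password in INDICATOR_PASSWORDS


def daily_counts(log_text):
    """Count indicator attempts per day, returned as a date-sorted dict."""
    counts = Counter()
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is not None and is_mirai_indicator(record):
            counts[record[0]] += 1
    return dict(sorted(counts.items()))


def outbreak_day(counts, factor=5):
    """First day whose count is at least `factor` times any earlier day's count.

    `factor` is an assumed threshold chosen for this example, not a value from
    the diary; tune it against your own baseline.
    """
    baseline = 0
    for day in sorted(counts):
        if baseline and counts[day] >= factor * baseline:
            return day
        baseline = max(baseline, counts[day])
    return None


if __name__ == "__main__":
    per_day = daily_counts(SAMPLE_LOG)
    for day, n in per_day.items():
        print(f"{day}: {n} indicator attempt(s)")
    print("outbreak day:", outbreak_day(per_day))
```

Run against real honeypot output, the counting step is what matters; the threshold in `outbreak_day` is only a starting point, since a single scanner on a quiet day can produce the same ratio as a genuine outbreak.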

Article Link: https://isc.sans.edu/diary/rss/22786