Zeek Muratovic

Mirai Detection / Mitigation

Discussion created by Zeek Muratovic on Nov 5, 2016
Latest reply on Nov 21, 2016 by Eric Simmons

I've had a few clients asking me about how Qualys can help us detect Mirai activity in their network and I thought Id post it on the community.


Mirai is a botnet that scans the internet for IoT systems that still use hard coded usernames and passwords such as 'admin'. Once found these systems will be infected by the malware reporting to a central control system which can be used to launch a DDoS attack.


Because Mirai lives in the dynamic memory of a system it can be removed by rebooting it, but there's a high chance of recurrence because they can be reinfected within minutes. 


To detect Mirai activity in your network you can easily create a dashboard in Qualys AssetView that displays systems that run on the following open ports:


  • Use QID 38644 to look for default username/password for telnet.
  • Monitor Internet Protocol (IP) port 2323/TCP and port 23/TCP for attempts to gain unauthorized control over IoT devices using the network terminal (Telnet) protocol.
  • Look for suspicious traffic on port 48101. Infected devices often attempt to spread malware by using port 48101 to send results to the threat actor.


IT security professionals could also use these guidelines to harden against DDoS attacks:



You can also block that port on your network devices assuming there's no communication on a custom application.