Sometimes on login prompts the attacks would use shell commands, indicating that the malware had a bug that made it blind to the fact that its login attempt had failed so it ran commands as if it had logged in successfully. The commands were attempts to download the Mirai malware.
That gave Akamai researchers something to compare actual attack traffic to.
Akamai tracked down some of the hosts in the botnet and found they were closed-circuit cameras and DVR systems. So the packets being sent were similar to what Mirai sends and the types of devices in the attacks were the types Miria preys upon.
Sign up for CIO Asia eNewsletters.