Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet

@article{Herwig2019MeasurementAA,
  title={Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet},
  author={Stephen Herwig and Katura Harvey and George Hughey and Richard Roberts and Dave Levin},
  journal={Proceedings 2019 Network and Distributed System Security Symposium},
  year={2019}
}
The Internet of Things (IoT) introduces an unprecedented diversity and ubiquity to networked computing. []

Key Result: Our results show that there are more compromised IoT devices than previously reported; that these devices use an assortment of CPU architectures, the popularity of which varies widely by country; that churn is high among IoT devices; and that new exploits can quickly and drastically increase the size and power of IoT botnets.
Examining Mirai's Battle over the Internet of Things
TLDR
This paper provides a comprehensive view into the ongoing battle over the Internet of Things fought by Mirai and its many siblings, and finds that networks and the particular malware strains that plague them are tightly connected, and malware authors over time take over strategies from their competitors.
Detecting IoT Devices in the Internet
TLDR
Three new methods to find IoT devices on the Internet: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates are described.
A Formal Analysis of the Efficacy of Rebooting as a Countermeasure Against IoT Botnets
TLDR
This paper models and simulates the dynamic behavior of a Mirai-like botnet infrastructure and various IoT device categories as a network of timed automata in UPPAAL-SMC, to determine the feasibility of rebooting as a countermeasure against botnets.
Advanced System Resiliency Based on Virtualization Techniques for IoT Devices
TLDR
A resilient system architecture suitable for the secure operation of multiple isolated services on one embedded device is derived, focusing on privilege separation among several entities sharing one physical device.
Dominance as a New Trusted Computing Primitive for the Internet of Things
TLDR
Cider is presented, a system that can recover IoT devices within a short amount of time, even if attackers have taken root control of every device in a large deployment.
A Comprehensive Study of Botnets on Internet of Things and Mobile Devices: Detection and Mitigation Techniques
TLDR
This work focuses on the propagation and attack methodology of various types of IoT and mobile botnets, how they are exploited in DDoS attacks, and the technologies used to detect IoT and mobile botnets.
ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks
TLDR
Adroit is a system that correlates anomalies across different networks and different time windows using a scalable network architecture, and is able to detect attack stages with high accuracy while filtering out many false alerts.
IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended)
TLDR
The experiments show that IoTSTEED mitigates all typical attacks, regardless of the attacks' traffic types, attacking devices and victims; an intelligent adversary can design attacks that avoid detection in a few cases, but only at the cost of a weaker attack.
Rootkit Detection on Embedded IoT Devices
TLDR
A rootkit detection approach for embedded IoT devices is presented that takes advantage of a trusted execution environment (TEE), which is often supported on popular IoT platforms such as ARM-based embedded boards.
IoT-Praetor: Undesired Behaviors Detection for IoT Devices
TLDR
In IoT-Praetor, a new device usage description (DUD) model is proposed to construct an IoT device behavior specification, including communication and interaction behaviors, and a behavior rule engine to detect device behaviors in real time is designed.
References (showing 10 of 55)
Understanding the Mirai Botnet
TLDR
It is argued that Mirai may represent a sea change in the evolutionary development of botnets--the simplicity through which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
TLDR
In a case study, the Storm Worm botnet, the most widespread P2P botnet currently propagating in the wild, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.
Walowdac - Analysis of a Peer-to-Peer Botnet
TLDR
A clone of the Waledac bot named Walowdac is implemented, which implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed.
SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
TLDR
A formal graph model is introduced to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets, and it can be used to assist security researchers in evaluating mitigation strategies against current and future P2P botnets.
Peer-to-Peer Botnets: Overview and Case Study
TLDR
An overview of peer-to-peer botnets is presented and a case study of a Kademlia-based Trojan is presented, which shows how attackers will move to more resilient architectures in the near future.
Towards complete node enumeration in a peer-to-peer botnet
TLDR
The Passive P2P Monitor is presented, which can enumerate the infected hosts regardless of whether they are behind a firewall or NAT, and its coverage is characterized by a probability-based coverage model derived from empirical observation of the Storm botnet.
A Survey of Botnet Technology and Defenses
TLDR
This survey paper provides a brief look at how existing botnet research, the evolution and future of botnets, as well as the goals and visibility of today’s networks intersect to inform the field of botnet technology and defense.
A Multi-perspective Analysis of Carrier-Grade NAT Deployment
TLDR
This work develops a methodology to detect the existence of hosts behind CGNs by extracting non-routable IP addresses from peer lists the authors obtain by crawling the BitTorrent DHT, and complements this approach with improvements to the Netalyzr troubleshooting service, enabling it to determine a range of indicators of CGN presence.
Insights from the Inside: A View of Botnet Management from Infiltration
TLDR
A 4-month infiltration of the MegaD botnet, beginning in October 2009, provides insight into MegaD's management structure, its complex and evolving C&C architecture, and its ability to withstand takedown.
Detecting Malicious Activity with DNS Backscatter
TLDR
DNS backscatter is identified as a new source of information about network-wide activity, and it is shown that activity that touches many targets appears even in sampled observations.