Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet

@inproceedings{Herwig2019MeasurementAA,
  title={Measurement and Analysis of Hajime, a Peer-to-peer IoT Botnet},
  author={Stephen Herwig and Katura Harvey and George Hughey and Richard Roberts and Dave Levin},
  booktitle={NDSS},
  year={2019}
}
The Internet of Things (IoT) introduces an unprecedented diversity and ubiquity to networked computing. [...] Our results show that there are more compromised IoT devices than previously reported; that these devices use an assortment of CPU architectures, the popularity of which varies widely by country; that churn is high among IoT devices; and that new exploits can quickly and drastically increase the size and power of IoT botnets.

Disposable botnets: examining the anatomy of IoT botnet infrastructure
Long-term dynamic analysis of the infrastructure of IoT botnets finds no mechanism for attackers to migrate bots to a new C&C server, suggesting that bots are used only immediately after capture and then abandoned, perhaps to be recaptured via the aggressive scanning these botnets are known for.
Examining Mirai's Battle over the Internet of Things
This paper provides a comprehensive view into the ongoing battle over the Internet of Things fought by Mirai and its many siblings, and finds that networks and the particular malware strains that plague them are tightly connected, and that malware authors take over strategies from their competitors over time.
Detecting IoT Devices in the Internet
Three new methods to find IoT devices on the Internet are described: server IP addresses in traffic, server names in DNS queries, and manufacturer information in TLS certificates.
IoT Botnet Forensics: A Comprehensive Digital Forensic Case Study on Mirai Botnet Servers
This research provides findings tactically useful to forensic investigators, not only on what data can be obtained but also on which device to target for acquisition and investigation to obtain the most investigatively useful information.
Dominance as a New Trusted Computing Primitive for the Internet of Things
Cider is presented, a system that can recover IoT devices within a short time even if attackers have taken root control of every device in a large deployment.
A Scalable Platform for Enabling the Forensic Investigation of Exploited IoT Devices and Their Generated Unsolicited Activities
This paper uses a big data analytics framework (Apache Spark) to design and develop a scalable system for automated detection of compromised IoT devices and characterization of their unsolicited activities, and evaluates its effectiveness for network forensic investigation of compromised devices and their activities in near real time.
ADROIT: Detecting Spatio-Temporal Correlated Attack-Stages in IoT Networks
As IoT devices become increasingly deployed for personal as well as commercial purposes, the cyber threat landscape is also changing, with recent years witnessing attacks with higher intensity and [...]
IoTSTEED: Bot-side Defense to IoT-based DDoS Attacks (Extended)
We propose IoTSTEED, a system running in edge routers to defend against Distributed Denial-of-Service (DDoS) attacks launched from compromised Internet-of-Things (IoT) devices. IoTSTEED watches [...]
ADEPT: Detection and Identification of Correlated Attack Stages in IoT Networks
Adept is presented, a distributed framework to detect and identify the individual attack stages of a coordinated attack; the results demonstrate its effectiveness in attack-stage detection and identification.
IoT-Praetor: Undesired Behaviors Detection for IoT Devices
In IoT-Praetor, a new device usage description (DUD) model is proposed to construct an IoT device behavior specification covering communication and interaction behaviors, and a behavior rule engine is designed to detect device behaviors in real time.

References

(showing 10 of 52 references)
Understanding the Mirai Botnet
It is argued that Mirai may represent a sea change in the evolutionary development of botnets, given the simplicity with which devices were infected and its precipitous growth, and that novice malicious techniques can compromise enough low-end devices to threaten even some of the best-defended targets.
Measurements and Mitigation of Peer-to-Peer-based Botnets: A Case Study on Storm Worm
In a case study, the Storm Worm botnet, the most widespread P2P botnet propagating in the wild at the time, is examined in detail, and two different ways to disrupt the communication channel between controller and compromised machines in order to mitigate the botnet are presented.
Phalanx: Withstanding Multimillion-Node Botnets
The goal is to define a system, called Phalanx, that could be deployed in the next few years to address the danger from present-day massive botnets; Phalanx leverages the power of swarms to combat DoS.
Walowdac - Analysis of a Peer-to-Peer Botnet
A clone of the Waledac bot named Walowdac is implemented, which implements the communication features of Waledac but does not cause any harm, i.e., no spam emails are sent and no other commands are executed.
SoK: P2PWNED - Modeling and Evaluating the Resilience of Peer-to-Peer Botnets
A formal graph model is introduced to capture the intrinsic properties and fundamental vulnerabilities of P2P botnets; it can be used to assist security researchers in evaluating mitigation strategies against current and future P2P botnets.
Peer-to-Peer Botnets: Overview and Case Study
An overview of peer-to-peer botnets is presented, along with a case study of a Kademlia-based Trojan, which shows how attackers will move to more resilient architectures in the near future.
Towards complete node enumeration in a peer-to-peer botnet
The Passive P2P Monitor is presented, which can enumerate infected hosts regardless of whether they are behind a firewall or NAT; its coverage is estimated with a probability-based coverage model derived from empirical observation of the Storm botnet.
IoT Goes Nuclear: Creating a ZigBee Chain Reaction
A new type of threat is described in which adjacent IoT devices infect each other with a worm that rapidly spreads over large areas, provided that the density of compatible IoT devices exceeds a certain critical mass.
A Survey of Botnet Technology and Defenses
Global Internet threats have undergone a profound transformation from attacks designed solely to disable infrastructure to those that also target people and organizations. At the center of many of [...]
A Multi-perspective Analysis of Carrier-Grade NAT Deployment
This work develops a methodology to detect the existence of hosts behind CGNs by extracting non-routable IP addresses from peer lists obtained by crawling the BitTorrent DHT, and complements this approach with improvements to the Netalyzr troubleshooting service, enabling it to determine a range of indicators of CGN presence.
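The CGN-detection idea in the entry above, turned into a small worked example. This is added illustration code, not code from the Hajime paper or from the cited CGN study: it decodes the compact peer format used in BitTorrent DHT `get_peers` replies (4-byte IPv4 address followed by a 2-byte big-endian port, as specified in BEP 5) and flags peers that announced an address from RFC 1918 private space or from the RFC 6598 shared address pool (100.64.0.0/10) that carrier-grade NATs use. The peer bytes, the function names and the class labels are constructed for this example; a real crawl would feed in the `values` list of a decoded `get_peers` response instead.

```python
import ipaddress

# Constructed sample: the "values" list of a DHT get_peers reply in compact peer
# format (BEP 5). These bytes are made up for illustration, not captured traffic.
# One entry is deliberately the wrong length to show how malformed data is handled.
SAMPLE_PEER_VALUES = [
    bytes([203, 0, 113, 7]) + (6881).to_bytes(2, "big"),      # public (TEST-NET-3)
    bytes([192, 168, 1, 20]) + (51413).to_bytes(2, "big"),    # RFC 1918 private
    bytes([100, 64, 5, 9]) + (6881).to_bytes(2, "big"),       # RFC 6598 shared (CGN)
    bytes([10, 0, 0, 1, 0x1A, 0xE1, 0xFF]),                   # 7 bytes: malformed, skipped
    bytes([198, 51, 100, 4]) + (6889).to_bytes(2, "big"),     # public (TEST-NET-2)
]

# Ranges that are not globally routable. A peer announcing one of these as its
# own address is behind a NAT: RFC 1918 for ordinary home/office NAT, 100.64/10
# when the ISP itself runs a carrier-grade NAT in front of the subscriber.
RFC1918_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]
CGN_SHARED_NET = ipaddress.ip_network("100.64.0.0/10")


def parse_compact_peers(values):
    """Decode compact peer entries into (ip, port) tuples; wrong-length entries are skipped."""
    peers = []
    for entry in values:
        if len(entry) != 6:          # 4 address bytes + 2 port bytes, nothing else is valid
            continue
        ip = str(ipaddress.IPv4Address(entry[:4]))
        port = int.from_bytes(entry[4:6], "big")
        peers.append((ip, port))
    return peers


def classify_peer(ip):
    """Label an announced address as 'public', 'rfc1918' or 'cgn-shared'."""
    addr = ipaddress.IPv4Address(ip)
    if addr in CGN_SHARED_NET:
        return "cgn-shared"
    if any(addr in net for net in RFC1918_NETS):
        return "rfc1918"
    return "public"


def cgn_indicators(values):
    """Summarise one peer list: per-class counts plus the non-routable peers themselves."""
    summary = {"public": 0, "rfc1918": 0, "cgn-shared": 0, "flagged": []}
    for ip, port in parse_compact_peers(values):
        label = classify_peer(ip)
        summary[label] += 1
        if label != "public":
            summary["flagged"].append((ip, port, label))
    return summary


if __name__ == "__main__":
    print(cgn_indicators(SAMPLE_PEER_VALUES))
```

Across a large crawl, the share of `cgn-shared` announcements per ASN is the interesting signal; a single flagged peer says little, since a misconfigured client can leak a private address without any CGN being involved.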