Disposable Botnets

Long-term Analysis of IoT Botnet Infrastructure

Journal article (2022)

Authors

Rui Tanabe Yokohama National University
Tsuyufumi Watanabe Fujisoft Incorporated, Yokohama, Yokohama National University
Akira Fujita National Institute of Information and Communications Technology
Ryoichi Isawa National Institute of Information and Communications Technology
C. Hernandez Ganan Organisation & Governance - TPM
M.J.G. van Eeten Organisation & Governance - TPM
Katsunari Yoshioka Yokohama National University
Tsutomu Matsumoto Yokohama National University
Research Group
Organisation & Governance (TPM) (TU Delft)
Copyright: © 2022 Rui Tanabe, Tsuyufumi Watanabe, Akira Fujita, Ryoichi Isawa, C. Hernandez Ganan, M.J.G. van Eeten, Katsunari Yoshioka, Tsutomu Matsumoto
DOI: https://doi.org/10.2197/IPSJJIP.30.577
More Info
expand_more

Published Date

2022

Language

English

Reuse Rights

Other than for strictly personal use, it is not permitted to download, forward or distribute the text or part of it, without the consent of the author(s) and/or copyright holder(s), unless the work is under an open content license such as Creative Commons.

Faculty

Technology, Policy and Management

Department

Multi Actor Systems

Research Group

Organisation & Governance

Abstract

Large botnets made up of Internet-of-Things (IoT) devices have a steady presence in the threat landscape since 2016. However, it has not explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers during 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan and this tendency has not changed. The picture that emerges is that of highly disposable botnets. IoT botnets are reconstituted from scratch all the time rather than maintained.

Files

30_577.pdf
(pdf | 5.49 Mb)
- Embargo expired in 01-07-2023
Unknown license