Disposable Botnets
Long-term Analysis of IoT Botnet Infrastructure
Rui Tanabe (Yokohama National University)
Tsuyufumi Watanabe (Yokohama National University, Fujisoft Incorporated, Yokohama)
Akira Fujita (National Institute of Information and Communications Technology)
Ryoichi Isawa (National Institute of Information and Communications Technology)
Carlos Hernandez Ganan (TU Delft - Organisation & Governance)
Michel van Eeten (TU Delft - Organisation & Governance)
Katsunari Yoshioka (Yokohama National University)
Tsutomu Matsumoto (Yokohama National University)
Abstract
Large botnets made up of Internet-of-Things (IoT) devices have had a steady presence in the threat landscape since 2016. However, it has not been explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers between 2016 and 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although the share of malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves still have a short lifespan, and this tendency has not changed. The picture that emerges is that of highly disposable botnets: IoT botnets are reconstituted from scratch all the time rather than maintained.
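The two measurements the abstract rests on, how many C&C endpoints a binary hard-codes and how long the servers it points to stay alive, can be reproduced in miniature. The following is an added example, not the paper's tooling or data: it pulls candidate endpoints out of a sample's string table with regular-expression heuristics (the IPv4 and hostname patterns, the RFC 1918 and reserved-range filtering, and the file-extension exclusion list are all assumptions of this example), then computes per-server lifespan from first-seen and last-seen honeypot observations. The binaries, hostnames, addresses and timestamps are constructed; the addresses come from documentation ranges.

```python
"""Added example: static extraction of hard-coded C&C endpoints from IoT
malware samples, and lifespan of the servers they point to, computed from
honeypot observations. Samples, hostnames, addresses and timestamps below are
constructed for illustration; this is not the paper's code or data."""
import ipaddress
import re
from datetime import datetime, timedelta

# Dotted quad that is not embedded in a longer dotted or numeric sequence.
IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
# Hostname-like token whose top-level label is alphabetic.
DOMAIN_RE = re.compile(
    rb"(?<![A-Za-z0-9.-])(?:[A-Za-z0-9-]{1,63}\.)+[A-Za-z]{2,24}(?![A-Za-z0-9.-])"
)
# Heuristic (assumption of this example): tokens ending in these are file
# names such as dropper scripts, not hostnames.
FILE_EXTENSIONS = {"sh", "bin", "so", "txt", "conf", "elf"}
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _routable(text: str) -> bool:
    """True for a syntactically valid IPv4 address that could be a C&C address.
    Explicit checks are used instead of ipaddress.is_global so that the
    documentation ranges used in the constructed samples are not filtered."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ValueError:  # e.g. 999.1.2.3 matched by the regex
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_multicast or ip.is_link_local or ip.is_reserved:
        return False
    return not any(ip in net for net in RFC1918)


def extract_endpoints(sample: bytes) -> dict:
    """Return the candidate C&C endpoints hard-coded in a binary's bytes."""
    ips = sorted({m.decode() for m in IPV4_RE.findall(sample) if _routable(m.decode())})
    domains = set()
    for m in DOMAIN_RE.findall(sample):
        name = m.decode().lower()
        if name.rsplit(".", 1)[-1] not in FILE_EXTENSIONS:
            domains.add(name)
    return {"ips": ips, "domains": sorted(domains)}


def server_lifespans(observations) -> dict:
    """Map each server to (last seen - first seen).
    observations: iterable of (ISO-8601 timestamp, server) from honeypot logs."""
    first, last = {}, {}
    for ts, server in observations:
        t = datetime.fromisoformat(ts)
        first[server] = min(first.get(server, t), t)
        last[server] = max(last.get(server, t), t)
    return {s: last[s] - first[s] for s in first}


def fraction_short_lived(lifespans: dict, days: int = 3) -> float:
    """Share of servers observed for less than `days` days."""
    if not lifespans:
        return 0.0
    short = sum(1 for span in lifespans.values() if span < timedelta(days=days))
    return short / len(lifespans)


# Constructed stand-ins for two binaries' string tables (not real samples).
# The first hard-codes a single IP address, the second a single domain name.
SAMPLE_IP_ONLY = (
    b"\x7fELF\x01\x01\x01\x00/bin/busybox\x00GET /update.sh HTTP/1.1\x00"
    b"0.0.0.0\x00127.0.0.1\x00192.168.1.1\x00255.255.255.0\x00999.1.2.3\x00"
    b"198.51.100.7\x00"
)
SAMPLE_DOMAIN = b"\x7fELF\x01\x01\x01\x00cnc.example.net\x00/bin/busybox\x00wget.sh\x00"

# Constructed honeypot observations: (timestamp, server contacted).
OBSERVATIONS = [
    ("2020-03-01T02:10:00", "cnc.example.net"),
    ("2020-03-02T23:50:00", "cnc.example.net"),
    ("2020-03-05T00:00:00", "198.51.100.7"),
    ("2020-03-20T00:00:00", "198.51.100.7"),
]

if __name__ == "__main__":
    for blob in (SAMPLE_IP_ONLY, SAMPLE_DOMAIN):
        print(extract_endpoints(blob))
    spans = server_lifespans(OBSERVATIONS)
    for server, span in spans.items():
        print(f"{server:20} {span.days} days")
    print(f"short-lived (<3 days): {fraction_short_lived(spans):.0%}")
```

On the constructed inputs each sample yields exactly one routable endpoint, which is the "single hard-coded IP address or domain" pattern the abstract reports; the noise (unspecified, loopback, private and reserved addresses, an out-of-range octet, script file names) is what a naive strings dump would also return and must be filtered. Run over real honeypot logs, `server_lifespans` and `fraction_short_lived` give the share of servers alive for under three days.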