Disposable botnets: Examining the anatomy of IoT botnet infrastructure

Rui Tanabe, Tatsuya Tamai, Akira Fujita, Ryoichi Isawa, Katsunari Yoshioka, Tsutomu Matsumoto, Carlos Gañán, Michel Van Eeten

Research output: Chapter in Book/Conference proceedings/Edited volumeConference contributionScientificpeer-review

2 Citations (Scopus)


Large botnets made up of Internet-of-Things (IoT) devices have been a steady presence in the threat landscape since 2016. Earlier research has found preliminary evidence that the IoT binaries and C&C infrastructure were only seen for very brief periods. It has not explained how attackers maintain control over their botnets. We present a more comprehensive analysis of the infrastructure of IoT botnets based on 23 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 59,884 IoT malware samples, 35,494 download servers, and 2,747 C&C servers. We focuse on three dominant families: Bashlite, Mirai, and Tsunami. The picture that emerges is that of highly disposable botnets. IoT botnet are not so much maintained as reconstituted from scratch all the time. Not only are most binaries distributed for less than three days, the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. The C&C servers themselves also have a short lifespan. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. In other words, bots are used only immediately after capture and then abandoned - -perhaps to be recaptured again via the aggressive scanning practices that these botnets are known for. While IoT botnets appear less advanced than Windows-based botnets, the advantage of being disposable means that they are very resistant to blacklisting and C&C takedown. Most IP addresses are used only once and never seen again. The question that arises is how attackers source these addresses. We speculate that they might be abusing the IP address allocation practices of cloud providers.

Original languageEnglish
Title of host publicationProceedings of the 15th International Conference on Availability, Reliability and Security, ARES 2020
PublisherAssociation for Computing Machinery (ACM)
Number of pages10
ISBN (Electronic)9781450388337
Publication statusPublished - 2020
Event15th International Conference on Availability, Reliability and Security, ARES 2020 - Virtual, Online, Ireland
Duration: 25 Aug 202028 Aug 2020

Publication series

NameACM International Conference Proceeding Series


Conference15th International Conference on Availability, Reliability and Security, ARES 2020
CityVirtual, Online


  • C&C server
  • Internet-of-things
  • IoT honeypot
  • IoT malware binary


Dive into the research topics of 'Disposable botnets: Examining the anatomy of IoT botnet infrastructure'. Together they form a unique fingerprint.

Cite this