Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure

Rui Tanabe; Tsuyufumi Watanabe; Akira Fujita; Ryoichi Isawa; Carlos Gañán; Michel van Eeten; Katsunari Yoshioka; Tsutomu Matsumoto

doi:10.2197/IPSJJIP.30.577

Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure

Rui Tanabe, Tsuyufumi Watanabe, Akira Fujita, Ryoichi Isawa, Carlos Gañán, Michel van Eeten, Katsunari Yoshioka, Tsutomu Matsumoto

Organisation & Governance

Research output: Contribution to journal › Article › Scientific › peer-review

1 Citation (Scopus)

15 Downloads (Pure)

Abstract

Large botnets made up of Internet-of-Things (IoT) devices have a steady presence in the threat landscape since 2016. However, it has not explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers during 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan and this tendency has not changed. The picture that emerges is that of highly disposable botnets. IoT botnets are reconstituted from scratch all the time rather than maintained.

Original language	English
Pages (from-to)	577-590
Number of pages	14
Journal	Journal of Information Processing
Volume	30
DOIs	https://doi.org/10.2197/IPSJJIP.30.577
Publication status	Published - 2022

Bibliographical note

Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

C&C server
Internet-of-Things
IoT honeypot
IoT malware binary

Access to Document

10.2197/IPSJJIP.30.577

30_577Final published version, 5.41 MB

Cite this

@article{379ab3f9febd4cc9ad262fcb2bb9471c,

title = "Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure",

abstract = "Large botnets made up of Internet-of-Things (IoT) devices have a steady presence in the threat landscape since 2016. However, it has not explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers during 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan and this tendency has not changed. The picture that emerges is that of highly disposable botnets. IoT botnets are reconstituted from scratch all the time rather than maintained.",

keywords = "C&C server, Internet-of-Things, IoT honeypot, IoT malware binary",

author = "Rui Tanabe and Tsuyufumi Watanabe and Akira Fujita and Ryoichi Isawa and Carlos Ga{\~n}{\'a}n and {van Eeten}, Michel and Katsunari Yoshioka and Tsutomu Matsumoto",

note = "Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.",

year = "2022",

doi = "10.2197/IPSJJIP.30.577",

language = "English",

volume = "30",

pages = "577--590",

journal = "Journal of Information Processing",

issn = "1882-6652",

publisher = "Information Processing Society of Japan",

}

TY - JOUR

T1 - Disposable Botnets

T2 - Long-term Analysis of IoT Botnet Infrastructure

AU - Tanabe, Rui

AU - Watanabe, Tsuyufumi

AU - Fujita, Akira

AU - Isawa, Ryoichi

AU - Gañán, Carlos

AU - van Eeten, Michel

AU - Yoshioka, Katsunari

AU - Matsumoto, Tsutomu

N1 - Green Open Access added to TU Delft Institutional Repository 'You share, we take care!' - Taverne project https://www.openaccess.nl/en/you-share-we-take-care Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

PY - 2022

Y1 - 2022

N2 - Large botnets made up of Internet-of-Things (IoT) devices have a steady presence in the threat landscape since 2016. However, it has not explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers during 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan and this tendency has not changed. The picture that emerges is that of highly disposable botnets. IoT botnets are reconstituted from scratch all the time rather than maintained.

AB - Large botnets made up of Internet-of-Things (IoT) devices have a steady presence in the threat landscape since 2016. However, it has not explained how attackers maintain control over their botnets. In this paper, we present a long-term analysis of the infrastructure of IoT botnets based on 36 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 64,260 IoT malware samples, 35,494 download servers, and 4,736 C&C servers during 2016 to 2021. Not only are most binaries distributed for less than three days, but the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. Although malware binaries that use domain names to connect to their C&C servers increased in 2020, the C&C servers themselves have a short lifespan and this tendency has not changed. The picture that emerges is that of highly disposable botnets. IoT botnets are reconstituted from scratch all the time rather than maintained.

KW - C&C server

KW - Internet-of-Things

KW - IoT honeypot

KW - IoT malware binary

UR - http://www.scopus.com/inward/record.url?scp=85139101746&partnerID=8YFLogxK

U2 - 10.2197/IPSJJIP.30.577

DO - 10.2197/IPSJJIP.30.577

M3 - Article

AN - SCOPUS:85139101746

SN - 1882-6652

VL - 30

SP - 577

EP - 590

JO - Journal of Information Processing

JF - Journal of Information Processing

ER -

Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Cybersecurity (TPM)

Cite this

Disposable Botnets: Long-term Analysis of IoT Botnet Infrastructure

Abstract

Bibliographical note

Keywords

Access to Document

Other files and links

Fingerprint

Projects

Cybersecurity (TPM)

Cite this