Böck, Leon ; Sundermann, Valentin ; Fusari, Isabella ; Karuppayah, Shankar ; Mühlhäuser, Max ; Levin, Dave (2023)
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants.
doi: 10.48550/arXiv.2309.01130
Report, Bibliographie
Kurzbeschreibung (Abstract)
Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they exhibit different behavior to network events such as diurnal rate limiting in China, and more. Collectively, our results show that there is no longer one canonical IoT botnet. We discuss the implications of this finding for researchers and practitioners.
Typ des Eintrags: | Report |
---|---|
Erschienen: | 2023 |
Autor(en): | Böck, Leon ; Sundermann, Valentin ; Fusari, Isabella ; Karuppayah, Shankar ; Mühlhäuser, Max ; Levin, Dave |
Art des Eintrags: | Bibliographie |
Titel: | The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants |
Sprache: | Deutsch |
Publikationsjahr: | 3 September 2023 |
Verlag: | arXiV |
Reihe: | Cryptography and Security |
Auflage: | 1. Version |
DOI: | 10.48550/arXiv.2309.01130 |
URL / URN: | https://arxiv.org/abs/2309.01130 |
Kurzbeschreibung (Abstract): | Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they exhibit different behavior to network events such as diurnal rate limiting in China, and more. Collectively, our results show that there is no longer one canonical IoT botnet. We discuss the implications of this finding for researchers and practitioners. |
Fachbereich(e)/-gebiet(e): | 20 Fachbereich Informatik 20 Fachbereich Informatik > Telekooperation |
Hinterlegungsdatum: | 11 Apr 2024 12:38 |
Letzte Änderung: | 16 Jul 2024 12:41 |
PPN: | 519945662 |
Export: | |
Suche nach Titel in: | TUfind oder in Google |
Frage zum Eintrag |
Optionen (nur für Redakteure)
Redaktionelle Details anzeigen |