TU Darmstadt / ULB / TUbiblio

The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants

Böck, Leon ; Sundermann, Valentin ; Fusari, Isabella ; Karuppayah, Shankar ; Mühlhäuser, Max ; Levin, Dave (2023)
The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants.
doi: 10.48550/arXiv.2309.01130
Report, Bibliographie

Kurzbeschreibung (Abstract)

Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they exhibit different behavior to network events such as diurnal rate limiting in China, and more. Collectively, our results show that there is no longer one canonical IoT botnet. We discuss the implications of this finding for researchers and practitioners.

Typ des Eintrags: Report
Erschienen: 2023
Autor(en): Böck, Leon ; Sundermann, Valentin ; Fusari, Isabella ; Karuppayah, Shankar ; Mühlhäuser, Max ; Levin, Dave
Art des Eintrags: Bibliographie
Titel: The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants
Sprache: Deutsch
Publikationsjahr: 3 September 2023
Verlag: arXiV
Reihe: Cryptography and Security
Auflage: 1. Version
DOI: 10.48550/arXiv.2309.01130
URL / URN: https://arxiv.org/abs/2309.01130
Kurzbeschreibung (Abstract):

Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they exhibit different behavior to network events such as diurnal rate limiting in China, and more. Collectively, our results show that there is no longer one canonical IoT botnet. We discuss the implications of this finding for researchers and practitioners.

Fachbereich(e)/-gebiet(e): 20 Fachbereich Informatik
20 Fachbereich Informatik > Telekooperation
Hinterlegungsdatum: 11 Apr 2024 12:38
Letzte Änderung: 16 Jul 2024 12:41
PPN: 519945662
Export:
Suche nach Titel in: TUfind oder in Google
Frage zum Eintrag Frage zum Eintrag

Optionen (nur für Redakteure)
Redaktionelle Details anzeigen Redaktionelle Details anzeigen