Profiling IoT Botnet Activity in the Wild

Almazarqi, H. A. , Marnerides, A. , Mursch, T., Woodyard, M. and Pezaros, D. (2022) Profiling IoT Botnet Activity in the Wild. In: 2021 IEEE Global Communications Conference (GLOBECOM), Madrid, Spain, 07-11 Dec 2021, ISBN 9781728181042 (doi: 10.1109/GLOBECOM46510.2021.9686012)

[img] Text
257918.pdf - Accepted Version

407kB

Abstract

Undoubtedly, the Internet of Things (IoT) contributes significantly to daily mission-critical processes underpinning a number of socio-technical systems. Conversely, its rapid adoption has extensively broadened the cyber-threat landscape by virtue of low-cost IoT devices that are manufactured and deployed with minimal security. Evidently, vulnerable IoT devices are utilised by attackers to participate into Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Since the 2016 outbreak of the first IoT Mirai botnet there has been a continuous evolution of Mirai-like variants. Tracking these botnets is challenging due to their varying structural characteristics, and also due to the fact that malicious actors continuously adopt new evasion and propagation strategies. This work provides a new measurement study highlighting specific behavioural properties of Mirai-like botnets in terms of their propagation. We provide a comprehensive analysis conducted on real Cyber Threat Intelligence (CTI) feeds gathered for a period of 7 months from globally distributed attack honeypots and pinpoint the evolutionary port scanning patterns, targeted vulnerabilities and preferred services pursued by Mirai-like botnets. We identify the most frequently active Mirai-like malware binaries and we are the first to report the evolution of a new, P2P-based variant. In parallel, we provide evidence related to the lack of vendor-specific patching through highlighting unpatched vulnerabilities. Moreover, we pinpoint the inadequacy of widely used IP blacklisting databases to timely list malicious IP addresses. Thus, arguing in fair of integrating honeypot information from diverse Internet vantage points within the design of next generation botnet defence mechanisms.

Item Type:Conference Proceedings
Status:Published
Refereed:Yes
Glasgow Author(s) Enlighten ID:Almazarqi, Hatem Aied S and Pezaros, Professor Dimitrios and Marnerides, Dr Angelos
Authors: Almazarqi, H. A., Marnerides, A., Mursch, T., Woodyard, M., and Pezaros, D.
College/School:College of Science and Engineering > School of Computing Science
ISBN:9781728181042
Published Online:02 February 2022
Copyright Holders:Copyright © 2021 IEEE
Publisher Policy:Reproduced in accordance with the publisher copyright policy
Related URLs:

University Staff: Request a correction | Enlighten Editors: Update this record