Profiling IoT Botnet Activity in the Wild


Hatem A. Almazarqi, Angelos K. Marnerides, Troy Mursch, Mathew Woodyard, and Dimitrios Pezaros

2020 – 2021 IEEE Global Communications Conference (GLOBECOM)

Undoubtedly, the Internet of Things (IoT) contributes significantly to daily mission-critical processes underpinning a number of socio-technical systems. Conversely, its rapid adoption has extensively broadened the cyber-threat landscape by virtue of low-cost IoT devices that are manufactured and deployed with minimal security. Evidently, vulnerable IoT devices are utilised by attackers to participate in Internet-wide botnets in order to instrument large-scale cyber-attacks and disrupt critical Internet services. Since the 2016 outbreak of the first IoT Mirai botnet there has been a continuous evolution of Mirai-like variants. Tracking these botnets is challenging due to their varying structural characteristics, and also due to the fact that malicious actors continuously adopt new evasion and propagation strategies. This work provides a new measurement study highlighting specific behavioural properties of Mirai-like botnets in terms of their propagation. We provide a comprehensive analysis conducted on real Cyber Threat Intelligence (CTI) feeds gathered for a period of 7 months from globally distributed attack honeypots and pinpoint the evolutionary port scanning patterns, targeted vulnerabilities and preferred services pursued by Mirai-like botnets. We identify the most frequently active Mirai-like malware binaries and we are the first to report the evolution of a new, P2P-based variant. In parallel, we provide evidence related to the lack of vendor-specific patching through highlighting unpatched vulnerabilities. Moreover, we pinpoint the inadequacy of widely used IP blacklisting databases to timely list malicious IP addresses. We thus argue in favour of integrating honeypot information from diverse Internet vantage points within the design of next generation botnet defence mechanisms.


Profiling IoT-based botnet traffic using DNS


Owen Dwyer, Angelos Marnerides, Vasileios Giotsas, and Troy Mursch

2019 IEEE Global Communications Conference (GLOBECOM)

Internet-wide security and resilience have traditionally been subject to large-scale DDoS attacks initiated by various types of botnets. Since the Mirai outbreak in 2016 myriads of Mirai-alike IoT-based botnets have emerged. Such botnets rely on Mirai’s base malware code and they infiltrate vulnerable IoT devices on an Internet-wide scale so as to instrument them to perform large-scale attacks such as DDoS. As recently shown, DDoS attacks triggered by Mirai-alike IoT-based botnets go far beyond traditional pre-2016 DDoS attacks since they have a much higher amplification and their propagation is far more aggressive. Thus, it is of crucial importance to tailor botnet detection schemes accordingly. This work provides a novel DNS-based profiling scheme over real datasets of Mirai-alike botnet activity captured on honeypots that are globally distributed. We firstly discuss features used in profiling botnets in the past and indicate how profiling IoT-based botnets in particular can be improved by leveraging DNS information out of a single DNS record. We further conduct an evaluation of our developed feature set over various Machine Learning (ML) classifiers and demonstrate the applicability of our scheme. Our resulting outputs indicate that the proposed feature set can significantly reduce botnet detection time whilst simultaneously maintaining high levels of accuracy of 99% on average under the random forest formulation.


Identifying infected energy systems in the wild


Angelos Marnerides, Vasileios Giotsas, and Troy Mursch

e-Energy ’19: Proceedings of the Tenth ACM International Conference on Future Energy Systems

The 2016 Mirai outbreak established an entirely new mindset in the history of large-scale Internet attacks. A plethora of Mirai-like variants have emerged in the last two years that are capable of infiltrating any type of device. In this paper we provide a 7-month retrospective analysis of Internet-connected energy systems that are infected by Mirai-like malware variants. By utilizing network measurements from several Internet vantage points, we demonstrate that a number of energy systems on a global scale were infected during the period of our observation. While past works have studied vulnerabilities and patching practices of ICS and energy systems, little information has been available on actual exploits of such vulnerabilities. Hence, we provide evidence that energy systems relying on ICS networks are often compromised by vulnerabilities in non-ICS devices (routers, servers and IoT devices) which provide a foothold for lateral network attacks. Our work offers a first look at energy systems compromised by malware infections, and offers insights on the lack of proper security practices for systems that are increasingly dependent on Internet services and more recently the IoT. In addition, we indicate that such systems were infected for relatively long periods, thus potentially remaining undetected by their corresponding organizational units.


A first look at browser-based cryptojacking


Shayan Eskandari, Andreas Leoutsarakos, Troy Mursch, and Jeremy Clark

IEEE Security & Privacy on the Blockchain (IEEE S&B) 2018

In this paper, we examine the recent trend towards in-browser mining of cryptocurrencies; in particular, the mining of Monero through Coinhive and similar codebases. In this model, a user visiting a website will download a JavaScript code that executes client-side in her browser, mines a cryptocurrency—typically without her consent or knowledge—and pays out the seigniorage to the website. Websites may consciously employ this as an alternative or to supplement advertisement revenue, may offer premium content in exchange for mining, or may be unwittingly serving the code as a result of a breach (in which case the seigniorage is collected by the attacker). The cryptocurrency Monero is preferred seemingly for its unfriendliness to large-scale ASIC mining that would drive browser-based efforts out of the market, as well as for its purported privacy features. In this paper, we survey this landscape, conduct some measurements to establish its prevalence and profitability, outline an ethical framework for considering whether it should be classified as an attack or business opportunity, and make suggestions for the detection, mitigation and/or prevention of browser-based mining for nonconsenting users.
The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle


Omar Alrawi, Charles Lever, Kevin Valakuzhy, Ryan Court, Kevin Snow, Fabian Monrose, and Manos Antonakakis

Proceedings of the 30th USENIX Security Symposium

Our current defenses against IoT malware may not be adequate to remediate an IoT malware attack similar to the Mirai botnet. This work seeks to investigate this matter by systematically and empirically studying the lifecycle of IoT malware and comparing it with traditional malware that targets desktop and mobile platforms. We present a large-scale measurement of more than 166K Linux-based IoT malware samples collected over a year. We compare our results with prior works by systematizing desktop and mobile malware studies into a novel framework and answering key questions about defense readiness. Based on our findings, we deduce that the required technology to defend against IoT malware is available, but we conclude that there are insufficient efforts in place to deal with a large-scale IoT malware infection breakout.

Bad Packets contributed to Verizon’s 2021 DBIR – a data-driven approach to analyzing the current cybersecurity landscape.