Skip to main page content
U.S. flag

An official website of the United States government

Dot gov

The .gov means it’s official.
Federal government websites often end in .gov or .mil. Before sharing sensitive information, make sure you’re on a federal government site.

Https

The site is secure.
The https:// ensures that you are connecting to the official website and that any information you provide is encrypted and transmitted securely.

Access keys NCBI Homepage MyNCBI Homepage Main Content Main Navigation
. 2019 Feb 11;19(3):727.
doi: 10.3390/s19030727.

Improving IoT Botnet Investigation Using an Adaptive Network Layer

João Marcelo Ceron  1 Klaus Steding-Jessen  2 Cristine Hoepers  3 Lisandro Zambenedetti Granville  4 Cíntia Borges Margi  5
Affiliations

Improving IoT Botnet Investigation Using an Adaptive Network Layer

João Marcelo Ceron et al. Sensors (Basel). .

Abstract

IoT botnets have been used to launch Distributed Denial-of-Service (DDoS) attacks affecting the Internet infrastructure. To protect the Internet from such threats and improve security mechanisms, it is critical to understand the botnets' intents and characterize their behavior. Current malware analysis solutions, when faced with IoT, present limitations in regard to the network access containment and network traffic manipulation. In this paper, we present an approach for handling the network traffic generated by the IoT malware in an analysis environment. The proposed solution can modify the traffic at the network layer based on the actions performed by the malware. In our study case, we investigated the Mirai and Bashlite botnet families, where it was possible to block attacks to other systems, identify attacks targets, and rewrite botnets commands sent by the botnet controller to the infected devices.

Keywords: IoT; SDN; botnet; malware; malware analysis.

PubMed Disclaimer

Conflict of interest statement

The authors declare no conflict of interest.

Figures

Figure 1
Figure 1
Adaptive network layer overview.
Figure 2
Figure 2
Mirai Scan Signature: The TCP scan packets are instantiated using the same value for the fields destination IP address and TCP Sequence number.
Figure 3
Figure 3
C&C Protocol: Message exchange process implemented by Bashlite and Mirai malware families.
Figure 4
Figure 4
Malware analysis environment setup.
Figure 5
Figure 5
Bashlite’s execution flow: the bot initially establishes a communication with the C&C and then performs the propagation attacks scans.
Figure 6
Figure 6
Mirai’s execution flow: The malware initiates the propagation scan process and simultaneously contacts its C&C.
Figure 7
Figure 7
Bashlite egress traffic: the number of packets per hour generated by the analyzed malware.
Figure 8
Figure 8
Mirai egress traffic: the number of packets per hour generated by the analyzed malware.
See this image and copyright information in PMC

References

    1. Land J. Systemic Vulnerabilities in Customer-Premises Equipment (CPE) Routers. Carnegie Mellon University; Pittsburgh, PA, USA: Jul, 2017. CMU/SEI-2017-SR-019.
    1. Cozzi E., Graziano M., Fratantonio Y., Balzarotti D. Understanding Linux Malware; Proceedings of the IEEE Symposium on Security & Privacy; San Francisco, CA, USA. 21–23 May 2018.
    1. Dyn O. Dyn Statement on 10/21/2016 DDoS Attack. [(accessed on 30 January 2018)]; Available online: http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/
    1. Krebs B. KrebsOnSecurity Hit with Record DDoS. [(accessed on 30 January 2018)]; Available online: https://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/
    1. Santanna J.J., van Rijswijk-Deij R., Hofstede R., Sperotto A., Wierbosch M., Granville L.Z., Pras A. Booters—An analysis of DDoS-as-a-service attacks; Proceedings of the 2015 IFIP/IEEE International Symposium on Integrated Network Management (IM); Ottawa, ON, Canada. 11–15 May 2015; Piscataway, NJ, USA: IEEE; 2015. pp. 243–251.

LinkOut - more resources