Disposable botnets: examining the anatomy of IoT botnet infrastructure

Large botnets made up of Internet-of-Things (IoT) devices have been a steady presence in the threat landscape since 2016. Earlier research has found preliminary evidence that the IoT binaries and C&C infrastructure were only seen for very brief periods. It has not explained how attackers maintain control over their botnets. We present a more comprehensive analysis of the infrastructure of IoT botnets based on 23 months of data gathered via honeypots and the monitoring of botnet infrastructure. We collected 59,884 IoT malware samples, 35,494 download servers, and 2,747 C&C servers. We focuse on three dominant families: Bashlite, Mirai, and Tsunami. The picture that emerges is that of highly disposable botnets. IoT botnet are not so much maintained as reconstituted from scratch all the time. Not only are most binaries distributed for less than three days, the connection of bots to the rest of the botnet is also short-lived. To reach the C&C server, the binaries typically contain only a single hard-coded IP address or domain. The C&C servers themselves also have a short lifespan. Long-term dynamic analysis finds no mechanism for the attackers to migrate the bots to a new C&C server. In other words, bots are used only immediately after capture and then abandoned---perhaps to be recaptured again via the aggressive scanning practices that these botnets are known for. While IoT botnets appear less advanced than Windows-based botnets, the advantage of being disposable means that they are very resistant to blacklisting and C&C takedown. Most IP addresses are used only once and never seen again. The question that arises is how attackers source these addresses. We speculate that they might be abusing the IP address allocation practices of cloud providers.