Visible to the public Analyzing Variation Among IoT Botnets Using Medium Interaction Honeypots

TitleAnalyzing Variation Among IoT Botnets Using Medium Interaction Honeypots
Publication TypeConference Paper
Year of Publication2020
AuthorsLingenfelter, B., Vakilinia, I., Sengupta, S.
Conference Name2020 10th Annual Computing and Communication Workshop and Conference (CCWC)
Date PublishedJan. 2020
ISBN Number978-1-7281-3783-4
Keywordsanalyzing variation, Botnet, botnet malware strains, botnets, Cats, common attack patterns, composability, Computer crime, computer network security, Cowrie, dominant botnet software, honeypot, honeypot configuration, Internet of Things, invasive software, IoT Botnets, malicious sessions, Malware, medium interaction honeypots, Metrics, mirai, multiple botnet deployments, near-identical malicious login sessions, password, pubcrawl, resilience, Resiliency, Servers, Strain, time 40.0 d

Through analysis of sessions in which files were created and downloaded on three Cowrie SSH/Telnet honeypots, we find that IoT botnets are by far the most common source of malware on connected systems with weak credentials. We detail our honeypot configuration and describe a simple method for listing near-identical malicious login sessions using edit distance. A large number of IoT botnets attack our honeypots, but the malicious sessions which download botnet software to the honeypot are almost all nearly identical to one of two common attack patterns. It is apparent that the Mirai worm is still the dominant botnet software, but has been expanded and modified by other hackers. We also find that the same loader devices deploy several different botnet malware strains to the honeypot over the course of a 40 day period, suggesting multiple botnet deployments from the same source. We conclude that Mirai continues to be adapted but can be effectively tracked using medium interaction honeypots such as Cowrie.

Citation Keylingenfelter_analyzing_2020