Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet - PowerPoint PPT Presentation

  1. Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet. Stephen Herwig, Katura Harvey, George Hughey, Richard Roberts, Dave Levin (University of Maryland + The Max Planck Institute for Software Systems)

  2. Rise of IoT Botnets. Hajime: resilient C&C; targets many CPU architectures; scanning behavior is architecture-specific; continuously deploys new exploits.

  3. Talk Overview. Describe: Hajime’s P2P network; our measurement infrastructure; the heterogeneous botnet composition. Analyze: the impact of three exploit deployments. Discuss: the challenges of new, resilient botnets.

  4. BitTorrent’s P2P Network: uses a DHT to track who is downloading what.

  5. BitTorrent’s P2P Network: uses a DHT to track who is downloading what. A peer hosting a file named F announces hash(F).

  6. BitTorrent’s P2P Network: uses a DHT to track who is downloading what. A peer hosting a file named F announces hash(F); the DHT then records that peer as hosting hash(F).

  7. BitTorrent’s P2P Network: uses a DHT to track who is downloading what. A peer hosting a file named F announces hash(F); the DHT records it as hosting hash(F). A peer that wants to download F looks up hash(F), and the DHT provides random subsets of the current uploaders.


  9. Hajime’s P2P Network ① Uses BitTorrent’s DHT to find other bots: a bot announces hash(F) and is recorded as hosting hash(F); a downloading bot looks up hash(F) and receives a random subset of the hosting bots.

  10. Hajime’s P2P Network ① Uses BitTorrent’s DHT to find other bots. The announced file name F encodes: the date (every day, bots are announcing; once per day); the file type, which names their actions (.i – “infect”, .atk – “attack”); and their devices’ architectures (MIPS little endian, MIPS big endian, ARM v5, ARM v6, ARM v7). Hajime’s design is primed for measurement!

  11. Hajime’s P2P Network ② Fetch files directly from one another (after the announce/lookup of hash(F) in the DHT, the hosting and downloading bots talk to each other directly).

  12. Hajime’s P2P Network ② Fetch files directly from one another: the hosting and downloading bots perform a key exchange, then the downloader requests the file. Keys provide long-lived identifiers.

  13. Hajime’s P2P Network. ① Uses BitTorrent’s DHT to find other bots: difficult to take down Hajime (without also taking down BitTorrent). ② Fetch files directly from one another: difficult to centrally monitor. Hajime is a resilient next step in IoT botnets.

  14. Measuring Hajime’s P2P network ① Exhaustively list all peers: look up hash(F) to learn who is hosting hash(F); each reply is only a random subset.

  15. Measuring Hajime’s P2P network ① Exhaustively list all peers: lookup hash(F) → hosting hash(F).

  17. Measuring Hajime’s P2P network ① Exhaustively list all peers: look up every file type / architecture / day combination (e.g. i/mipseb/today, atk/arm5/yesterday, atk/arm7/today, i/mipsel/tomorrow), every 16 minutes for 4 months. 5,404,045 total IP addresses found.

  18. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key through the key exchange. 10,536,174 total keys found.

  19. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key: NATs undercount bots based on IPs. [Scatter plot: keys (0–120K) vs IPs (0–100K) per country: Iran, Mexico, China, India, South Korea, United States, Turkey, Russia, Indonesia] 10,536,174 total keys found.

  20. Measuring Hajime’s P2P network ② Obtain each Hajime bot’s public key: IP reassignment overcounts bots based on IPs. [Scatter plot: keys vs IPs, both 0–900K, per country: Iran, Mexico, China, India, South Korea, United States, Turkey, Russia, Indonesia, Brazil] 10,536,174 total keys found.
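As an added illustration of the measurement approach on slides 14–20 (this is not code from the talk or from the authors’ infrastructure): a small simulation in which each DHT lookup returns only a random subset of the announcers, so enumeration has to repeat lookups until nothing new appears, followed by a comparison of distinct-IP versus distinct-key counts on a constructed population with NAT sharing and IP reassignment. The “type.arch.date” file name and the SHA-1 derivation of hash(F) are assumptions, and the lookup is a stand-in for the real Kademlia exchange.

```python
import hashlib
import random
from dataclasses import dataclass

@dataclass(frozen=True)
class Peer:
    key: str  # long-lived identifier learned through the key exchange
    ip: str   # address seen in the DHT; may be shared (NAT) or reassigned

def info_hash(file_type: str, arch: str, date: str) -> str:
    # ASSUMPTION: the talk only says bots announce hash(F) for a per-day file
    # named by type, architecture and date; Hajime's real naming is not on the
    # page, so an illustrative "type.arch.date" string and SHA-1 are used here.
    return hashlib.sha1(f"{file_type}.{arch}.{date}".encode()).hexdigest()

def dht_lookup(swarm, subset_size, rng):
    """Stand-in for a DHT peer lookup: a random subset of current announcers."""
    return rng.sample(swarm, min(subset_size, len(swarm)))

def enumerate_swarm(swarm, subset_size, rng=None, quiet_rounds=50):
    """Repeat lookups until quiet_rounds consecutive replies add no new peer."""
    rng = rng or random.Random(0)
    seen, quiet, lookups = set(), 0, 0
    while quiet < quiet_rounds:
        lookups += 1
        new = set(dht_lookup(swarm, subset_size, rng)) - seen
        seen |= new
        quiet = 0 if new else quiet + 1
    return seen, lookups

def build_population():
    """Constructed sample: 100 bots; bots 0-29 share three NAT addresses and
    bots 50-99 are handed a new address on the second day of measurement."""
    day1 = [Peer(f"key{i:03d}", f"192.0.2.{i // 10}" if i < 30 else f"10.0.0.{i}")
            for i in range(100)]
    day2 = [Peer(p.key, f"10.0.1.{i}") if i >= 50 else p for i, p in enumerate(day1)]
    return day1, day2

def distinct_counts(observations):
    """(distinct IPs, distinct keys) over a set of observed peers."""
    return len({p.ip for p in observations}), len({p.key for p in observations})

if __name__ == "__main__":
    d1, d2 = build_population()
    found, lookups = enumerate_swarm(d1, subset_size=20)
    print(f"{len(found)}/{len(d1)} peers enumerated after {lookups} lookups")
    print("day 1 (ips, keys):", distinct_counts(d1),
          "whole period (ips, keys):", distinct_counts(d1 + d2))
```

A single-day IP count comes out below the key count (NAT), while the IP count over the whole period comes out above it (reassignment); the key count is stable in both.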

  21. Datasets (Jan 25, 2018 – Jun 1, 2018). DHT scans: 5,404,045 unique IP addresses. Key scans: 10,536,174 unique keys. Reverse engineering: 47 modules (34 .atk, 13 .i). All available at iot.cs.umd.edu

  22. Analysis Questions. Characteristics: How large is the botnet? Where are bots located? What devices make up the botnet? Dynamics: How do exploits change the botnet? How quickly does Hajime update itself? How does Hajime deploy new exploits?

  23. How big is Hajime? [Plot: number of distinct bots (0–100K) over time, 20-minute bins, 01-26 to 06-01, with markers for the atk.mipseb and .i.mipseb updates]

  24. How big is Hajime? [Plot: number of distinct bots (0–100K) over time, 20-minute bins, 01-26 to 06-01, with markers for the atk.mipseb and .i.mipseb updates] Peaks of 95K after the Chimay-Red and GPON exploits; steady state of ~40K bots.

  25. Where are bots located? [Plot: number of distinct bots (0–100K) over time by country (Others, Mexico, S. Korea, Russia, Brazil, China, US, Indonesia, Iran, India, Turkey), 20-minute bins, 01-26 to 06-01, with atk.mipseb and .i.mipseb update markers]

  27. Where are bots located? [Plot: number of distinct bots (0–100K) over time by country (Others, Mexico, S. Korea, Russia, Brazil, China, US, Indonesia, Iran, India, Turkey), 20-minute bins, 01-26 to 06-01, with atk.mipseb and .i.mipseb update markers] Russia expanded after Chimay-Red: 500 → 6,000 hourly. The geographic makeup of IoT botnets can change rapidly.

  28. Where are bots located? [Plot: number of distinct bots (0–100K) over time by country (Others, Mexico, S. Korea, Russia, Brazil, China, US, Indonesia, Iran, India, Turkey), 20-minute bins, 01-26 to 06-01, with atk.mipseb and .i.mipseb update markers] Russia expanded after Chimay-Red (500 → 6,000 hourly); Mexico was mostly affected by GPON. The geographic makeup of IoT botnets can change rapidly.

  29. What CPU architectures are most infected? [Plot: number of distinct bots (0–100K) over time by architecture (mipseb, mipsel, arm7, arm6, arm5), 20-minute bins, 01-26 to 06-01, with atk.mipseb and .i.mipseb update markers]

  30. What CPU architectures are most infected? [Plot: number of distinct bots (0–100K) over time by architecture (mipseb, mipsel, arm7, arm6, arm5), 20-minute bins, 01-26 to 06-01, with atk.mipseb and .i.mipseb update markers] Devices overwhelmingly run MIPS: 74.2% of bot devices are MIPS big-endian (mipseb).

  31. How does CPU architecture vary by country? [Bar chart: number of distinct bots per country (Brazil, China, Iran, India, Korea, US, Turkey, Russia, Mexico), stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M]

  32. How does CPU architecture vary by country? After the introduction of the GPON vulnerability. [Bar chart: number of distinct bots per country (Brazil, China, Iran, India, Korea, US, Turkey, Russia, Mexico), stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M] IoT botnets are highly heterogeneous across the world.

  33. How does CPU architecture vary by country? After the introduction of the GPON vulnerability. [Bar chart: number of distinct bots per country (Brazil, China, Iran, India, Korea, US, Turkey, Russia, Mexico), stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M] New vulnerabilities can lead to drastic changes in geography.

  34. How does CPU architecture vary by country? After the introduction of the GPON vulnerability. [Bar chart: number of distinct bots for Mexico, stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M] New vulnerabilities can lead to drastic changes in geography.

  35. How does CPU architecture vary by country? Mexico changed from primarily ARM to primarily MIPS. [Bar chart: number of distinct bots for Mexico before GPON vs Mexico after GPON, stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M] New vulnerabilities can lead to drastic changes in geography.

  36. How does CPU architecture vary by country? Mexico changed from primarily ARM to primarily MIPS. [Bar chart: number of distinct bots for Mexico before GPON vs Mexico after GPON, stacked by architecture (unknown, mipseb, mipsel, arm7, arm6, arm5); y-axis 0–600K with a break up to 5M] New vulnerabilities can lead to drastic changes in geography and composition.

  37. What devices are infected? DHT scans + Censys.

  38. What devices are infected? DHT scans + Censys: no device information on over 80% of bot IP addresses. Of those identifiable, 0.8% were MikroTik the day before Chimay-Red, and 80.3% the day after.

  39. How quickly does Hajime disseminate module updates? [Plot: % of mipseb bots hosting or looking up each file version, two panels (% of bots per .atk version; % of bots per .i version), 0–100%, 20-minute bins, 03-15 to 05-24]
