
Sagishi: an undercover software agent infiltrating IoT botnets

Internet of Things (IoT) devices are continuously proliferating. In fact, by 2030, up to 125 billion devices will be connected to the Internet. Directly related to the proliferation of IoT devices is the proliferation of IoT malware and, in particular, IoT botnets. Mapping and classifying the bots that form part of IoT botnets, and how these propagate over the Internet, is a challenging task. Fooresec aimed to address this issue by footprinting, reporting and remotely securing IoT devices that had previously been turned into bots. Its activities were based on honeypots that were able to ‘sense’ the Internet solely in order to map and classify IoT bots according to their behaviours. In order to have a more detailed understanding of this phenomenon, other elements of a botnet, apart from the bots themselves, can be taken into account: malware samples collected by honeypots contain relevant pieces of information about the global structure of the botnet, such as command and control (C&C) servers, hostnames and/or IP addresses, relevant TCP/UDP ports (from now on, for the sake of simplicity, we will refer to these as ‘addresses’ and ‘ports’) and so on. These features of the botnet can be used by a software agent to infiltrate the botnet and then collect information that is otherwise unavailable. In fact, such an agent, which is capable of emulating the behaviour of a genuine infected host, can fool the C&C server and discover the commands issued by the botnet master. A software architecture with these characteristics is described in this article. The most important part of the architecture is Sagishi (‘swindler’ in Japanese), the software agent mentioned earlier, which is implemented in our working prototype of the described architecture. The prototype was used to collect data over a 49-day period. To indicate the validity of the approach, some results produced from the collected data are also presented.

Network Security Journal, 2019

IIT authors:

Andrea Oliveri


Type: Contribution in a non-ISI journal
Field of reference: Information Technology and Communication Systems

File: 20190116-Lauria-Oliveri.pdf
From page 9 to page 14

Activity: Dual Stack Network Monitoring