Analyzing the Propagation of IoT Botnets from DNS Leakage

Mirai and Hajime are two large botnets that came to prominence in the Fall of 2016, notably due to Mirai’s launching of several large DDoS attacks. The propagation method of the two botnets is similar, drawing upon poor security measures in IoT devices. While reverseengineering efforts have detailed the propagation logic, measuring the actual growth of each botnet remains difficult, with current methods based on honeypot traffic analysis. This paper presents an alternative method for measuring the macro behavior of Mirai and Hajime that is based on failed infection attempts that leak into the DNS requests of the intended victim. This unexpected backscatter is due to the subtleties of a remote code execution vulnerability that Mirai and Hajime exploit for propagation. We analyze the growth and behavior of the two botnets using passive DNS collection at a root nameserver, and using active measurements taken by participating in the BitTorrent DHT, which Hajime uses to help disseminate its payloads. In contrast to honeypots, our methods provide a unique longitudinal and global view of the botnets’ evolution.