Raphael Springer
Andreas Klopsch 🗣 | Chris Dietrich 🗣 | Raphael Springer 🗣
Abstract (click to view)
Since December 2019, we have reverse engineered and tracked the activity and infection population of a botnet family referred to as Mozi that infects Linux-based Internet-of-Things (IoT) devices. Mozi implements a peer-to-peer (P2P) command-and-control (C2) channel based on the BitTorrent protocol. This makes Mozi an interesting target for analysis as it allows to gather intelligence on the infection population across IoT devices. In addition, we’d like to highlight in particular how this makes it difficult for takedowns.
The steady growth of the IoT sector results in an evolving malware landscape targeting those devices. Since Mirai was used in large-scale DDoS attacks in 2016, affecting services as well known as Dyn and the Krebs on Security blog, the potential of IoT botnets has become obvious. Nearly four years later, several further botnet families have originated and infect Linux-based IoT devices. We intend to present an overview of the IoT botnet landscape and its development while highlighting a few key botnets that deserve particular attention, such as Hajime, Torii, VPNFilter and Mozi.