DACS, University of Twente, 7522 NB Enschede, The Netherlands.
CERT.br, Brazilian National Computer Emergency Response Team, Brazil, São Paulo 05801-000, Brazil.
Sensors (Basel). 2019 Feb 11;19(3):727. doi: 10.3390/s19030727.
IoT botnets have been used to launch Distributed Denial-of-Service (DDoS) attacks affecting the Internet infrastructure. To protect the Internet from such threats and improve security mechanisms, it is critical to understand the botnets' intents and characterize their behavior. Current malware analysis solutions, when faced with IoT, present limitations in regard to the network access containment and network traffic manipulation. In this paper, we present an approach for handling the network traffic generated by the IoT malware in an analysis environment. The proposed solution can modify the traffic at the network layer based on the actions performed by the malware. In our study case, we investigated the Mirai and Bashlite botnet families, where it was possible to block attacks to other systems, identify attacks targets, and rewrite botnets commands sent by the botnet controller to the infected devices.
物联网僵尸网络已被用于发起分布式拒绝服务 (DDoS) 攻击,影响互联网基础设施。为了保护互联网免受此类威胁并改进安全机制,了解僵尸网络的意图并描述其行为至关重要。当前的恶意软件分析解决方案在面对物联网时,在网络访问控制和网络流量操纵方面存在局限性。在本文中,我们提出了一种在分析环境中处理物联网恶意软件生成的网络流量的方法。所提出的解决方案可以根据恶意软件执行的操作修改网络层的流量。在我们的案例研究中,我们调查了 Mirai 和 Bashlite 僵尸网络家族,在该案例中,我们能够阻止对其他系统的攻击、识别攻击目标,并重写僵尸网络控制器发送到受感染设备的僵尸网络命令。
