Generic signature development for IoT Botnet families

2021

Abstract

As the source code of various IoT botnet families, including Mirai, has been made publicly available, adversaries are rapidly introducing new variants of these families. However, there is no generic mechanism for detecting these emerging variants, so it is infeasible for security solution providers to identify new IoT botnet variants effectively. In this paper, we perform static code analysis of 17 IoT botnet variants from the Mirai and Qbot families in order to uncover the attacker's perspective, generic behavior, employed technologies and implemented techniques. With the help of this analysis, we identify generic behavioral patterns of IoT botnets and develop generic signatures for their identification. These signatures cover identification on the basis of CPU architectures, bot control commands, bot scanning commands, obfuscation methods, and botnet-specific exploits and attacks. A comparative analysis of the analyzed IoT botnet families is presented. To evaluate the identified signatures, we first tested them on unknown Mirai and Qbot variants and obtained a detection rate of 100% for both. Second, we tested the signatures on other IoT botnet families, IRC-Bot, Perl ShellBot and Trick-Bot, and obtained detection rates of 98%, 96.79% and 98.2% respectively. Further, we present open research challenges in the field of IoT botnet detection. This research will enhance the understanding of IoT botnets and pave the way for generic detection and prevention methods.
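The abstract lists the signature categories (CPU architecture, control commands, scanning commands, obfuscation) but not how such static signatures are applied. The following is an added illustration, not code or signatures from the paper: a minimal static matcher that reads the target architecture from the ELF header, checks for command strings, undoes a single-byte XOR to look for an obfuscated marker, and then flags the family-level trait of the same strings recurring across builds for different CPU architectures. The command strings, the marker and the sample "binaries" are all constructed placeholders for this example; only the ELF header layout and the e_machine values are real.

```python
import struct

# Real EM_* values from the ELF specification (e_machine field at offset 18).
ELF_MACHINES = {
    0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
    0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}

# Hypothetical signature strings, constructed for this example. They stand in for
# the control, scanning and obfuscation signatures the paper derives; they are
# not the paper's signatures and do not appear in any real sample.
CONTROL_COMMANDS = [b"EXAMPLE_CTRL_PING", b"EXAMPLE_CTRL_ATTACK"]
SCAN_COMMANDS = [b"EXAMPLE_SCAN_TELNET", b"EXAMPLE_SCAN_LOGIN"]
XOR_MARKER = b"EXAMPLE_MARKER"  # plaintext expected to surface once a single-byte XOR is undone


def elf_architecture(data):
    """Return the target CPU architecture of an ELF image from its header, or None if not ELF."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    endian = ">" if data[5] == 2 else "<"          # EI_DATA: 1 = little, 2 = big endian
    (e_machine,) = struct.unpack(endian + "H", data[18:20])
    return ELF_MACHINES.get(e_machine, "unknown-0x%02x" % e_machine)


def find_single_byte_xor(data, marker):
    """Return the single-byte XOR key under which `marker` appears in `data`, or None."""
    for key in range(256):
        if marker in bytes(b ^ key for b in data):
            return key
    return None


def match_signatures(data):
    """Apply the architecture, command-string and obfuscation signatures to one image."""
    return {
        "arch": elf_architecture(data),
        "control": [c.decode() for c in CONTROL_COMMANDS if c in data],
        "scan": [s.decode() for s in SCAN_COMMANDS if s in data],
        "xor_key": find_single_byte_xor(data, XOR_MARKER),
    }


def classify_corpus(samples):
    """Run the signatures over a dict of name -> bytes and add the cross-sample check.

    A generic IoT-botnet trait is that the same string signatures recur in builds
    for several CPU architectures, so that is flagged on top of per-sample hits.
    """
    per_sample = {name: match_signatures(d) for name, d in samples.items()}
    archs_with_hits = {
        h["arch"] for h in per_sample.values()
        if h["arch"] and (h["control"] or h["scan"] or h["xor_key"] is not None)
    }
    return {
        "per_sample": per_sample,
        "multi_arch_same_signatures": len(archs_with_hits) >= 2,
    }


def make_sample(machine, big_endian, body):
    """Build a minimal ELF header (constructed test data) followed by `body`."""
    endian = ">" if big_endian else "<"
    e_ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1, 0]) + b"\x00" * 8
    return e_ident + struct.pack(endian + "HH", 2, machine) + body


# Constructed corpus: two "bot" builds for different architectures sharing the same
# strings (marker XOR-encoded with key 0x5A), plus one benign image.
_BOT_BODY = (b"\x00" * 16 + CONTROL_COMMANDS[0] + b"\x00" + SCAN_COMMANDS[0] + b"\x00"
             + bytes(b ^ 0x5A for b in XOR_MARKER))
SAMPLES = {
    "bot.arm": make_sample(0x28, False, _BOT_BODY),
    "bot.mips": make_sample(0x08, True, _BOT_BODY),
    "benign.x86_64": make_sample(0x3E, False, b"\x00" * 16 + b"hello world"),
}

if __name__ == "__main__":
    result = classify_corpus(SAMPLES)
    for name, hits in result["per_sample"].items():
        print(name, hits)
    print("same signatures across architectures:", result["multi_arch_same_signatures"])
```

The cross-sample check is the part that makes the signature "generic" in the paper's sense: a single string hit on one file is weak evidence, but the same control, scan and de-obfuscated strings appearing in an ARM build and a big-endian MIPS build of the same corpus is the pattern of a multi-architecture IoT botnet toolkit rather than a one-off binary.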