Identifying and Characterizing Bashlite and Mirai C&C Servers
Identifying and Characterizing Bashlite and Mirai C&C Servers Gabriel Bastos∗, Artur Marzano∗, Osvaldo Fonseca∗, Elverton Fazzion∗y, Cristine Hoepersz, Klaus Steding-Jessenz, Marcelo H. P. C. Chavesz, Italo´ Cunha∗, Dorgival Guedes∗, Wagner Meira Jr.∗ ∗Department of Computer Science – Universidade Federal de Minas Gerais (UFMG) yDepartment of Computing – Universidade Federal de Sao˜ Joao˜ del-Rei (UFSJ) zCERT.br - Brazilian National Computer Emergency Response Team NIC.br - Brazilian Network Information Center Abstract—IoT devices are often a vector for assembling massive which contributes to the rise of a large number of variants. botnets, as a consequence of being broadly available, having Variants exploit other vulnerabilities, include new forms of limited security protections, and significant challenges in deploy- attack, and use different mechanisms to circumvent existing ing software upgrades. Such botnets are usually controlled by centralized Command-and-Control (C&C) servers, which need forms of defense. The increasing number of variants of these to be identified and taken down to mitigate threats. In this paper malwares makes the analysis and reverse engineering process we propose a framework to infer C&C server IP addresses using expensive, hindering the development of countermeasures and four heuristics. Our heuristics employ static and dynamic analysis mitigations. To address the growing number of threats, security to automatically extract information from malware binaries. We analysts and researchers need tools to automate the collection, use active measurements to validate inferences, and demonstrate the efficacy of our framework by identifying and characterizing analysis, and reverse engineering of malware. C&C servers for 62% of 1050 malware binaries collected using The C&C server is a core component of botnets, responsible 47 honeypots.
[Show full text]