Inferring and Investigating IoT-Generated Scanning Campaigns Targeting a Large Network Telescope

Abstract

The analysis of recent large-scale cyber attacks, which leveraged insecure Internet of Things (IoT) devices to perform malicious activities on the Internet, highlighted the rise of IoT-tailored malware/botnets. These malware propagate by scanning the Internet for vulnerable, exploitable IoT devices that could be utilized for further malicious activities. In this article, we devise a multi-level methodology to investigate Internet-scale reconnaissance activities generated by infected IoT devices. We leverage the <monospace>Shodan</monospace> IoT search engine and over 6TB of passive network traffic from a large network telescope (darknet) to infer compromised IoT devices and characterize the generated scanning campaigns. The results highlight a distinctive characteristic of IoT malware/botnets, represented by the targeted ports/services over the analysis interval. Furthermore, while these ports/services are mainly associated with well-known IoT malware/botnets (e.g., <monospace>Mirai</monospace> and <monospace>Satori</monospace>), we uncovered newly targeted ports, which indicate emerging IoT malware/botnet. Finally, by comparing two instances of analyzed IoT-generated scanning campaigns, we highlight the persistence and evolution of IoT malware/botnets (e.g., <monospace>ADB.Miner</monospace> and <monospace>Fbot</monospace>), which exploit existing, and in some cases, possibly new vulnerabilities.