Pwning the Core of IoT Botnets: From a Honeypot to Gigabytes of Botnet Source Code presented at BlackHatAsia2019 2019

by Tan Kean Siong,

Summary : With the leak of Mirai botnet source code back in 2016, countless IoT botnet variants have emerged and evolved as the new fashion trends. In this session, we love to share the interesting stories from single honeypot, leading to the discovery of gigabytes of botnet source code, and uncovering various dramatic scenes within the bot herders behind the curtain.In early 2017, we started to listen quietly to the Telnet traffic for fun after Mirai Botnet DDoS attacks. Multiple botnet variants emerge rapidly over the time with differing fancy names (e.g. OWARI, SATORI, MASUTA, SORA, JOSHO, OMG, and many more). By tracking the distinct characteristic with OSINT, we discovered various source code repositories surfaced and disappeared on the Internet over short periods, with the huge collection of IoT botnets source code. While reading some of the latest juicy source code, those new variants only be spotted in the wild after a few weeks.In addition, we stumbled upon various interesting dramatic scenes and a turf war between the bot herders, e.g gained access and wiped out others' botnet for territorial fight, delivered sneaky backdoor-ed exploit scripts to the peers publicly, involved in DDoS attack on financial institute with the purpose of showcasing the power of the DDoS bandwidth, 'bashing' well-known IoT botnet security researchers who discovered their botnets.All of these were kick-started from just a single home-based IoT honeypot for the threat hunt.