Uroz, Daniel; Rodríguez, Ricardo J.; Gañán, Carlos H.
Poster: Empirical Analysis of Lifespan Increase of IoT C&C Domains Proceedings Article
In: Proceedings of the 2024 ACM on Internet Measurement Conference, pp. 767–768, Association for Computing Machinery, Madrid, Spain, 2024, ISBN: 9798400705922.
Tags: c&c lifetime, iot malware
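% Poster abstract from ACM IMC 2024 on the lifespan of IoT command-and-control domains.
% Author names use the "Last, First" form with LaTeX accent escapes, so classic BibTeX
% parses, sorts and labels them correctly; the source had a garbled accent in one surname.
% The date field is omitted: the source carried 2024-01-01 next to year, which looks like
% an export placeholder and would print a wrong month under date-aware styles.
% The abstract and keywords are kept verbatim and contain a raw ampersand; escape it as \&
% if your bibliography style typesets those fields.
@inproceedings{UrozRG-IMC-24,
  author     = {Uroz, Daniel and Rodr{\'\i}guez, Ricardo J. and Ga{\~n}{\'a}n, Carlos H.},
  title      = {Poster: Empirical Analysis of Lifespan Increase of {IoT} {C\&C} Domains},
  booktitle  = {Proceedings of the 2024 {ACM} on Internet Measurement Conference},
  series     = {IMC '24},
  pages      = {767--768},
  publisher  = {Association for Computing Machinery},
  address    = {Madrid, Spain},
  year       = {2024},
  doi        = {10.1145/3646547.3689670},
  isbn       = {9798400705922},
  abstract   = {The increasing prevalence of Internet of Things (IoT) devices have made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with lack of passive DNS and registration information.},
  keywords   = {c&c lifetime, iot malware},
  pubstate   = {published},
  tppubtype  = {inproceedings}
}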
The increasing prevalence of Internet of Things (IoT) devices have made them attractive targets for malware, highlighting the critical need to understand the dynamics of IoT Command and Control (C&C). While previous research observed short-lived C&Cs, recent observations indicate that the lifespan of domain names linked to IoT botnets is extending, deviating from previously recorded survival rates. To understand and characterize this emerging trend, we collected and examined 1049 IoT malware samples from late 2022 to early 2023, identifying 549 unique domains contacted by these samples. Domains were classified as malicious if detected by VirusTotal or followed a Domain Generation Algorithm pattern. Using data from WhoisXMLAPI and DNSDB Scout, we analyzed registration information and historical DNS resolutions, and identified relationships. Our findings reveal that the majority of C&C domains belong to Qsnatch and Mirai malware families, with an average lifespan of 2.7 years. Notably, seven active domains had an average lifespan of 5.7 years. We also observed a significant number of domains under the .vg and .ws TLDs, but with lack of passive DNS and registration information.