The End of the Canonical IoT Botnet: A Measurement Study of Mirai's Descendants
Leon Böck (1), Valentin Sundermann (1), Isabella Fusari (2), Shankar Karuppayah (3), Max Mühlhäuser (1), Dave Levin (4) ((1) Technical University of Darmstadt, (2) George Mason University, (3) Universiti Sains Malaysia, (4) University of Maryland)

TL;DR
This study measures and compares two major IoT botnet descendants, Hajime and Mozi, revealing they have diverged significantly from their common ancestor, indicating the end of a single canonical IoT botnet.
Contribution
The paper introduces a robust measurement infrastructure and provides empirical evidence that Hajime and Mozi have evolved into distinct botnets with minimal overlap, challenging the notion of a single canonical IoT botnet.
Findings
Hajime and Mozi have virtually no overlapping IP addresses.
They respond differently to network events such as diurnal rate limiting.
The divergence indicates multiple distinct IoT botnets now exist.
Abstract
Since the burgeoning days of IoT, Mirai has been established as the canonical IoT botnet. Not long after the public release of its code, researchers found many Mirai variants compete with one another for many of the same vulnerable hosts. Over time, the myriad Mirai variants evolved to incorporate unique vulnerabilities, defenses, and regional concentrations. In this paper, we ask: have Mirai variants evolved to the point that they are fundamentally distinct? We answer this question by measuring two of the most popular Mirai descendants: Hajime and Mozi. To actively scan both botnets simultaneously, we developed a robust measurement infrastructure, BMS, and ran it for more than eight months. The resulting datasets show that these two popular botnets have diverged in their evolutions from their common ancestor in multiple ways: they have virtually no overlapping IP addresses, they…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Opportunistic and Delay-Tolerant Networks
