See discussions, stats, and author profiles for this publication at: https://www.researchgate.

net/publication/338297464

Analyzing Variation Among IoT Botnets Using Medium Interaction Honeypots

Conference Paper · January 2020

DOI: 10.1109/CCWC47524.2020.9031234

CITATIONS READS
0 302

3 authors, including:

Iman Vakilinia Shamik Sengupta

University of North Florida University of Nevada, Reno
23 PUBLICATIONS   139 CITATIONS    118 PUBLICATIONS   1,475 CITATIONS   

SEE PROFILE SEE PROFILE

Some of the authors of this publication are also working on these related projects:

Scalable Distributed Event and Intrusion Detection Systems (DEIDS) for Cyber-Physical Power Systems View project

All content following this page was uploaded by Iman Vakilinia on 01 January 2020.

The user has requested enhancement of the downloaded file.

 Analyzing Variation Among IoT Botnets Using
Medium Interaction Honeypots
Bryson Lingenfelter Iman Vakilinia Shamik Sengupta
Dept. of Computer Science and Eng. School of Computing Dept. of Computer Science and Eng.
University of Nevada, Reno, NV, USA University of North Florida, FL, USA University of Nevada, Reno, NV, USA
[email protected] [email protected] [email protected]

Abstract—Through analysis of sessions in which files were the attacker can enter commands and see believable output
created and downloaded on three Cowrie SSH/Telnet honeypots, without having access to a real system [4]. This is an ideal
we find that IoT botnets are by far the most common source of environment for tracking the state of IoT botnets, which are
malware on connected systems with weak credentials. We detail
our honeypot configuration and describe a simple method for easy to capture samples from because they are automated and
listing near-identical malicious login sessions using edit distance. not able to perform honeypot detection as thoroughly as a
A large number of IoT botnets attack our honeypots, but real attacker. We collect data using the open source Cowrie
the malicious sessions which download botnet software to the honeypot, which is a continuation of the Kippo honeypot.
honeypot are almost all nearly identical to one of two common Kippo/Cowrie honeypots have previously been used to cluster
attack patterns. It is apparent that the Mirai worm is still the
dominant botnet software, but has been expanded and modified login sessions based on session time and attacker skill [5], and
by other hackers. We also find that the same loader devices deploy visualize attacker location and common commands [6].
several different botnet malware strains to the honeypot over the In this paper we describe a honeypot configuration based on
course of a 40 day period, suggesting multiple botnet deployments the Cowrie SSH/Telnet honeypot for capturing remote login
from the same source. We conclude that Mirai continues to be sessions and downloaded files, expanding from our previous
adapted but can be effectively tracked using medium interaction
honeypots such as Cowrie. work analyzing password attempts [7]. For our analysis, we
Index Terms—Botnet, Honeypot, Internet of Things, Mirai look at sessions which created and downloaded files. Login
session analysis has previously been done using high inter-
I. I NTRODUCTION action honeypots and classifying each command as part of
a specific state [8]. We instead describe a simple method
Shortly after the Mirai malware made headlines in 2016 due
for clustering these sessions using edit distance to enumerate
to its usage in a 620 Gbps attack against krebsonsecurity.com
identical attack patterns. In light of these sessions almost
[1], the botnet code was publicly released as open source
universally being associated with the Mirai malware, we
software. The original version of Mirai targeted vulnerable
provide discussion of Mirai’s functionality. Previous work pro-
Internet of Things (IoT) devices using a short wordlist based
vides complete description of the original malware’s behavior,
on default username and password combinations, amassing an
architecture, and attack methods [9], [10]; we instead focus on
army of hundreds of thousands of connected devices using
how much Mirai has been modified. There is some existing
just these credentials. The release of Mirai’s source code
work in this area. Y. Liu and H. Wang [11] use branch name,
has resulted in numerous clones and modifications by other
configuration, IP addresses, attack methods, and credential
malicious actors which have expanded upon the attacks present
dictionaries to distinguish between binary files from different
in the original version of Mirai. Despite receiving much
Mirai variants. Other work describing Mirai has identified
attention after the 2016 attacks, IoT security is still a major
versions which target different ports and devices [10].
issue and new botnets appear regularly. As a result, there is a
Using our clustering results, we note how many different
need to keep track of developments in IoT botnets so current
Mirai variants attack our honeypots and how much they differ
attacks can be appropriately dealt with.
from one another and the publicly available Mirai source code
Honeypots are a popular technique for capturing malicious
in terms of commands entered, choice of filler words, and
activity. They provide a sandbox environment for malicious
downloaded files. We aim to provide an idea of the amount of
actors to attack, recording each action for later analysis. Hon-
variation present in Mirai attacks both in terms of number
eypots have been used for a wide range of tasks, such as attack
of distinct variants and variation amount. We also provide
pattern comparison, root cause identification, risk assessment,
analysis of variation in files from apparently identical malware
attack frequency analysis, and attack origins analysis [2].
loaders as well as identical IP addresses and find that many IP
Medium interaction honeypots such as Cowrie [3] provide a
addresses serve as loader servers for multiple strains of Mirai-
fake shell and virtual file system to the attacker, such that
based botnets. Finally, we provide information on other attacks
This research is supported by the National Science Foundation (NSF), USA, observed by the honeypot to give some perspective regarding
Award #1739032. the prevalence of Mirai.
 II. M ETHODOLOGY access to Elasticsearch and Kibana via an ssh tunnel through
A. Honeypot Configuration the mail server. This allows us to remotely access ELK without
needing to expose the server publicly.
Malware data was collected from 3 honeypots running
the Cowrie SSH/Telnet honeypot [3], the continuation of the B. Dataset
popular Kippo honeypot. The Cowrie honeypot is a medium-
Every event Cowrie adds to its log has a structure defined
interaction honeypot which provides a dummy shell imple-
by the event type, such as cowrie.login.success and
mented in python to the attacker with a virtual filesystem
cowrie.command.input. Each event, regardless of type,
and prefab command outputs. Cowrie can be used to emulate
has a session id field that can be used to identify events
an IoT system by setting the prefab outputs to be consistent
generated by the same session. To collect the data for this
with actual IoT devices, and is therefore a good environment
paper, we enumerated every unique session id associated with
for observing IoT botnets without the overhead of a high-
a cowrie.session.file_download event and used
interaction honeypot. Cowrie has also been modified multiple
Elasticsearch to collect all other events for these ids. The
times during its development specifically in response to issues
file download event is used for both downloads from remote
where sessions from the Mirai malware didn’t result in a file
servers and files created during the login session, so we
download, making it particularly good for capturing samples
consider both for our analysis. The data was collected over
of Mirai.
a period of 40 days, from 4 February 2019 to 15 March 2019,
We made minimal alterations to Cowrie’s default config-
and consists of 84,602 unique login sessions. These sessions
uration as of February 2019. Cowrie’s userdb was modified
account for 21.2% of the 398,233 session dataset; that is,
slightly to allow login for the three default cowrie users
roughly 20% of the time a connection was initiated with a
(root, tomcat, and oracle) given any password. Additionally,
honeypot it resulted in a successful login followed by a file
the honeypot was configured to accept both ssh and telnet
creation or download. These login sessions resulted in a total
connections on ports 22/2222 and 23/2223, respectively. This
of 312 unique files collected by the honeypot.
was done to allow as much traffic as possible. Each honeypot
had an Apache webserver running on port 80 associated with C. Attack Pattern Comparison
a registered domain name and static web page. Finally, each
To identify identical attack patterns, each session was en-
honeypot had a Postfix mailserver running on port 25 with
coded as a list of the first argument for each command entered
several valid email accounts set up. Each portion of the
by the attacker. For example, if an attacker logged in, typed
honeypot (login, web, and mail) ran on a separate virtual
cat /proc/mounts followed by echo test, then ended
machine and received traffic through port forwarding. For the
the session, the encoded list would be ["cat", "echo"].
analysis in this paper, only the Cowrie component is necessary.
A command containing ; (which most shells treat as end
of line), but not commands with && or ||, was split into
multiple commands. If the first argument was a shell such
as /bin/busybox or /bin/bash we instead use the
second argument, which is the first argument to the shell
being called. To identify identical attack patterns, Levenshtein
distance between lists of arguments was used as a similarity
metric. Levenshtein distance computes the number of edits
(substitution, insertion, and deletion) required to match two
sequences of non-equal length, providing a rough estimation of
similarity between login sessions. Edit distance has previously
been used for applications such as root cause analysis [12].
The metric was normalized by dividing by its upper bound,
the largest number of arguments in either session. This metric
Fig. 1. Configuration of the honeypot used for data collection. Three
honeypots were deployed in this manner. does not consider state or different but functionally identical
commands, but is sufficient for identifying connections from
To aggregate logs from the web and ssh servers, we used bots using the same code. Based on the results shown in Figure
Filebeat to ship logs to a server running the ELK stack, 2, we consider attack patterns identical if their normalized
composed of Elasticsearch, Logstash, and Kibana. Logstash distance is less than 0.25
is used to transform the JSON data generated by Cowrie and
the Combined Log Format data generated by Apache into the III. S ESSION A NALYSIS
format used by the Elasticsearch search and analytics engine. The two most common attack patterns seen on the honeypot
We make an ssh server available on the Postfix machine by are closely related to publicly available Mirai loader code.
forwarding port 22222 on the pfsense router to port 22 on These two attack patterns account for 97.7% of the dataset, as
the mail server. We also make the ELK machine accessible well as 244 out of the 312 unique files. 236 of these files were
through ssh over port 22 from the internal network, allowing identified as strains of the Mirai IoT botnet malware by at least
 the system’s cpu architecture by reading the header for the
echo system binary using cat, and checking for wget
and tftp, the loader downloads a file using wget then
attempts to execute it. In the publicly released Mirai loader,
the downloaded file is a variant of Mirai for the compromised
system’s cpu architecture. We note that all malware collected
by the honeypot was compiled for x86 systems, which is
consistent with the x86 64 architecture displayed by Cowrie.
Fig. 2. Histogram of distance measures for the two most common attack The most common attack pattern follows the same logic as
patterns. For both patterns, there is a clear distinction between distances less the Mirai source code, but does not use the same commands.
than .25 and distances greater than .25. Instead of using echo to save raw hex to a file, this pattern
uses > to create empty files in several directories then attempts
one antivirus software used by the VirusTotal antivirus report to cd to those directories if the redirection was successful.
aggregator [13]. Of the remaining eight, six were identified Unlike in the original Mirai loader, the attacker in this case
by at least one source as Gafgyt, another earlier IoT botnet does not remove any of the created files. Additionally, this
malware with behavior very similar to Mirai [14] [15], and pattern uses read to obtain a binary file header if cat
the other two were not flagged as malware by any antivirus fails. However, after a writable directory is found and the
at the time we submitted them for analysis. The two attacks cpu architecture is determined the loaders are identical. This
are entirely accounted for by 125 unique IPs, of which 16 are pattern is far more common than the previous pattern, and
common to both attacks. accounts for 74.3% of the observed sessions.
To better understand the observed botnet loader sessions, Most of the differences internal to each attack pattern are
we provide a brief description of Mirai’s spreading function- related to the first commands entered by the loader. We define
ality. The Mirai botnet grows through scanning of randomly these commands as everything coming before the first >
generated IPs by infected devices. When an infected device for the most common pattern and everything coming before
detects another vulnerable device, it sends the credentials it the first echo for the second most common pattern. All
used to access that vulnerable device to a report server. After loaders generally begin with enable, shell, and sh, in
a certain period of time, a loader device then connects to which the attacker attempts to gain access to privileged-mode
the compromised device using the reported credentials and commands and run a Bourne shell [17]. Minor variations on
downloads and executes the Mirai malware to add the device these commands show up in different loaders, as shown in
to the botnet. A visual depiction of this behavior is provided Table 1. It appears that different attackers use the same loader
in Figure 3. structure, but make minor modifications to the first commands
run by the loader.

TABLE I
I NITIAL COMMANDS FOR MOST COMMON ATTACK PATTERN

Occurrences Command Sequence

10,339 enable, system, linuxshell, shell, sh
92 enable, system, shell, ping, sh, sh
51,867 enable, system, shell, sh
147 enable, system, shell, sh, linuxshell
305 shell, sh
117 system, shell, sh

Every loader following the second pattern then checks the

response to an arbitrarily chosen filler keyword which is titled
TOKEN_QUERY in the Mirai source code [16]. The expected
response to this query, titled TOKEN_RESPONSE in the Mi-
Fig. 3. Diagram showing how scans from a Mirai botnet result in attempted
infection by a loader device. rai source code, is TOKEN_QUERY: applet not found.
This is the response generated by the IoT devices targeted by
The second most common attack pattern, which accounts Mirai, which use the Busybox shell. We observed a total of
for 23.4% of the observed sessions, appears to directly use the 45 unique choices for this variable, 34 of which showed up
loader server code from the public release of the Mirai source in the most common attack pattern and 12 of which showed
code [16]. The loader attempts to find a writable directory by up in the second attack pattern (1 was used for both). After
repeatedly redirecting output from echo to a file in one of receiving TOKEN_RESPONSE from the victim device, loaders
several different directories, attempting to read the file using following the second attack pattern almost always then use ps
cat to see if this succeeded, then removing the file with rm. and cat /proc/mounts to further fingerprint the system.
After finding a writable directory in this manner, determining The first pattern always forgoes these checks.
 The IP addresses observed in the most common two attack
patterns follow an exponential distribution. In both patterns,
the majority of IP addresses were seen under 100 times,
but the most common IP addresses were seen upwards of
10,000 times. This is shown in Figure 4, which plots the IP
distribution on a logarithmic scale. Although there are a large
number of active botnets, a small portion of them account for
the majority of malicious file uploads on the honeypot.

Fig. 4. Frequency of IP addresses for most common two attack patterns,

plotted on a logarithmic scale.

These two patterns do not account for every strain of Mirai

loader seen on the honeypot. A far less common attack which Fig. 5. Distance matrix of ssdeep hashes for Mirai samples from second
attack pattern, grouped by choice of TOKEN QUERY. Darker blues indicate
accounts for just .415% of the dataset (315 sessions from a higher similarity score.
1 IP), is near identical to the original Mirai source code
with substantial modifications to the first few commands.
Additionally, Mirai sessions which did not use echo or >
files. Distances between malware samples are calculated using
to create files and did not result in an attempted file download
ssdeep, a context-triggered piecewise hashing algorithm [20].
are not included in the dataset.
Ssdeep is not robust for detecting functionally identical files
which don’t have identical bytes or modifications which alter
IV. F ILE A NALYSIS
the context triggering [21]. For example, we found through
Manual inspection of the binary files downloaded by the static analysis that the “iDosYou” strain is near identical to
two forms of Mirai loader demonstrates a large amount the “daddyl33t” strain with a few additional subroutines in
of variation in binaries even for identical loaders. At least the middle of the binary, but ssdeep indicates these files have
11.9% of the files are packed, with that percentage of files 0% similarity. However, ssdeep has very good precision [21]
containing “packed with the UPX executable packer,” the and malware considered highly similar are therefore likely to
most popular binary packer among malware authors [18]. represent very minor modifications of the same code. This
Some malware contains specific identifiers, such as “Botnet can be seen in Figure 5 in that files with different values for
Made By greek.Helios,” “Botnet Made By R2F,” and “Edit TOKEN_QUERY are never detected as similar by ssdeep. For
by Zer0x.” 22.1% of the collected files contain the string the filler words accounting for the most variance in file hashes,
“/ctrlt/DeviceUpgrade 1,” indicative of an attack targeting however most of the unique files observed are near identical.
CVE-2017-17215 [19]. Additionally, 13.1% of the files were For most of the files collected from the “iDosYou” loader,
compiled for 64 bit systems and 86.9% were compiled for 32 which accounted for the most unique files in the second most
bit systems. To categorize the malware, we use the choice common pattern, the only apparent difference is a single IP
of TOKEN_QUERY, which is apparent in both loaders. In which varies from sample to sample. This suggests that this
addition to appearing at the beginning of the session for same malware is associated with many different loader servers.
the second attack pattern, for both attacks TOKEN_QUERY is To better understand the scope of attacks against the honey-
placed after some commands so that successful completion pot, each session was reduced to a mapping between IP and the
of the command will be followed by TOKEN_RESPONSE. hash of the file downloaded during the session. This analysis
Mirai variants commonly, though not always, use differ- was done separately for each attack pattern. The data does
ent filler words in their loader. Figure 5 shows the dis- not display a one-to-one mapping between IP address and file
tance matrix for TOKEN_QUERY for the second most com- hash; some IPs download different files in other sessions, and
mon attack pattern, from which it can be seen that similar some files are downloaded by multiple IPs. Interestingly, for
choices of TOKEN_QUERY in the loader correspond to near- the most common attack pattern the cardinality of the file set
identical loaded malware. Lines separate different choices of is larger than the cardinality of the IP set. This can be seen
TOKEN_QUERY, and shaded cells indicate similarity between in Figure 6, which provides a weighted mapping between IP
Fig. 6. Mapping between IP addresses and file hashes for the most common attack pattern. White indicates the IP and file never appeared together, otherwise
the color ranges from dark purple (IP and hash appeared together few times) to yellow (IP and hash appeared together many times).

addresses and files.

Fig. 8. Mapping between TOKEN QUERY and FN BINARY for the second
pattern.
Fig. 7. Mapping between IP addresses and file hashes for the second most
common attack pattern. The first column is an empty file hash (no file was
downloaded).
demonstrating similar variation in packing and attack methods.
It appears common for attackers to change the botnet con- We surmise that attackers deploy different strains over time to
nected to a loader device, resulting in the same IP attacking the expand their botnets further, or different hackers take over the
honeypot with several different strains of the Mirai malware. same loader device. We again note that 16 of the 125 unique
It is far more rare, in contrast, for different IP addresses to IPs associated with the two most common attacks launched
download the same malware to the honeypot. While many both the most common attack pattern and the second most
unique files are presumably minor updates to existing files, it common attack pattern, indicating that the same IP addresses
is clear that many IPs are downloading highly distinct variants are used for different botnet architectures entirely.
of Mirai. One IP address, for example, downloaded five unique An entirely different relationship between file hash and IP
files to the honeypot. Three of the five were signed in ASCII address is apparent in the second most common attack pattern.
by one of two authors. One was packed with UPX, and Unlike the first pattern, in which every session results in a file
two contain strings indicating an attack attempting to exploit being downloaded to the system, file downloads frequently
CVE-2017-17215. Another IP downloaded 29 unique files, fail to be captured in the second attack. This can be seen
 Fig. 9. Mapping between IP address and TOKEN QUERY variable for the most common attack.

in the mapping between IP address and file hash, shown in

Figure 7. The majority of IP addresses show up in the first
column, representing an empty hash (meaning no files were
downloaded). Additionally, the number of unique files is no
longer greater than the number of unique IPs for this attack.
Another observation from the two Mirai loader attacks is
the mapping between TOKEN_QUERY and the name of the
downloaded binary (FN_BINARY), shown in Figure 8. In the
leaked Mirai source code, these two variables are defined
as “ECCHI” and “dvrHelper” (we note that this is different
from the samples of Mirai collected before its release, where
“MIRAI” was used rather than “ECCHI” [14]). Mirai variants
are sometimes named after their choice for TOKEN_QUERY,
as we have done in this paper. While the mapping between
TOKEN_QUERY and FN_BINARY is fairly diagonal, there are Fig. 10. Frequency of IP addresses for the ssh brute-force attack, plotted on
a few cases where two FN_BINARY variables map to the same a linear scale.
TOKEN_QUERY and vice versa. This seems to indicate that
malware is further modified by other attackers, resulting in
variants of variants. We also suggest some malware authors downloading sessions unaccounted for. Most of these are an
chose to use the same TOKEN_QUERY variable as existing ssh-based attack which accounted for 1.55% of the unique
strains. sessions. This attack was short and simple; an attacker logged
The TOKEN_QUERY variable can be further used to show in, tried several methods of keeping the server from tracking
that the same IP addresses are launching a wide range of their bash history, uploaded an ssh public key, then logged
attacks. As shown in Figure 9, there is not a clear relationship out. Due to the sandbox nature of the Cowrie honeypot, the
between IP address and the choice of this variable. Unlike the ssh key would be saved but unusable for remote login. Despite
mapping between IP address and file hash, which is mostly di- only accounting for under 2% of the dataset, this attack had
agonal, the mapping between IP address and TOKEN_QUERY by far the largest number of unique IPs. Of the 1,312 unique
is scattered. Most filler words are associated with a large range sessions, 564 were from unique IPs. This is more than four
of loader server IPs and many IPs are associated with two or times the number of IPs observed by the most common two
more loader strains. This is consistent with our observation attack patterns, despite those patterns accounting for almost
from mapping between IP address and file hash that the same the entire dataset.
IP addresses are launching a variety of different attacks. The majority of the remaining sessions (.171% of the total
dataset; 145 sessions from 9 IPs) appear to be a simplified
V. OTHER ATTACKS
version of the Mirai loader. The attacker uses the same few
By removing common Mirai attacks from our dataset, initial test commands as the Mirai loader, but instead of
we can gain a better understanding of attacks against the performing any further checks using echo, rm, and output
honeypot which are not related to IoT botnets. Accounting redirection, the attacker simply downloads a bash script that
for the common three Mirai patterns leaves 1.879% of file- attempts to download binaries compiled for different archi-
tectures until one works. The remaining 133 sessions in the [8] D. Ramsbrock, R. Berthier, and M. Cukier, “Profiling attacker behavior
dataset vary widely in attack type. In two different attack following ssh compromises,” in 37th Annual IEEE/IFIP International
Conference on Dependable Systems and Networks (DSN’07), June 2007,
patterns, accounting for 19 sessions, the attacker logs in using pp. 119–124.
ssh and downloads a perl script which tries to add the honeypot [9] M. Antonakakis, T. April, M. Bailey, M. Bernhard, E. Bursztein,
to an IRC-based botnet. In one attack pattern, accounting for J. Cochran, Z. Durumeric, J. A. Halderman, L. Invernizzi, M. Kallitsis,
D. Kumar, C. Lever, Z. Ma, J. Mason, D. Menscher, C. Seaman,
2 sessions, an attacker logs in using ssh and downloads a N. Sullivan, K. Thomas, and Y. Zhou, “Understanding the mirai botnet,”
coin-mining malware. In a few particularly strange sessions, in 26th USENIX Security Symposium (USENIX Security 17). Vancouver,
the attacker spends three minutes repeatedly downloading and BC: USENIX Association, 2017, pp. 1093–1110. [Online]. Avail-
able: https://www.usenix.org/conference/usenixsecurity17/technical-
attempting to run a shell script similar to the one downloaded sessions/presentation/antonakakis
by the simplified mirai loader. [10] C. Kolias, G. Kambourakis, A. Stavrou, and J. Voas, “Ddos in the iot:
Mirai and other botnets,” Computer, vol. 50, no. 7, pp. 80–84, 2017.
[11] Y. Liu and H. Wang, “Tracking mirai vari-
VI. C ONCLUSION ants.” Virus Bulletin, 2018. [Online]. Available:
https://www.virusbulletin.com/uploads/pdf/magazine/2018/VB2018-
Mirai remains a major security issue, with botnet attacks on Liu-Wang.pdf
vulnerable telnet ports being by far the most common attack [12] F. Pouget and M. Dacier, “Honeypot-based forensics,”
to download or create files. We also observe ssh attacks and in AusCERT Asia Pacific Information technology Security
Conference 2004, Brisbane, Australia, 2004. [Online]. Available:
older, IRC-based botnet attacks, but these are by far in the http://www.eurecom.fr/publication/1417
minority. We show that the Cowrie honeypot is an effective [13] Virustotal. [Online]. Available: virustotal.com
system for collecting samples of Mirai and Mirai sessions, [14] MalwareMustDie. (2016, August) Mmd-0056-2016 - linux/mirai,
how an old elf malcode is recycled.. [Online].
and identical loader sessions can be found by using simple Available: http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-
edit distance between command sequences. From the data linuxmirai-just.html
collected by our honeypots, we find that a relatively small [15] G. Kambourakis, C. Kolias, and A. Stavrou, “The mirai botnet and
the iot zombie armies,” in MILCOM 2017 - 2017 IEEE Military
number of loader devices running an even smaller number of Communications Conference (MILCOM), Oct 2017, pp. 267–272.
loader code bases are responsible for a wide range of botnet [16] Mirai-source-code. [Online]. Available:
attacks based on Mirai. We conclude that Mirai is directly https://github.com/jgamblin/Mirai-Source-Code/
[17] S. Edwards and I. Profetis, “Hajime: Analysis of a decentralized internet
or indirectly responsible for a vast number of attacks on IoT worm for iot devices,” Rapidity Networks, October 2016. [Online].
devices, but can be easily tracked using medium interaction Available: https://security.rapiditynetworks.com/publications/2016-10-
honeypots and sequence matching. 16/hajime.pdf
[18] K. A. Roundy and B. P. Miller, “Binary-code obfuscations in prevalent
For future work, analysis could be expanded by faking packer tools,” ACM Computing Surveys (CSUR), vol. 46, no. 1, p. 4,
different operating systems using Cowrie to collect a wider 2013.
range of files. Additionally, more in-depth analysis of the [19] Huawei router hg532 - arbitrary command execution. [Online].
Available: https://www.exploit-db.com/exploits/43414
collected files would be needed to gain a better understanding [20] J. Kornblum, “Identifying almost identical files using context triggered
of how much downloaded files vary between strains. While piecewise hashing,” Digital Investigation, vol. 3, pp. 91–97, Sep. 2006.
ssdeep shows which files are nearly identical, it is not robust [Online]. Available: http://dx.doi.org/10.1016/j.diin.2006.06.015
[21] Y. Li, S. C. Sundaramurthy, A. G. Bardas, X. Ou, D. Caragea, X. Hu,
enough for complete analysis and a more flexible solution is and J. Jang, “Experimental study of fuzzy hashing in malware clustering
necessary. A longer time frame and consideration of sessions analysis,” in 8th Workshop on Cyber Security Experimentation and
which don’t result in file downloading would also assist Test (CSET 15). Washington, D.C.: USENIX Association, 2015. [On-
line]. Available: https://www.usenix.org/conference/cset15/workshop-
analysis. program/presentation/li

R EFERENCES
[1] B. Krebs. (2016, September) Krebsonsecurity hit with record ddos. [On-
line]. Available: https://krebsonsecurity.com/2016/09/krebsonsecurity-
hit-with-record-ddos/
[2] M. Nawrocki, M. Wählisch, T. C. Schmidt, C. Keil, and
J. Schönfelder, “A survey on honeypot software and data
analysis,” CoRR, vol. abs/1608.06249, 2016. [Online]. Available:
http://arxiv.org/abs/1608.06249
[3] M. Oosterhof. Cowrie. [Online]. Available: github.com/cowrie/cowrie
[4] G. Wicherski, “Medium interaction honeypots,” in German Honeynet
Project, 2006.
[5] D. Fraunholz, D. Krohmer, S. D. Anton, and H. Dieter Schotten,
“Investigation of cyber crime conducted by abusing weak or default
passwords with a medium interaction honeypot,” in 2017 International
Conference on Cyber Security And Protection Of Digital Services (Cyber
Security), June 2017, pp. 1–7.
[6] I. Koniaris, G. Papadimitriou, and P. Nicopolitidis, “Analysis and visu-
alization of ssh attacks using honeypots,” in Eurocon 2013, July 2013,
pp. 65–72.
[7] I. Vakilinia, S. Cheung, and S. Sengupta, “Sharing susceptible passwords
as cyber threat intelligence feed,” in MILCOM 2018-2018 IEEE Military
Communications Conference (MILCOM). IEEE, 2018, pp. 1–6.

View publication stats