Presented by Shashank Shekhar Sahoo Cleaning Up the Internet of Evil Things: Real-World Evidence on ISP and Consumer Efforts to Remove Mirai Presented by Shashank Shekhar Sahoo

Introduction

Background Knowledge Botnet - A network of internet connected devices, where each device is running one or more bots. - Can be used for sending spam emails, keylogging activities, and even performing Distributed Denial of Service attacks. Mirai - First surfaced in 2016, it is an IoT malware that infects smart devices. - Allows the attacker to control the devices remotely and launch DDoS attacks which can go upto 620 Gbps, or even more.

Background Knowledge Recent rise in IoT devices and consequently, IoT Botnets attacks. Majority of the world’s population have little or no information on malwares. Millions of IoT devices are being compromised. Low security of the devices.

Motivation How to remediate the population of vulnerable and compromised IoT devices effectively? To understand the impact of notifications on the remediation process.

Problem Problem: There is no clear and simple remediation path. There are three underlying problems: There is no public information to identify the owner. There is no established channel to reach the owner. Even if they are reachable, then how to provide them with an actionable notification.

Solution

Experiment Where do these Mirai infected devices reside? - 87% of Mirai infected devices IoT devices reside in broadband ISP consumer networks. - Less than 1% reside in other types of networks such as education, hosting or governmental networks. Since majority of the devices lie inside the broadband ISP networks, the ISPs can play a major role in the remediation of the IoT botnets.

Experiment Divided the experiment into two stages:

Notification Methods Walled Garden Notification - Infected users are kept in Quarantine. - Redirected to a landing page whenever user browses the web. - Landing page contains instructions on how to clean the device. - Difficult to ignore. An email is sent as well. Two versions: 1. Standard Walled Garden Notification (Observational Study) 2. Improved Walled Garden Notification (Randomized Control Study)

Notification Methods Control Group - No notifications were sent. Email Notification - Commonly used by ISPs. - Cheap and easy to scale. - Major drawbacks: - No assurance that the user has read it or not. - A different email might be associated with the ISP. - Email might be classified as spam.

Identifying and Tracking Infections Identifying Infected Machines - Shadowserver Abuse feeds Tracking Infected Machines - Darknet - IoT Honeypot Device Information - NMAP Scanner - Censys Scan

Results Impact of Notification Mechanism - Control group had the lowest cleanup rate of 74%. - Email only had a cleanup rate of 77%. - Improved Walled Garden remediated about 92%. Impact of Notification Content - Improved Walled Garden had a higher clean up rate (92%) as compared to Standard Walled Garden (88%). - Improved Walled Garden had a shorter median infection time as well.

Results Natural Remediation - High remediation rate (74%) even though they were not notified. - Surprising! - Decided to observe remediation rates of: - Two other networks (Business and Subsidiary). - Four random ISPs in the country. - Observed high natural remediation rates as well! - Along with high remediation rate, there was low reinfection rate (5%) as well.

Results Impact of Device Type - Censys and NMAP were used to identify the type of devices. - Couldn’t identify all the devices. Only 28% of them were identified. - Analyzed banner information and identified: - Routers - Cameras - Storage Units - DVRs - Set Top Box

Results Impact of Device Type - Routers cleaned up faster than cameras and DVRs.

User Experience Themes of User Experience in Communication with ISP - Improved Walled Garden - Significantly reduced the number of calls. - Less requests for technician. - Less complaints.

Criticism

Criticism Their research was based on a specific malware, i.e. Mirai. - Non persistent in nature. - There are persistent malwares as well. - Drawback: - Different types of malwares may have different effect on remediation rates. - Possible Solution: - Conduct a study with a mix of persistent and non-persistent malwares.

Criticism No explanation for low reinfection rates in the Control Group. - Mere rebooting of device doesn’t protect against reinfection. - Mirai has an aggressive scanning behaviour. - Devices still vulnerable to Mirai when once they are back online. - Drawback: - Didn’t conduct phone interviews with those customers. - Possible Solution: - Should have conducted interviews with them as well and find the underlying reason for low reinfection rate.

Criticism Results based on a very small sample of customers in one country. - Considered only 220 customers for their experiment. - Drawback: - On a larger scale, such as customers from multiple countries, the results may vary drastically. - Possible Solution: - Could consider a larger sample of customers belonging to different countries.

Criticism Results in Improved Walled Garden may be biased. - Customers may have already heard about this in the news or in the internet articles. - Helped them to clean it. - Drawback: - Studies conducted in two different time periods. - Possible Solution: - Conduct the studies in the same time period to avoid this.

Thank you!