Identifying and Characterizing Bashlite and Mirai C&C Servers

2019 IEEE Symposium on Computers and Communications (ISCC) (2019)

Abstract
IoT devices are often a vector for assembling massive botnets, as a consequence of being broadly available, having limited security protections, and facing significant challenges in deploying software upgrades. Such botnets are usually controlled by centralized Command-and-Control (C&C) servers, which need to be identified and taken down to mitigate threats. In this paper, we propose a framework to infer C&C server IP addresses using four heuristics. Our heuristics employ static and dynamic analysis to automatically extract information from malware binaries. We use active measurements to validate inferences, and demonstrate the efficacy of our framework by identifying and characterizing C&C servers for 62% of 1050 malware binaries collected using 47 honeypots.
Keywords
IoT devices, massive botnets, security protections, software upgrades, C&C server IP addresses, dynamic analysis, active measurements, malware binaries, Bashlite and Mirai C&C servers, centralized command-and-control servers, threat mitigation, static analysis, information extraction