
Research Article
A Longitudinal Measurement and Analysis of Pink, a Hybrid P2P IoT Botnet
@INPROCEEDINGS{10.1007/978-3-031-24386-8_23,
  author={Binglai Wang and Yafei Sang and Yongzheng Zhang and Shuhao Li and Ruihai Ge and Yong Ding},
  title={A Longitudinal Measurement and Analysis of Pink, a Hybrid P2P IoT Botnet},
  proceedings={Collaborative Computing: Networking, Applications and Worksharing. 18th EAI International Conference, CollaborateCom 2022, Hangzhou, China, October 15-16, 2022, Proceedings, Part II},
  proceedings_a={COLLABORATECOM PART 2},
  year={2023},
  month={1},
  keywords={Botnet P2P C \&C IoT Pink Network},
  doi={10.1007/978-3-031-24386-8_23}
}
- Binglai Wang
- Yafei Sang
- Yongzheng Zhang
- Shuhao Li
- Ruihai Ge
- Yong Ding
Year: 2023
COLLABORATECOM PART 2
Springer
DOI: 10.1007/978-3-031-24386-8_23
Abstract
With the ubiquitous deployment of Internet of Things (IoT) devices in many fields, more and more IoT botnets have taken a variety of penetration methods to infect vulnerable IoT devices. Nowadays, a substantial Peer-to-Peer (P2P) IoT botnet named Pink has infected over 1.6 million IoT devices since January 2020, and its impact once exceeded other notorious IoT botnets, such as Mirai, Hajime, Mozi, and so on. Pink is the first IoT botnet using a hybrid topology with centralized and decentralized network architectures. Its two distinct features can be summarized as follows. (i) Different from the conventional P2P IoT botnet based on the public Distributed Hash Table (DHT) service, Pink introduces a novel mechanism called B-segment to build a P2P network, which makes it challenging to track the entire botnet. (ii) Pink is the first IoT botnet to leverage third-party services to propagate configuration files, thereby increasing its resilience. In this paper, we propose an active detection method to measure and understand the development and changes of the Pink botnet continuously. Through daily and continuous measuring of the Pink botnet since January 2022, we firstly provide a comprehensive view of its inapparent network, including bot sizes, global geographic distribution, daily activity, configuration analysis, and Pink botnet countermeasures. We believe that our measurement result is infinitely close to the boundary of the Pink network. Through this study, we reveal that deeper penetration attacks are occurring in the IoT field, and there is an urgent need to improve the security protection of IoT devices. Meanwhile, we hope that this study can promote future research on IoT botnets.