Abstract
As the number of internet users continues to grow, so do the number and types of devices they connect with, and with them the attack surface. For example, the Qbot and Mirai botnet malware are capable of infecting devices across different chipset architectures, and both were reportedly responsible for a number of high-profile DDoS attacks in recent times. These two malware families (and many others) generally affect a broad range of consumer-grade appliances, and many of these appliances (also referred to as devices) are insecure or not designed with security in mind. While researchers have focused on areas such as attacking the botnet owner's payment infrastructure, reversing the botnet and using it as a countermeasure in grey-hat counterattacks, etc., many more questions remain unaddressed. For example, are users putting too much trust in manufacturers and failing to take adequate measures to protect their own networks? Hence, in this paper we investigate the two most popular families of Internet of Things (IoT) malware, Mirai and Qbot, to understand how they spread, what attacks they are capable of, who could be responsible, and what the threat actors' motivations are. We also propose an efficient solution to scan for Mirai- and Qbot-related vulnerabilities in IoT devices and systems. We then study what companies can do to help protect themselves from attacks. Simple steps such as correctly configuring appliances, carrying out risk assessments and creating an action plan are discussed as proactive measures that could be taken to facilitate threat reduction and incident response.
© 2020 The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG
Cite this chapter
O’Sullivan, W., Choo, KK.R., Le-Khac, NA. (2020). Defending IoT Devices from Malware. In: Le-Khac, NA., Choo, KK. (eds) Cyber and Digital Forensic Investigations. Studies in Big Data, vol 74. Springer, Cham. https://doi.org/10.1007/978-3-030-47131-6_2
DOI: https://doi.org/10.1007/978-3-030-47131-6_2
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-47130-9
Online ISBN: 978-3-030-47131-6
eBook Packages: Intelligent Technologies and Robotics (R0)