Abstract
As malware poses a significant threat to IoT devices, the technology to combat IoT malware, like sandbox, has not received enough attention. The majority of efforts in existing researches have focused on x86-flavored binaries that are not used for IoT devices. In fact, we have witnessed that many samples of IoT malware that can be observed in the wild are ARM binaries. In this paper, we propose a novel sandbox that is helpful to analyze and understand the IoT malware behavior. Our sandbox system, called Tamer, supports dynamic analysis for ARM binaries and has some features to automate and facilitate IoT malware analysis, like the automated interaction mechanism and the fake network environment for dynamic analysis. In addition, our system adopts features, like dynamic binary instrumentation and virtual machine introspection, which may allow retrieving further insights from malware. With the dataset of real-world malware, we demonstrated that our sandbox system can analyze IoT malware that is specifically designed for infecting IoT devices. Through an analysis experiment on a large number of IoT malware samples, we demonstrate a possibility that our system could facilitate a large scale analysis in an automated manner and retrieve further insights from IoT malware. Furthermore, we demonstrate that the information on IoT malware behavior using Tamer is helpful in understanding the details of IoT malware behavior from the data analysis perspective.
Similar content being viewed by others
Notes
MD5: ca92a3b74a65ce06035fcc280740daf6.
Strace: linux syscall tracer. https://strace.io
MD5:1497740fa8920e4af6aa981a5b405937.
Top—Linux manual page. https://man7.org/linux/man-pages/man1/top.1.html
References
Cozzi, E., Graziano, M., Fratantonio, Y., Balzarotti, D.: Understanding linux malware. In: 2018 IEEE Symposium on Security and Privacy (SP), pp. 161–175 (2018). IEEE
Cozzi, E., Vervier, P.-A., Dell’Amico, M., Shen, Y., Bilge, L., Balzarotti, D.: The tangled genealogy of iot malware. In: Annual Computer Security Applications Conference, pp. 1–16 (2020)
Carrillo-Mondéjar, J., Martínez, J., Suarez-Tangil, G.: Characterizing linux-based malware: Findings and recent trends. Futur. Gener. Comput. Syst. 110, 267–281 (2020)
Cuckoo: Automated Malware Analysis. https://www.cuckoosandbox.org/ (2013)
Willems, C., Holz, T., Freiling, F.: Toward automated dynamic malware analysis using cwsandbox. IEEE Secur. Privacy 5(2), 32–39 (2007)
Bayer, U., Moser, A., Kruegel, C., Kirda, E.: Dynamic analysis of malicious code. J. Comput. Virol. 2(1), 67–77 (2006)
Monnappa, K.: Automating linux malware analysis using limon sandbox. Black Hat Europe 2015 (2015)
VirusShare: “VirusShare”. https://virusshare.com/ (2020)
inetsim: “INetSim: Internet Services Simulation Suite”. https://www.inetsim.org/ (2020)
Debian.org: “Debian Squeeze and Wheezy armel images for QEMU”. https://people.debian.org/~aurel32/qemu/armel/ (2014)
Dolan-Gavitt, B., Hodosh, J., Hulin, P., Leek, T., Whelan, R.: Repeatable reverse engineering with panda. In: Proceedings of the 5th Program Protection and Reverse Engineering Workshop, p. 4 (2015). ACM
LinuxFoundation: “networking:bridge [Wiki]”. https://wiki.linuxfoundation.org/networking/bridge (2020)
Michel Oosterhof: “Cowrie SSH/Telnet Honeypot”. https://github.com/cowrie/cowrie (2014)
FortiGuard: Reaper: The Next Evolution of IoT Botnets. https://www.fortinet.com/blog/threat-research/reaper-the-next-evolution-of-iot-botnets (2017)
Jang, J., Brumley, D., Venkataraman, S.: Bitshred: feature hashing malware for scalable triage and semantic analysis. In: Proceedings of the 18th ACM Conference on Computer and Communications Security, pp. 309–320 (2011)
Kouliaridis, V., Kambourakis, G., Peng, T.: Feature importance in android malware detection. In: 2020 IEEE 19th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 1449–1454 (2020). IEEE
Unit42, P.A.N.: New IoT/Linux Malware Targets DVRs, Forms Botnet. https://unit42.paloaltonetworks.com/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/ (2017)
Schwartz, E.J., Avgerinos, T., Brumley, D.: All you ever wanted to know about dynamic taint analysis and forward symbolic execution (but might have been afraid to ask). In: IEEE Symposium On Security and Privacy (SP), 2010, pp. 317–331 (2010). IEEE
Pa, Y.M.P., Suzuki, S., Yoshioka, K., Matsumoto, T., Kasama, T., Rossow, C.: Iotpot: A novel honeypot for revealing current IoT threats. J. Inf. Process. 24(3), 522–533 (2016)
Le, H.-V., Ngo, Q.-D.: V-sandbox for dynamic analysis IoT botnet. IEEE Access 8, 145768–145786 (2020)
Bulazel, A., Yener, B.: A survey on automated dynamic malware analysis evasion and counter-evasion: Pc, mobile, and web. In: Proceedings of the 1st Reversing and Offensive-oriented Trends Symposium, pp. 1–21 (2017)
eBPF: “eBPF - Introduction, Tutorials & Community Resources”. https://ebpf.io/ (2020)
Zaddach, J., Bruno, L., Francillon, A., Balzarotti, D., et al.: Avatar: A framework to support dynamic security analysis of embedded systems’ firmwares. In: NDSS, vol. 23, pp. 1–16 (2014)
Muench, M., Nisi, D., Francillon, A., Balzarotti, D.: Avatar2: A multi-target orchestration platform. In: Proc. Workshop Binary Anal. Res.(Colocated NDSS Symp.), vol. 18, pp. 1–11 (2018)
Xie, C., Guo, Y., Shi, S., Sheng, Y., Chen, X., Li, C., Wen, W.: Envfaker: A method to reinforce linux sandbox based on tracer, filter and emulator against environmental-sensitive malware. In: 2021 IEEE 20th International Conference on Trust, Security and Privacy in Computing and Communications (TrustCom), pp. 667–677 (2021). IEEE
Raju, A.D., Abualhaol, I.Y., Giagone, R.S., Zhou, Y., Huang, S.: A survey on cross-architectural IoT malware threat hunting. IEEE Access 9, 91686–91709 (2021)
Author information
Authors and Affiliations
Corresponding author
Additional information
Publisher's Note
Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.
Rights and permissions
Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.
About this article
Cite this article
Yonamine, S., Taenaka, Y., Kadobayashi, Y. et al. Design and implementation of a sandbox for facilitating and automating IoT malware analysis with techniques to elicit malicious behavior: case studies of functionalities for dissecting IoT malware. J Comput Virol Hack Tech 19, 149–163 (2023). https://doi.org/10.1007/s11416-023-00478-x
Received:
Accepted:
Published:
Issue Date:
DOI: https://doi.org/10.1007/s11416-023-00478-x