
Design and implementation of a sandbox for facilitating and automating IoT malware analysis with techniques to elicit malicious behavior: case studies of functionalities for dissecting IoT malware

  • Invited Paper

Journal of Computer Virology and Hacking Techniques

Abstract

Although malware poses a significant threat to IoT devices, the technology to combat IoT malware, such as sandboxes, has not received enough attention. The majority of existing research has focused on x86 binaries, which are not used on IoT devices. In fact, we have observed that many IoT malware samples found in the wild are ARM binaries. In this paper, we propose a novel sandbox that helps analysts understand IoT malware behavior. Our sandbox system, called Tamer, supports dynamic analysis of ARM binaries and has features that automate and facilitate IoT malware analysis, such as an automated interaction mechanism and a fake network environment for dynamic analysis. In addition, our system adopts techniques such as dynamic binary instrumentation and virtual machine introspection, which may allow retrieving further insights from malware. Using a dataset of real-world malware, we demonstrated that our sandbox system can analyze IoT malware specifically designed to infect IoT devices. Through an analysis experiment on a large number of IoT malware samples, we demonstrate that our system could facilitate large-scale analysis in an automated manner and retrieve further insights from IoT malware. Furthermore, we demonstrate that the information on IoT malware behavior obtained using Tamer is helpful in understanding the details of IoT malware behavior from a data analysis perspective.


Notes

  1. https://linux.die.net/man/1/expect

  2. https://github.com/shun-yo/Tamer

  3. https://en.wikibooks.org/wiki/QEMU/Monitor

  4. MD5: ca92a3b74a65ce06035fcc280740daf6.

  5. Strace: linux syscall tracer. https://strace.io

  6. MD5: 1497740fa8920e4af6aa981a5b405937.

  7. Top—Linux manual page. https://man7.org/linux/man-pages/man1/top.1.html


Author information

Corresponding author: Shun Yonamine.


About this article


Cite this article

Yonamine, S., Taenaka, Y., Kadobayashi, Y. et al. Design and implementation of a sandbox for facilitating and automating IoT malware analysis with techniques to elicit malicious behavior: case studies of functionalities for dissecting IoT malware. J Comput Virol Hack Tech 19, 149–163 (2023). https://doi.org/10.1007/s11416-023-00478-x
