Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets

Jinchun Choi; Ahmed Abusnaina; Afsah Anwar; An Wang; Songqing Chen; Dae Hun Nyang; Aziz Mohaisen

doi:10.1109/DSC47296.2019.8937574

Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets

Jinchun Choi, Ahmed Abusnaina, Afsah Anwar, An Wang, Songqing Chen, Dae Hun Nyang, Aziz Mohaisen

Department of Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

6 Scopus citations

Abstract

In this paper, we analyze the Internet of Things (IoT) Linux malware binaries to understand the dependencies among malware. Towards this end, we use static analysis to extract endpoints that malware communicates with, and classify such endpoints into targets and dropzones (equivalent to Command and Control). In total, we extracted 1,457 unique dropzone IP addresses that target 294 unique IP addresses and 1,018 masked target IP addresses. We highlight various characteristics of those dropzones and targets, including spatial, network, and organizational affinities. Towards the analysis of dropzones' interdependencies and dynamics, we identify dropzones chains. Overall, we identify 56 unique chains, which unveil coordination (and possible attacks) among different malware families. Further analysis of chains with higher node counts reveals centralization. We suggest a centrality-based defense and monitoring mechanism to limit the propagation and impact of malware.

Original language	English
Title of host publication	2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings
Publisher	Institute of Electrical and Electronics Engineers Inc.
ISBN (Electronic)	9781728123196
DOIs	https://doi.org/10.1109/DSC47296.2019.8937574
State	Published - Nov 2019
Event	3rd IEEE Conference on Dependable and Secure Computing, DSC 2019 - Hangzhou, China Duration: 18 Nov 2019 → 20 Nov 2019

Publication series

Name	2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings

Conference

Conference	3rd IEEE Conference on Dependable and Secure Computing, DSC 2019
Country/Territory	China
City	Hangzhou
Period	18/11/19 → 20/11/19

Bibliographical note

Funding Information:
In this work, we analyzed IoT malware binaries to understand the dependencies and relationships among malware. We conduct static analysis to extract the addresses communicated to or referred by the malware. Among a large number of endpoints (dropzones and targets) in static malware artifacts, we identified dependencies between dropzones, in which we coin the dropzones chain. We identified 56 unique chains and unveiled interactions among Gafgyt and Mirai families. Further analysis showed the existence of centralization within chains with higher node counts, where a central dropzone communicates with several dropzones in a decentralized fashion. We suggest central dropzone monitoring and removal, in order to understand and limit the impact of the malware. Acknowledgment. This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida.

Publisher Copyright:
© 2019 IEEE.

Keywords

Distributed Denial of Service
Internet of Things
Malware
Static Analysis

Access to Document

10.1109/DSC47296.2019.8937574

Cite this

Choi, J., Abusnaina, A., Anwar, A., Wang, A., Chen, S., Nyang, D. H., & Mohaisen, A. (2019). Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets. In 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings Article 8937574 (2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings). Institute of Electrical and Electronics Engineers Inc.. https://doi.org/10.1109/DSC47296.2019.8937574

Choi, Jinchun ; Abusnaina, Ahmed ; Anwar, Afsah et al. / Honor among Thieves : Towards Understanding the Dynamics and Interdependencies in IoT Botnets. 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2019. (2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings).

@inproceedings{95b0613374e4494593a3c01e633fc732,

title = "Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets",

abstract = "In this paper, we analyze the Internet of Things (IoT) Linux malware binaries to understand the dependencies among malware. Towards this end, we use static analysis to extract endpoints that malware communicates with, and classify such endpoints into targets and dropzones (equivalent to Command and Control). In total, we extracted 1,457 unique dropzone IP addresses that target 294 unique IP addresses and 1,018 masked target IP addresses. We highlight various characteristics of those dropzones and targets, including spatial, network, and organizational affinities. Towards the analysis of dropzones' interdependencies and dynamics, we identify dropzones chains. Overall, we identify 56 unique chains, which unveil coordination (and possible attacks) among different malware families. Further analysis of chains with higher node counts reveals centralization. We suggest a centrality-based defense and monitoring mechanism to limit the propagation and impact of malware.",

keywords = "Distributed Denial of Service, Internet of Things, Malware, Static Analysis",

author = "Jinchun Choi and Ahmed Abusnaina and Afsah Anwar and An Wang and Songqing Chen and Nyang, {Dae Hun} and Aziz Mohaisen",

note = "Funding Information: In this work, we analyzed IoT malware binaries to understand the dependencies and relationships among malware. We conduct static analysis to extract the addresses communicated to or referred by the malware. Among a large number of endpoints (dropzones and targets) in static malware artifacts, we identified dependencies between dropzones, in which we coin the dropzones chain. We identified 56 unique chains and unveiled interactions among Gafgyt and Mirai families. Further analysis showed the existence of centralization within chains with higher node counts, where a central dropzone communicates with several dropzones in a decentralized fashion. We suggest central dropzone monitoring and removal, in order to understand and limit the impact of the malware. Acknowledgment. This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida. Publisher Copyright: {\textcopyright} 2019 IEEE.; 3rd IEEE Conference on Dependable and Secure Computing, DSC 2019 ; Conference date: 18-11-2019 Through 20-11-2019",

year = "2019",

month = nov,

doi = "10.1109/DSC47296.2019.8937574",

language = "English",

series = "2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings",

publisher = "Institute of Electrical and Electronics Engineers Inc.",

booktitle = "2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings",

}

Choi, J, Abusnaina, A, Anwar, A, Wang, A, Chen, S, Nyang, DH & Mohaisen, A 2019, Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets. in 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings., 8937574, 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings, Institute of Electrical and Electronics Engineers Inc., 3rd IEEE Conference on Dependable and Secure Computing, DSC 2019, Hangzhou, China, 18/11/19. https://doi.org/10.1109/DSC47296.2019.8937574

Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets. / Choi, Jinchun; Abusnaina, Ahmed; Anwar, Afsah et al.
2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc., 2019. 8937574 (2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - Honor among Thieves

T2 - 3rd IEEE Conference on Dependable and Secure Computing, DSC 2019

AU - Choi, Jinchun

AU - Abusnaina, Ahmed

AU - Anwar, Afsah

AU - Wang, An

AU - Chen, Songqing

AU - Nyang, Dae Hun

AU - Mohaisen, Aziz

N1 - Funding Information: In this work, we analyzed IoT malware binaries to understand the dependencies and relationships among malware. We conduct static analysis to extract the addresses communicated to or referred by the malware. Among a large number of endpoints (dropzones and targets) in static malware artifacts, we identified dependencies between dropzones, in which we coin the dropzones chain. We identified 56 unique chains and unveiled interactions among Gafgyt and Mirai families. Further analysis showed the existence of centralization within chains with higher node counts, where a central dropzone communicates with several dropzones in a decentralized fashion. We suggest central dropzone monitoring and removal, in order to understand and limit the impact of the malware. Acknowledgment. This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida. Publisher Copyright: © 2019 IEEE.

PY - 2019/11

Y1 - 2019/11

N2 - In this paper, we analyze the Internet of Things (IoT) Linux malware binaries to understand the dependencies among malware. Towards this end, we use static analysis to extract endpoints that malware communicates with, and classify such endpoints into targets and dropzones (equivalent to Command and Control). In total, we extracted 1,457 unique dropzone IP addresses that target 294 unique IP addresses and 1,018 masked target IP addresses. We highlight various characteristics of those dropzones and targets, including spatial, network, and organizational affinities. Towards the analysis of dropzones' interdependencies and dynamics, we identify dropzones chains. Overall, we identify 56 unique chains, which unveil coordination (and possible attacks) among different malware families. Further analysis of chains with higher node counts reveals centralization. We suggest a centrality-based defense and monitoring mechanism to limit the propagation and impact of malware.

AB - In this paper, we analyze the Internet of Things (IoT) Linux malware binaries to understand the dependencies among malware. Towards this end, we use static analysis to extract endpoints that malware communicates with, and classify such endpoints into targets and dropzones (equivalent to Command and Control). In total, we extracted 1,457 unique dropzone IP addresses that target 294 unique IP addresses and 1,018 masked target IP addresses. We highlight various characteristics of those dropzones and targets, including spatial, network, and organizational affinities. Towards the analysis of dropzones' interdependencies and dynamics, we identify dropzones chains. Overall, we identify 56 unique chains, which unveil coordination (and possible attacks) among different malware families. Further analysis of chains with higher node counts reveals centralization. We suggest a centrality-based defense and monitoring mechanism to limit the propagation and impact of malware.

KW - Distributed Denial of Service

KW - Internet of Things

KW - Malware

KW - Static Analysis

UR - http://www.scopus.com/inward/record.url?scp=85077976137&partnerID=8YFLogxK

U2 - 10.1109/DSC47296.2019.8937574

DO - 10.1109/DSC47296.2019.8937574

M3 - Conference contribution

AN - SCOPUS:85077976137

T3 - 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings

BT - 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings

PB - Institute of Electrical and Electronics Engineers Inc.

Y2 - 18 November 2019 through 20 November 2019

ER -

Choi J, Abusnaina A, Anwar A, Wang A, Chen S, Nyang DH et al. Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets. In 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings. Institute of Electrical and Electronics Engineers Inc. 2019. 8937574. (2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings). doi: 10.1109/DSC47296.2019.8937574

Honor among Thieves: Towards Understanding the Dynamics and Interdependencies in IoT Botnets

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this