Abstract
In this paper, we analyze Internet of Things (IoT) Linux malware binaries to understand the dependencies among malware. Towards this end, we use static analysis to extract the endpoints that malware communicates with, and classify such endpoints into targets and dropzones (equivalent to Command and Control). In total, we extracted 1,457 unique dropzone IP addresses that target 294 unique IP addresses and 1,018 masked target IP addresses. We highlight various characteristics of those dropzones and targets, including spatial, network, and organizational affinities. Towards the analysis of dropzones' interdependencies and dynamics, we identify dropzone chains. Overall, we identify 56 unique chains, which unveil coordination (and possible attacks) among different malware families. Further analysis of chains with higher node counts reveals centralization. We suggest a centrality-based defense and monitoring mechanism to limit the propagation and impact of malware.
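The abstract describes classifying statically extracted endpoints into dropzones and targets, linking dropzones into chains, and ranking them by centrality. The following added example (not code from the paper or its authors) implements that pipeline on constructed records: a chain edge exists when a sample served from one dropzone targets an IP that is itself a dropzone, and degree centrality picks the node to monitor first.

```python
from collections import defaultdict

# Constructed sample records: (sample_id, dropzone_ip, [target_ips]), the shape a
# static-analysis pass would extract. IPs are RFC 5737 documentation addresses.
SAMPLES = [
    ("s1", "192.0.2.10", ["198.51.100.5", "192.0.2.20"]),
    ("s2", "192.0.2.20", ["192.0.2.30", "203.0.113.7"]),
    ("s3", "192.0.2.30", ["203.0.113.9"]),
    ("s4", "192.0.2.40", ["192.0.2.20"]),
]

def classify(samples) -> tuple[set[str], set[str]]:
    """Split endpoints into dropzones (C2/hosting side) and targets (attacked side)."""
    dropzones = {dz for _, dz, _ in samples}
    targets = {t for _, _, ts in samples for t in ts}
    return dropzones, targets

def chain_edges(samples) -> dict[str, set[str]]:
    """Edge A -> B when a sample served from dropzone A targets IP B that is itself a dropzone."""
    dropzones, _ = classify(samples)
    edges: dict[str, set[str]] = defaultdict(set)
    for _, dz, ts in samples:
        for t in ts:
            if t in dropzones and t != dz:
                edges[dz].add(t)
    return edges

def chains(samples) -> list[list[str]]:
    """Maximal simple paths starting from dropzones that have no inbound chain edge."""
    edges = chain_edges(samples)
    inbound = {t for ts in edges.values() for t in ts}
    out: list[list[str]] = []
    def walk(path):
        nxt = sorted(n for n in edges.get(path[-1], ()) if n not in path)
        if not nxt:
            out.append(path)
        for n in nxt:
            walk(path + [n])
    for root in sorted(dz for dz in edges if dz not in inbound):
        walk([root])
    return out

def degree_centrality(samples) -> dict[str, int]:
    """In-degree plus out-degree over chain edges; the top node is the one to monitor or take down first."""
    deg: dict[str, int] = defaultdict(int)
    for a, bs in chain_edges(samples).items():
        for b in bs:
            deg[a] += 1
            deg[b] += 1
    return dict(deg)
```

On the constructed data, 192.0.2.20 sits on both chains and has the highest degree, so removing or monitoring it covers every chain at once.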
| Original language | English |
|---|---|
| Title of host publication | 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings |
| Publisher | Institute of Electrical and Electronics Engineers Inc. |
| ISBN (Electronic) | 9781728123196 |
| DOIs | |
| State | Published - Nov 2019 |
| Event | 3rd IEEE Conference on Dependable and Secure Computing, DSC 2019 - Hangzhou, China; Duration: 18 Nov 2019 → 20 Nov 2019 |
Publication series
| Name | 2019 IEEE Conference on Dependable and Secure Computing, DSC 2019 - Proceedings |
|---|---|
Conference
| Conference | 3rd IEEE Conference on Dependable and Secure Computing, DSC 2019 |
|---|---|
| Country/Territory | China |
| City | Hangzhou |
| Period | 18/11/19 → 20/11/19 |
Bibliographical note
Funding Information: In this work, we analyzed IoT malware binaries to understand the dependencies and relationships among malware. We conduct static analysis to extract the addresses communicated to or referred to by the malware. Among a large number of endpoints (dropzones and targets) in static malware artifacts, we identified dependencies between dropzones, which we coin the dropzone chain. We identified 56 unique chains and unveiled interactions among the Gafgyt and Mirai families. Further analysis showed the existence of centralization within chains with higher node counts, where a central dropzone communicates with several dropzones in a decentralized fashion. We suggest central dropzone monitoring and removal in order to understand and limit the impact of the malware. Acknowledgment. This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida.
Publisher Copyright:
© 2019 IEEE.
Keywords
- Distributed Denial of Service
- Internet of Things
- Malware
- Static Analysis