TY - GEN
T1 - IoT malware ecosystem in the wild
AU - Choi, Jinchun
AU - Spaulding, Jeffrey
AU - Anwar, Afsah
AU - Nyang, Dae Hun
AU - Alasmary, Hisham
AU - Mohaisen, Aziz
N1 - Funding Information:
This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida.
Publisher Copyright:
© 2019 Association for Computing Machinery.
PY - 2019/11/7
Y1 - 2019/11/7
N2 - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.
AB - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.
KW - Endpoints
KW - Internet of Things
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=85076258254&partnerID=8YFLogxK
U2 - 10.1145/3318216.3363379
DO - 10.1145/3318216.3363379
M3 - Conference contribution
AN - SCOPUS:85076258254
T3 - Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019
SP - 413
EP - 418
BT - Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019
PB - Association for Computing Machinery, Inc
Y2 - 7 November 2019 through 9 November 2019
ER -