IoT malware ecosystem in the wild: A glimpse into analysis and exposures

Jinchun Choi; Jeffrey Spaulding; Afsah Anwar; Dae Hun Nyang; Hisham Alasmary; Aziz Mohaisen

doi:10.1145/3318216.3363379

IoT malware ecosystem in the wild: A glimpse into analysis and exposures

Jinchun Choi, Jeffrey Spaulding, Afsah Anwar, Dae Hun Nyang, Hisham Alasmary, Aziz Mohaisen

Cyber Security

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

9 Scopus citations

Abstract

The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.

Original language	English
Title of host publication	Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019
Publisher	Association for Computing Machinery, Inc
Pages	413-418
Number of pages	6
ISBN (Electronic)	9781450367332
DOIs	https://doi.org/10.1145/3318216.3363379
State	Published - 7 Nov 2019
Event	4th ACM/IEEE Symposium on Edge Computing, SEC 2019 - Arlington, United States Duration: 7 Nov 2019 → 9 Nov 2019

Publication series

Name	Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019

Conference

Conference	4th ACM/IEEE Symposium on Edge Computing, SEC 2019
Country/Territory	United States
City	Arlington
Period	7/11/19 → 9/11/19

Bibliographical note

Funding Information:
This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida.

Publisher Copyright:
© 2019 Association for Computing Machinery.

Keywords

Endpoints
Internet of Things
Malware

Access to Document

10.1145/3318216.3363379

Cite this

Choi, J., Spaulding, J., Anwar, A., Nyang, D. H., Alasmary, H., & Mohaisen, A. (2019). IoT malware ecosystem in the wild: A glimpse into analysis and exposures. In Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019 (pp. 413-418). (Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019). Association for Computing Machinery, Inc. https://doi.org/10.1145/3318216.3363379

@inproceedings{f63f89d91bbb49c18c500da6103444bd,

title = "IoT malware ecosystem in the wild: A glimpse into analysis and exposures",

abstract = "The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.",

keywords = "Endpoints, Internet of Things, Malware",

author = "Jinchun Choi and Jeffrey Spaulding and Afsah Anwar and Nyang, {Dae Hun} and Hisham Alasmary and Aziz Mohaisen",

note = "Funding Information: This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida. Publisher Copyright: {\textcopyright} 2019 Association for Computing Machinery.; 4th ACM/IEEE Symposium on Edge Computing, SEC 2019 ; Conference date: 07-11-2019 Through 09-11-2019",

year = "2019",

month = nov,

day = "7",

doi = "10.1145/3318216.3363379",

language = "English",

series = "Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019",

publisher = "Association for Computing Machinery, Inc",

pages = "413--418",

booktitle = "Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019",

}

Choi, J, Spaulding, J, Anwar, A, Nyang, DH, Alasmary, H & Mohaisen, A 2019, IoT malware ecosystem in the wild: A glimpse into analysis and exposures. in Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019. Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019, Association for Computing Machinery, Inc, pp. 413-418, 4th ACM/IEEE Symposium on Edge Computing, SEC 2019, Arlington, United States, 7/11/19. https://doi.org/10.1145/3318216.3363379

IoT malware ecosystem in the wild: A glimpse into analysis and exposures. / Choi, Jinchun; Spaulding, Jeffrey; Anwar, Afsah et al.
Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019. Association for Computing Machinery, Inc, 2019. p. 413-418 (Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - IoT malware ecosystem in the wild

T2 - 4th ACM/IEEE Symposium on Edge Computing, SEC 2019

AU - Choi, Jinchun

AU - Spaulding, Jeffrey

AU - Anwar, Afsah

AU - Nyang, Dae Hun

AU - Alasmary, Hisham

AU - Mohaisen, Aziz

N1 - Funding Information: This research was supported by Korea National Research Foundation under grant 2016K1A1A2912757 and a collaborative seed research grant from Cyber Florida. Publisher Copyright: © 2019 Association for Computing Machinery.

PY - 2019/11/7

Y1 - 2019/11/7

N2 - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.

AB - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, and play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. For the masked IP addresses, we examine the Classless Inter-Domain Routing (CIDR) networks accumulating to more than 100 million (≈78.2% of total active public IPv4 addresses) endpoints.

KW - Endpoints

KW - Internet of Things

KW - Malware

UR - http://www.scopus.com/inward/record.url?scp=85076258254&partnerID=8YFLogxK

U2 - 10.1145/3318216.3363379

DO - 10.1145/3318216.3363379

M3 - Conference contribution

AN - SCOPUS:85076258254

T3 - Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019

SP - 413

EP - 418

BT - Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019

PB - Association for Computing Machinery, Inc

Y2 - 7 November 2019 through 9 November 2019

ER -

Choi J, Spaulding J, Anwar A, Nyang DH, Alasmary H, Mohaisen A. IoT malware ecosystem in the wild: A glimpse into analysis and exposures. In Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019. Association for Computing Machinery, Inc. 2019. p. 413-418. (Proceedings of the 4th ACM/IEEE Symposium on Edge Computing, SEC 2019). doi: 10.1145/3318216.3363379

IoT malware ecosystem in the wild: A glimpse into analysis and exposures

Abstract

Publication series

Conference

Bibliographical note

Keywords

Access to Document

Fingerprint

Cite this