TY - JOUR
T1 - Understanding Internet of Things malware by analyzing endpoints in their static artifacts
AU - Choi, Jinchun
AU - Anwar, Afsah
AU - Alabduljabbar, Abdulrahman
AU - Alasmary, Hisham
AU - Spaulding, Jeffrey
AU - Wang, An
AU - Chen, Songqing
AU - Nyang, Dae Hun
AU - Awad, Amro
AU - Mohaisen, David
N1 - Publisher Copyright:
© 2022
PY - 2022/4/7
Y1 - 2022/4/7
N2 - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection gives adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, that play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. Our results, through analysis and visualization expose clear patterns of affinity between sources and targets of attacks, attack exposure by Internet infrastructure, and clear depiction of the ecosystem of IoT malware as a whole, only utilizing static artifacts. Our investigation from four different perspectives provides profound insights into the role of endpoints in IoT malware attacks, which deepens our understanding of IoT malware ecosystems and can assist future defenses.
AB - The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection gives adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet, that play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics in this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners, such as Shodan and Censys. Our results, through analysis and visualization expose clear patterns of affinity between sources and targets of attacks, attack exposure by Internet infrastructure, and clear depiction of the ecosystem of IoT malware as a whole, only utilizing static artifacts. Our investigation from four different perspectives provides profound insights into the role of endpoints in IoT malware attacks, which deepens our understanding of IoT malware ecosystems and can assist future defenses.
KW - Endpoints
KW - Internet of Things
KW - Malware
UR - http://www.scopus.com/inward/record.url?scp=85124103120&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2022.108768
DO - 10.1016/j.comnet.2022.108768
M3 - Article
AN - SCOPUS:85124103120
SN - 1389-1286
VL - 206
JO - Computer Networks
JF - Computer Networks
M1 - 108768
ER -