DOI: 10.1145/3517745.3561463
Research article, Open access

MalNet: a binary-centric network-level profiling of IoT malware

Published: 25 October 2022

Abstract

Where are the IoT C2 servers located? What vulnerabilities does IoT malware try to exploit? What DDoS attacks are launched in practice? In this work, we conduct a large-scale study to answer these questions. Specifically, we collect and dynamically analyze 1447 malware binaries from VirusTotal and MalwareBazaar on the day they become publicly known, between March 2021 and March 2022. By doing this, we are able to observe and profile their behavior at the network level, including: (a) C2 communication, (b) proliferation, and (c) issued DDoS attacks. Our comprehensive study provides the following key observations. First, we quantify the elusive behavior of C2 servers: 91% of the time a server does not respond to a second probe four hours after a successful probe. In addition, we find that 15% of the live servers we identify are not known to the threat intelligence feeds available on VirusTotal. Second, we find that IoT malware relies on fairly old vulnerabilities for its proliferation. Our binaries attempt to exploit 12 different vulnerabilities, 9 of them more than 4 years old, while the most recent one was 5 months old. Third, we observe the launch of 42 DDoS attacks spanning 8 attack types, with two types of attacks targeting gaming servers. These promising results indicate the significant value of a dynamic analysis approach that includes active measurements and probing for detecting and containing IoT botnets.
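The two C2 observations in the abstract (re-probe failures after a successful probe, and live servers absent from threat-intelligence feeds) are the kind of metric a defender computes from a probe log. The following is an added example, not code from the MalNet paper or its authors; it assumes a constructed log of liveness probes (server, timestamp, responded) and a constructed set of feed-known addresses, and the 30-minute tolerance around the four-hour re-probe window is an assumption of this example, not a parameter from the paper.

```python
"""Quantify C2 elusiveness and TI-feed coverage from a liveness probe log.

Added example (not the MalNet paper's code). Input data and the TI feed are
constructed placeholders; addresses are RFC 5737 documentation ranges.
"""
from collections import defaultdict
from datetime import datetime, timedelta

REPROBE_WINDOW = timedelta(hours=4)     # second probe is scheduled 4h after a success
TOLERANCE = timedelta(minutes=30)       # assumption: allowed drift of the re-probe time

# Constructed probe log: (server, UTC timestamp, responded?)
PROBE_LOG = [
    ("192.0.2.10", "2022-01-05T00:00:00", True),
    ("192.0.2.10", "2022-01-05T04:00:00", False),   # went dark after one success
    ("192.0.2.11", "2022-01-05T01:00:00", True),
    ("192.0.2.11", "2022-01-05T05:05:00", True),    # still up at the re-probe
    ("198.51.100.7", "2022-01-05T02:00:00", False),
    ("198.51.100.7", "2022-01-05T06:00:00", False), # never live
    ("203.0.113.3", "2022-01-06T00:00:00", True),
    ("203.0.113.3", "2022-01-06T04:00:00", False),
    ("203.0.113.3", "2022-01-06T08:00:00", True),   # intermittent server
    ("203.0.113.3", "2022-01-06T12:00:00", False),
]

# Constructed threat-intelligence feed: addresses already "known" to defenders.
TI_FEED = {"192.0.2.10", "198.51.100.7"}


def parse_log(rows):
    """Group probes per server and sort them chronologically."""
    by_server = defaultdict(list)
    for server, ts, ok in rows:
        by_server[server].append((datetime.fromisoformat(ts), ok))
    for probes in by_server.values():
        probes.sort()
    return by_server


def reprobe_failure_rate(by_server, window=REPROBE_WINDOW, tol=TOLERANCE):
    """Return (failed, paired).

    paired: successful probes that have a follow-up probe window +/- tol later.
    failed: those whose follow-up probe got no response.
    A successful probe with no matching re-probe is not counted at all.
    """
    failed = paired = 0
    for probes in by_server.values():
        for i, (t0, ok) in enumerate(probes):
            if not ok:
                continue
            follow = next(
                ((t1, ok1) for t1, ok1 in probes[i + 1:]
                 if abs((t1 - t0) - window) <= tol),
                None,
            )
            if follow is None:
                continue
            paired += 1
            if not follow[1]:
                failed += 1
    return failed, paired


def live_servers(by_server):
    """Servers that responded to at least one probe."""
    return {s for s, probes in by_server.items() if any(ok for _, ok in probes)}


def ti_coverage_gap(by_server, feed):
    """Return (live servers missing from the feed, all live servers)."""
    live = live_servers(by_server)
    return live - feed, live


if __name__ == "__main__":
    data = parse_log(PROBE_LOG)
    failed, paired = reprobe_failure_rate(data)
    print(f"re-probe failures: {failed}/{paired} ({100 * failed / paired:.0f}%)")
    unknown, live = ti_coverage_gap(data, TI_FEED)
    print(f"live servers absent from feed: {len(unknown)}/{len(live)} {sorted(unknown)}")
```

The two numbers this produces are the analogues of the paper's 91% and 15%: a single successful probe is weak evidence that a C2 server is still reachable, so a hunting pipeline should schedule a re-probe before acting on the address, and any live server missing from the feed is a candidate for enrichment rather than proof the feed is wrong.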

Supplementary Material

M4V File (449.m4v)
Presentation video


Cited By

  • Macroscopic Insights of IoT Botnet Dynamics Via AS-level Tolerance Assessment. ICC 2024 - IEEE International Conference on Communications, 2024, pp. 5244-5249. DOI: 10.1109/ICC51166.2024.10622782. Online publication date: 9 June 2024.
  • C2Store: C2 Server Profiles at Your Fingertips. Proceedings of the ACM on Networking 1(CoNEXT3), 2023, pp. 1-21. DOI: 10.1145/3629132. Online publication date: 28 November 2023.


Published In

IMC '22: Proceedings of the 22nd ACM Internet Measurement Conference
October 2022
796 pages
ISBN:9781450392594
DOI:10.1145/3517745
This work is licensed under a Creative Commons Attribution International 4.0 License.

In-Cooperation

  • USENIX Assoc

Publisher

Association for Computing Machinery

New York, NY, United States


Conference

IMC '22: ACM Internet Measurement Conference
October 25 - 27, 2022
Nice, France

Acceptance Rates

Overall Acceptance Rate 277 of 1,083 submissions, 26%
