DOCSLIB.ORG

The Circle of Life: a Large-Scale Study of the Iot Malware Lifecycle

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text

Load more

The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle Omar Alrawi, Charles Lever, and Kevin Valakuzhy, Georgia Institute of Technology; Ryan Court and Kevin Snow, Zero Point Dynamics; Fabian Monrose, University of North Carolina at Chapel Hill; Manos Antonakakis, Georgia Institute of Technology https://www.usenix.org/conference/usenixsecurity21/presentation/alrawi-circle This paper is included in the Proceedings of the 30th USENIX Security Symposium. August 11–13, 2021 978-1-939133-24-3 Open access to the Proceedings of the 30th USENIX Security Symposium is sponsored by USENIX. The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle Omar Alrawi?, Charles Lever?, Kevin Valakuzhy?, Ryan Court}, Kevin Snow}, Fabian Monrose†, Manos Antonakakis? ? Georgia Institute of Technology {alrawi, chazlever, kevinv, manos}@gatech.edu } Zero Point Dynamics {rccourt, kevin}@zeropointdynamics.com † University of North Carolina at Chapel Hill [email protected] Abstract ences. For RQ2, we qualitatively evaluate how traditional Our current defenses against IoT malware may not be ade- anti-malware techniques work and judge their efficacy based quate to remediate an IoT malware attack similar to the Mirai on empirical observations from the IoT malware ecosystem. botnet. This work seeks to investigate this matter by systemat- Answering RQ1 allows the security community to under- ically and empirically studying the lifecycle of IoT malware stand the evolutionary trend of IoT malware and respond and comparing it with traditional malware that target desktop accordingly. For example, how do malware adapt to infect and mobile platforms. We present a large-scale measurement and persist on IoT devices? Are there trends that can allow of more than 166K Linux-based IoT malware samples col- us to better predict the impact of IoT malware on future IoT lected over a year. We compare our results with prior works technologies? Compared to desktop and mobile malware, are by systematizing desktop and mobile malware studies into a IoT malware capabilities bound by the device’s resources? novel framework and answering key questions about defense How does the IoT malware ecosystem impact different stake- readiness. Based on our findings, we deduce that the required holders? Furthermore, RQ2 allows the security community to technology to defend against IoT malware is available, but gauge if there are sufficient defensive techniques to counter a we conclude that there are insufficient efforts in place to deal fast-evolving IoT threat. with a large-scale IoT malware infection breakout. To date, there have been several efforts to investigate IoT malware [1]–[8]. However, these efforts either focus on in- 1 Introduction depth analysis of a single malware family or rely on small malware corpora collected over short periods. Nonetheless, The Mirai botnet set a record for the largest distributed denial these efforts provide a fascinating glimpse into the IoT threat of service (DDoS) attack and drew the attention of many se- landscape and demonstrate the need for additional research. curity professionals [1]. In the aftermath of the attack, many Moreover, current threat frameworks are either too complex new developments have shaped the IoT malware ecosystem. with a focus on traditional malware, such as the MITRE Therefore, studying the threat lifecycle for IoT malware is ATT&CK [9] framework, or study only the infection stage vital for securing IoT devices. For example, the Mirai botnet of IoT malware [10], [11]. Our work seeks to address these infected devices by using default usernames and passwords, gaps with a comprehensive evaluation of the IoT malware but current IoT malware variants target unpatched vulnera- lifecycle. We guide our study by a principled framework that bilities. We seek to study how the emerging IoT malware characterizes various stages of an IoT malware’s lifecycle, ecosystem has evolved since Mirai and whether current de- and we compare our findings with traditional malware. fenses for traditional malware can protect against it. Our work makes four contributions. First, we propose a To investigate this matter, we need to systematically un- novel analysis framework that captures the threat lifecycle of derstand how IoT malware infect systems, deploy payloads, IoT malware, which considers the infection vectors, payload persist on systems, abuse resources, and operate their infras- properties, persistence methods, capabilities, and C&C infras- tructure. We guide our analysis by answering two research tructure. Second, we use our framework to systematize 25 questions (RQ): papers that study traditional malware. Third, we characterize • RQ1: Is IoT malware different than traditional malware? IoT malware by examining more than 166K samples spanning • RQ2: Are current anti-malware techniques effective 6 different system architectures collected over a year. Fourth, against IoT malware? we make available the largest and most comprehensive IoT To answer RQ1, we compare the IoT malware lifecycle with malware corpus to date and include their analysis artifacts, traditional malware and highlight the similarities and differ- which can be found at https://badthings.info. USENIX Association 30th USENIX Security Symposium 3505 Our results show that IoT malware differs from traditional hensive studies examine individual components of the IoT malware in a few key areas including infection vectors and malware lifecycle. For example, several works [3], [5], [10], C&C communication. We find signature-based detection lacks [37] examine IoT malware infection tactics and the payload support and coverage for many IoT malware variants and that properties. Other works [6], [38] look at how to detect IoT at least 15% of new variants utilize packing to evade detection. malware by studying its binary static structural features. De Additionally, IoT malware uses various persistent methods Donno et al. [11] organize IoT malware attack capabilities to overcome read-only file systems found in IoT devices by into a taxonomy while Choi et al. [4] study the role that C&C reusing vendor-specific tools. We find a large array of capa- infrastructure plays in the lifecycle of IoT malware. bilities that have been incorporated into IoT malware such as Additional efforts [39], [40] investigate scanners on the in- proxy services, device bricking, and information theft. We ob- ternet to identify if they are infected by IoT malware. Finally, serve that the current IoT malware ecosystem has not reached Çetin et al. [41] present a unique perspective on IoT malware its full potential but may become a severe threat due to the infection cleanup by combining multiple data sources and a sheer number of IoT devices coming online. We conclude user study to measure remediation efforts. Our work differs with a set of recommendations for different stakeholders in- in two aspects, first we propose a five-component framework cluding device owners, device vendors, and ISP operators. that captures the entire lifecycle of IoT malware, which we use to compare with desktop and mobile malware. Second, 2 Background and Related Work we conduct the largest and most comprehensive empirical measurement for more than 166K Linux-based IoT malware Malware targeting embedded Linux-based systems was first samples collected over an entire year. reported in 2008 with the discovery of the Hydra IRC bot [12]. Since then, several other bots have entered the scene with var- 3 Framework and Methodology ious capabilities. Such bots include psyb0t [13], Chuck Nor- ris [14], Carna [15], Tsunami [16], Aidra [17], Dofloo [18], Next, we describe the data sources, methodology, and the Gafgyt [19], Elknot [20], XOR.DDoS [21], Wifatch [22], The- framework that we use for the comparative analysis. We define Moon [23], LUABot [24], Remaiten [25], NewAidra [26], each component’s subcategories and present a summary of our and Moose [27]. Each family had different purposes such results in Table1. AppendixA presents an extended analysis as credential theft [27], cryptocurrency mining [28], device of desktop and mobile malware from prior works. destruction [29], internet-wide scanning [15], and cleaning up infected devices [2], [22]. IoT malware development has 3.1 Comparative Framework many considerations due to the heterogeneity of devices. For example, an IP camera and a set top box can have differ- Our framework looks at five components for malware’s lifecy- ent processors, C libraries (uclibc, musel, glibc), and kernel cle. We study the infection vector, the payload properties, the versions/features (Linux 2.6, 3.2, 4.6, etc.). persistence methods, the capabilities, and the C&C infrastruc- The release of Mirai’s source code and recent develop- ture. For each component, we identify techniques discussed ments in embedded system toolchains has made it easier for in the literature for traditional malware (desktop/mobile) and IoT malware development. Antonakakis et al. [1] note that empirically measure it for IoT malware. The following defines Mirai had a wide impact due to the fact that its small code each component: base runs on diverse devices, spreads efficiently, and targets • Infection Vector is how the malware attacks a system. a large number of insecure IoT devices on the internet [30], • Payload is the dropped malware code after exploitation. [31]. The Mirai botnet took down critical DNS infrastruc- • Persistence is how the malware installs on a system. ture [32], disconnected over 900K internet subscribers [33], • Capabilities are the functions in the malware code. and attacked a large cloud service provider [34]. Soon after • C&C Infrastructure is how the malware communicates the release of Mirai’s code, many variants began to surface with the operator. with enhancement to its infection vector, payload obfusca- We study 25 papers from prior works to qualitatively de- tion, and command-and-control (C&C) communication. For rive subcategories under each component, which are in Ap- example, Satori [35], a Mirai variant, gained momentum as it pendixA. For example, we cite the work of Holz et al. [42] exploited a new vulnerability in Huawei routers.
Recommended publications
  • The Tangled Genealogy of Iot Malware

    The Tangled Genealogy of Iot Malware

    The Tangled Genealogy of IoT Malware Emanuele Cozzi Pierre-Antoine Vervier Matteo Dell’Amico emanuele:cozzi@eurecom:fr France della@linux:it EURECOM France Sophia Antipolis, France Yun Shen Leyla Bilge Davide Balzarotti yun:shen@nortonlifelock:com leylya:yumer@nortonlifelock:com davide:balzarotti@eurecom:fr NortonLifeLock, Inc. NortonLifeLock, Inc. EURECOM Reading, United Kingdom Sophia Antipolis, France Sophia Antipolis, France ABSTRACT 1 INTRODUCTION The recent emergence of consumer off-the-shelf embedded (IoT) Over the last few years we have witnessed an increase in both the devices and the rise of large-scale IoT botnets has dramatically in- volume and sophistication of malware targeting IoT systems. Tra- creased the volume and sophistication of Linux malware observed ditional botnets and DDoS tools now cohabit with crypto-mining, in the wild. The security community has put a lot of effort to docu- spyware, ransomware, and targeted samples designed to conduct ment these threats but analysts mostly rely on manual work, which cyber espionage. To make things worse, the public availability of makes it difficult to scale and hard to regularly maintain. Moreover, the source code associated with some of the main IoT malware the vast amount of code reuse that characterizes IoT malware calls families have paved the way for myriads of variants and tangled for an automated approach to detect similarities and identify the relationships of similarities and code reuse. To make sense of this phylogenetic tree of each family. complex evolution, the security community has devoted a consider- In this paper we present the largest measurement of IoT malware able effort to analyze and document these emerging threats, mostly to date.
  • Early Detection of Mirai-Like Iot Bots in Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis

    Early Detection of Mirai-Like Iot Bots in Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis

    Early Detection Of Mirai-Like IoT Bots In Large-Scale Networks Through Sub-Sampled Packet Traffic Analysis Ayush Kumar and Teng Joon Lim Department of Electrical and Computer Engineering, National University of Singapore, Singapore 119077 [email protected], [email protected] Abstract. The widespread adoption of Internet of Things has led to many secu- rity issues. Recently, there have been malware attacks on IoT devices, the most prominent one being that of Mirai. IoT devices such as IP cameras, DVRs and routers were compromised by the Mirai malware and later large-scale DDoS at- tacks were propagated using those infected devices (bots) in October 2016. In this research, we develop a network-based algorithm which can be used to detect IoT bots infected by Mirai or similar malware in large-scale networks (e.g. ISP network). The algorithm particularly targets bots scanning the network for vul- nerable devices since the typical scanning phase for botnets lasts for months and the bots can be detected much before they are involved in an actual attack. We analyze the unique signatures of the Mirai malware to identify its presence in an IoT device. The prospective deployment of our bot detection solution is discussed next along with the countermeasures which can be taken post detection. Further, to optimize the usage of computational resources, we use a two-dimensional (2D) packet sampling approach, wherein we sample the packets transmitted by IoT devices both across time and across the devices. Leveraging the Mirai signatures identified and the 2D packet sampling approach, a bot detection algorithm is pro- posed.
  • Early Detection of Iot Malware Network Activity Using Machine Learning Techniques

    Early Detection of Iot Malware Network Activity Using Machine Learning Techniques

    EDIMA: Early Detection of IoT Malware Network Activity Using Machine Learning Techniques Ayush Kumar and Teng Joon Lim Department of Electrical and Computer Engineering National University of Singapore Singapore [email protected], [email protected] Abstract—The widespread adoption of Internet of Things has open TELNET ports and attempting to login using a built-in led to many security issues. Post the Mirai-based DDoS attack dictionary of commonly used credentials (Remaiten, Hajime), in 2016 which compromised IoT devices, a host of new malware or more sophisticated malware that exploit software vulner- using Mirai’s leaked source code and targeting IoT devices have cropped up, e.g. Satori, Reaper, Amnesia, Masuta etc. These abilities to execute remote command injections on vulnera- malware exploit software vulnerabilities to infect IoT devices ble devices (Reaper, Satori, Masuta, Linux.Darlloz, Amnesia instead of open TELNET ports (like Mirai) making them more etc.). Even though TELNET port scanning can be countered difficult to block using existing solutions such as firewalls. In by deploying firewalls (at the user access gateway) which this research, we present EDIMA, a distributed modular solution block incoming/outgoing TELNET traffic, malware exploiting which can be used towards the detection of IoT malware network activity in large-scale networks (e.g. ISP, enterprise networks) software vulnerabilities involving application protocols such during the scanning/infecting phase rather than during an attack. as HTTP, SOAP, PHP etc. are more difficult to block using EDIMA employs machine learning algorithms for edge devices’ firewalls because those application protocols form a part of traffic classification, a packet traffic feature vector database, legitimate traffic as well.
  • Mevlüt Serkan Tok Tez

    Mevlüt Serkan Tok Tez

    TOBB EKONOMİ VE TEKNOLOJİ ÜNİVERSİTESİ FEN BİLİMLERİ ENSTİTÜSÜ NESNELERİN İNTERNETİNDE BOTNETLER: MIRAI ZARARLI YAZILIMI ÜZERİNE BİR ÇALIŞMA YÜKSEK LİSANS TEZİ Mevlüt Serkan TOK Bilgisayar Mühendisliği Anabilim Dalı Bilgi Güvenliği Tez Danışmanı: Prof. Dr. Ali Aydın SELÇUK Anabilim Dalı : Herhangi Mühendislik, Bilim Programı : Herhangi Program AĞUSTOS 2019 Fen Bilimleri Enstitüsü Onayı ……………………….. Prof. Dr. Osman EROĞUL Müdür Bu tezin Yüksek Lisans derecesinin tüm gereksinimlerini sağladığını onaylarım. ………………………. Prof. Dr. Oğuz ERGİN Anabilimdalı Başkanı TOBB ETÜ, Fen Bilimleri Enstitüsü’nün 171111132 numaralı Yüksek Lisans Öğrencisi Mevlüt Serkan TOK ‘un ilgili yönetmeliklerin belirlediği gerekli tüm şartları yerine getirdikten sonra hazırladığı “NESNELERİN İNTERNETİNDE BOTNETLER: MİRAİ ZARARLI YAZILIMI ÜZERİNE BİR ÇALIŞMA” başlıklı tez 08.08.2019 tarihinde aşağıda imzaları olan jüri tarafından kabul edilmiştir. Tez Danışmanı : Prof. Dr. Ali Aydın SELÇUK .............................. TOBB Ekonomi ve Teknoloji Üniversitesi Jüri Üyeleri : Prof. Dr. Suat ÖZDEMİR (Başkan) ............................. Gazi Üniversitesi Prof. Dr. Kemal BIÇAKCI .............................. TOBB Ekonomi ve Teknoloji Üniversitesi ii TEZ BİLDİRİMİ Tez içindeki bütün bilgilerin etik davranış ve akademik kurallar çerçevesinde elde edilerek sunulduğunu, alıntı yapılan kaynaklara eksiksiz atıf yapıldığını, referansların tam olarak belirtildiğini ve ayrıca bu tezin TOBB ETÜ Fen Bilimleri Enstitüsü tez yazım kurallarına uygun olarak hazırlandığını bildiririm. Mevlüt
  • Before Toasters Rise Up: a View Into the Emerging Iot Threat Landscape

    Before Toasters Rise Up: a View Into the Emerging Iot Threat Landscape

    Before Toasters Rise Up: A View Into the Emerging IoT Threat Landscape Pierre-Antoine Vervier and Yun Shen Symantec Research Labs {pierre-antoine_vervier,yun_shen}@symantec.com Abstract. The insecurity of smart Internet-connected or so-called “IoT” devices has become more concerning than ever. The existence of bot- nets exploiting vulnerable, often poorly secured and configured Internet- facing devices has been known for many years. However, the outbreak of several high-profile DDoS attacks sourced by massive IoT botnets, such as Mirai, in late 2016 served as an indication of the potential dev- astating impact that these vulnerable devices represent. Since then, the volume and sophistication of attacks targeting IoT devices have grown steeply and new botnets now emerge every couple of months. Although a lot of research is being carried out to study new spurs of attacks and malware, we still lack a comprehensive overview of the current state of the IoT thread landscape. In this paper, we present the insights gained from operating low- and high-interaction IoT honeypots for a period of six months. Namely, we see that the diversity and sophistication of IoT botnets are both growing. While Mirai is still a dominating actor, it now has to coexist with other botnets such as Hajime and IoT Reaper. Cy- bercriminals also appear to be packing their botnets with more and more software vulnerability exploits targeting specific devices to increase their infection rate and win the battle against the other competing botnets. Finally, while the IoT malware ecosystem is currently not as sophisti- cated as the traditional one, it is rapidly catching up.
  • 10 Years of Iot Malware: a Feature-Based Taxonomy

    10 Years of Iot Malware: a Feature-Based Taxonomy

    10 Years of IoT Malware: a Feature-Based Taxonomy Benjamin Vignau∗, Raphaël Khoury∗, Sylvain Hallé∗ ∗Laboratoire d’informatique formelle Département d’informatique et de mahtématique Université du Québec à Chicoutimi, Canada Email: {benjamin.vignau1, rkhoury}@uqac.ca, [email protected] Abstract—Over the past decade, there has been a rapidly 2018, that caused considerable damage to the IoT ecosystem. growing interest in IoT-connected devices. But as is usually the Most of these botnets were used to launch DDoS attacks, but case with computer systems and networks, malicious individuals we do not limit ourselves to this class of attack and instead soon noticed that these objects could be exploited for criminal purposes. The problem is particularly salient since the firmware cast a wide net over all IoT malware. Other objectives of IoT used in many Internet connected devices were developed without malware include industrial spying and crypto currency mining, taking into consideration the expertise and best security practices amongst other things. gained over the past several years by programmers in other Our analysis focuses on the features and capabilities of areas. Multiple attacks on IoT devices took place therefore over each malware and highlights the relationships of feature the last decade, culminating with the largest ever recorded DDoS attack, the Mirai botnet, which took advantage of the weaknesses borrowing that can be observed between malware. To make in the security of the IoT. In this survey, we seek to shed this relationship more salient, we propose two new visuals light on the evolution of the IoT malware. We compare the representations of the evolution of IoT malware over time.

  • Your Smart Devices Put You at Risk

    Your smart devices are a security risk Table of contents Background | Method 2 Problems in the IoT 3 Timeline of problems in the IoT 4 Taxonomy of IoT vulnerabilities in context 8 User behaviors, attitudes, and vulnerabilities 11 How to protect our IoT devices 13 Conclusion 19 Background Method The Internet of Things (IoT) is everywhere. But, To gain a better understanding of the user aspect with the number of privacy and security issues of IoT, we conducted a survey via CINT. A total of they can expose us to, is it really that “smart” to 7,000 people were surveyed, with 1,000 people bring these devices into our homes? Do you from each of the following countries: Australia, always do everything you can to protect your IoT Canada, France, Germany, the Netherlands, the devices? Blame is often put on users, but they UK, and US. Participants formed representative are only the final point of a long line of problems. samples across gender, age, family situation, and income levels. The questions revolved around There is a strong community of cybersecurity which IoT devices people had in their homes, researchers — both in academia and the industry, what measures they took to secure them, and often working with government agencies — who whose responsibility they thought it was to ensure are committed to finding vulnerabilities, making the security of IoT devices. The results were the risks known, and helping to fix them. cross-referenced with a new user-focused taxonomy of the main vulnerabilities IoT devices But what if you can’t find who to go to when you are exposed to.
  • WHY ROUTERS ARE the NEW BULLSEYE in CYBER ATTACKS Anurag Shandilya K7 Computing, India

    WHY ROUTERS ARE the NEW BULLSEYE in CYBER ATTACKS Anurag Shandilya K7 Computing, India

    WWW.VIRUSBULLETIN.COM/CONFERENCE 2019 LONDON 2 – 4 October 2019 ABSOLUTELY ROUTED!! WHY ROUTERS ARE THE NEW BULLSEYE IN CYBER ATTACKS Anurag Shandilya K7 Computing, India [email protected] ABSTRACT Routers are ubiquitous and highly vulnerable to attack. Despite being the central nervous system of any network, routers are disregarded when it comes to security, as can be proven by the fact that, although vulnerabilities in routers are identifi ed and reported, most devices remain unpatched, making easy targets for cybercriminals. In recent years we have seen threat actors shift their focus from complex operating system- and network-based attacks to comparatively simple router-based ones. Other than merely brute-forcing credentials, cyber gangs have been exploiting known and zero-day router vulnerabilities to host malicious code. CVE-2018-14847 is a vulnerability affecting MikroTik RouterOS from v6.29 to v6.42, which allowed arbitrary fi le read and write over WinBox port 8291, reported in April 2018. Although a patch was available almost immediately, Coinhive, a cryptominer, exploited this vulnerability from July 2018 onwards to inject Monero mining code into the error page served up by the device when a user accessed any HTTP page. CVE-2018-10561 was reported in DZS’ GPON routers, which was then exploited by multiple pieces of router malware including Satori and Hajime to carry out their botnet operations. The Satori malware family exploited this vulnerability to download and execute shell script on the device from the /tmp directory. More recently, CVE-2019-1652 has been reported, affecting Cisco routers and allowing command injection in the router’s certifi cate generation module.
  • Understanding and Securing Device Vulnerabilities Through Automated

    Understanding and Securing Device Vulnerabilities Through Automated

    Understanding and Securing Device Vulnerabilities through Automated Bug Report Analysis Xuan Feng1;2;5,∗ Xiaojing Liao2, XiaoFeng Wang2, Haining Wang3 Qiang Li4, Kai Yang1;5, Hongsong Zhu1;5, Limin Sun1;5† 1 Beijing Key Laboratory of IoT Information Security Technology, IIE,‡ CAS, China 2 Department of Computer Science, Indiana University Bloomington, USA 3 Department of Electrical and Computer Engineering, University of Delaware, USA 4 School of Computer and Information Technology, Beijing Jiaotong University, China 5 School of Cyber Security, University of Chinese Academy of Sciences , China Abstract in new security challenges: they are more vulnerable than Recent years have witnessed the rise of Internet-of-Things conventional computing systems. IoT systems may fall into (IoT) based cyber attacks. These attacks, as expected, are an adversary’s grip once their vulnerabilities are exposed. launched from compromised IoT devices by exploiting secu- Indeed, recent years have seen a wave of high-profile IoT rity flaws already known. Less clear, however, are the fun- related cyber attacks, with prominent examples including IoT damental causes of the pervasiveness of IoT device vulner- Reaper [25], Hajime [24], and Mirai [41]. Particularly, com- abilities and their security implications, particularly in how promised IoT systems are becoming the mainstay for today’s they affect ongoing cybercrimes. To better understand the botnets, playing a central role in recent distributed denial-of- problems and seek effective means to suppress the wave of service attacks and other cybercrimes [39]. An example is IoT-based attacks, we conduct a comprehensive study based Mirai, which involved hundreds of thousands of IoT devices on a large number of real-world attack traces collected from and generated an attack volume at 600 Gbps, overwhelming our honeypots, attack tools purchased from the underground, Krebs on Security, OVH, and Dyn.
  • UNIVERSITY of CALIFORNIA RIVERSIDE Towards a Systematic

    UNIVERSITY of CALIFORNIA RIVERSIDE Towards a Systematic

    UNIVERSITY OF CALIFORNIA RIVERSIDE Towards a Systematic Analysis of IoT Malware A Dissertation submitted in partial satisfaction of the requirements for the degree of Doctor of Philosophy in Computer Science by Ahmad Darki September 2020 Dissertation Committee: Prof. Michalis Faloutsos, Chairperson Prof. Nael Abu-Ghazaleh Prof. Srikanth Krishnamurthy Prof. Heng Yin Copyright by Ahmad Darki 2020 The Dissertation of Ahmad Darki is approved: Committee Chairperson University of California, Riverside Acknowledgments The work presented in this dissertation would not have been possible without the help of a big number of people who have supported me and my decisions in pursuing PhD. I would like to start with expressing my sincerest gratitude and appreciation to my PhD advisor Prof. Michalis Faloutsos. Prof. Faloutsos's advice and support taught me to think critically not only about my PhD work but also about my everyday life. I know I will always be grateful for this opportunity and remember the lessons I learnt for the rest of my life. It is unfortunate that I was not able to have an opportunity to say these words in person, due to COVID19. Thank you Michalis, and I hope to see you again soon. I am thankful for the committee members, Prof. Nael Abu-Ghazaleh Prof. Srikanth Krishnamurthy, and Prof. Heng Yin for their constructive comments and inputs. Their com- ments helped shape up my dissertation and the research topic. Also, I would like deeply thank Prof. Zhiyun Qian for his insightful comments in the beginning of my dissertation. I would like to thank my coauthors who have helped me in publications: Prof.
  • Internet of Things Botnet (Mirai)

    Internet of Things Botnet (Mirai)

    Sci.Int.(Lahore),31(4),607-616,2019 ISSN 1013-5316;CODEN: SINTE 8 607 INTERNET OF THINGS BOTNET (MIRAI): A SYSTEMATIC REVIEW 1*Burair Saad Hameed, 2Selvakumar Manickam, 3Kamal Alieyan National Advanced IPv6 Centre (IPv6) 1,2,3Universiti Sains Malaysia, 11800 Gelugor, Penang, Malaysia. *Correspondence: [email protected] ABSTRACT:The Internet of Things (IoT) came into being as the consequence of new and rapid advancements in connectivity and technology. The research focuses on the effects of Botnet in relation to IoT by systematically reviewing 49 peer-reviewed scholarly journal articles. The study of these articles brings to light varying degrees of problems discussed therein and the different stages and procedures adapted to attain the maximum position to solve the problems presented. While investigating the databases of SCOPUS and GOOGLE SCHOLAR, this research will examine such problems. Keywords: IoT, Mirai Botnet, Cyber Attacks, Detection, Review INTRODUCTION they still employ the same methods of infiltration as the The technological world is recently plagued with increasing original malware. This goes a long way to show that IoT rates of security breach using IoT. The IoT is an essential device vendors are careless by neglecting to implement tool for hackers to conduct their cyber attacks, as they serve even the basics of security practices. Instead, IoT botnets as the weak entry point to infiltrate a chain of modern receive even more attention from researchers [6, 7]. computer networks. The IoT is very numerous, even though However, there is a possibility of the creation of even more its computational capabilities are limited. One major chronic attacks which will disrupt different web activities feature of the IoT is that they are connected to the internet and could even affect the infrastructural settings of the always and therefore, constitute several flaws/weaknesses, internet itself.
  • The Circle of Life: a Large-Scale Study of the Iot Malware Lifecycle

    The Circle of Life: a Large-Scale Study of the Iot Malware Lifecycle

    The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle Omar Alrawi?, Charles Lever?, Kevin Valakuzhy?, Ryan Court}, Kevin Snow}, Fabian Monrose†, Manos Antonakakis? ? Georgia Institute of Technology {alrawi, chazlever, kevinv, manos}@gatech.edu } Zero Point Dynamics {rccourt, kevin}@zeropointdynamics.com † University of North Carolina at Chapel Hill [email protected] Abstract RQ2, we qualitatively evaluate how traditional anti-malware Our current defenses against IoT malware may not be ade- techniques work and judge their efficacy based on empirical quate to remediate an IoT malware attack similar to the Mirai observations from the IoT malware ecosystem. botnet. This work seeks to investigate this matter by systemat- Answering RQ1 allows the security community to under- ically and empirically studying the lifecycle of IoT malware stand the evolutionary trend of IoT malware and respond and comparing it with traditional malware that target desktop accordingly. For example, how do malware adapt to infect and mobile platforms. We present a large-scale measurement and persist on IoT devices? Are there trends that can allow of more than 166K Linux-based IoT malware samples col- us to better predict the impact of IoT malware on future IoT lected over a year. We compare our results with prior works technologies? Compared to desktop and mobile malware, are by systematizing desktop and mobile malware studies into a IoT malware capabilities bound by the device’s resources? novel framework and answering key questions about defense How does the IoT malware ecosystem impact different stake- readiness. Based on our findings, we deduce that the required holders? Furthermore, RQ2 allows the security community to technology to defend against IoT malware is available, but gauge if there are sufficient defensive techniques to counter a we conclude that there are insufficient efforts in place to deal fast-evolving IoT threat.