IoT Malware: Comprehensive Survey, Analysis Framework and Case Studies presented at blackhatUSA2018 2018

by Andrei Costin, Jonas Zaddach,

Summary : Computer malware in all its forms is nearly as old as the first PCs running commodity OSes, dating back at least 30 years. However, the number and the variety of "computing devices" dramatically increased during the last several years. Therefore, the focus of malware authors and operators slowly but steadily started shifting or expanding towards Internet of Things (IoT) malware.Unfortunately, at present there is no publicly available comprehensive study and methodology that collects, analyses, measures, and presents the (meta-)data related to IoT malware in a systematic and a holistic manner. In most cases, if not all, the resources on the topic are available as blog posts, sparse technical reports, or Systematization of Knowledge (SoK) papers deeply focused on a particular IoT malware strain (e.g., Mirai). Some other times those resources are already unavailable, or can become unavailable or restricted at any time. Moreover, many of such resources contain errors (e.g., wrong CVEs), omissions (e.g., hashes), limited perspectives (e.g., network behaviour only), or otherwise present incomplete or inaccurate analysis. Hence, all these factors leave unattended the main challenges of analysing, tracking, detecting, and defending against IoT malware in a systematic, effective and efficient way.This work attempts to bridge this gap. We start with mostly manual collection, archival, meta-information extraction and cross-validation of more than 637 unique resources related to IoT malware families. These resources relate to 60 1 IoT malware families, and include 260 resources related to 48 unique vulnerabilities used in the disclosed or detected IoT malware attacks. We then use the extracted information to establish as accurately as possible the timeline of events related to each IoT malware family and relevant vulnerabilities, and to outline important insights and statistics. For example, our analysis shows that the mean and median CVSS scores of all analyzed vulnerabilities employed by the IoT malware families are quite modest yet: 6.9 and 7.1 for CVSSv2, and 7.5 and 7.5 for CVSSv3 respectively. Moreover, the public knowledge to defend against or prevent those vulnerabilities could have been used, on average, at least 90 days before the first malware samples were submitted for analysis. Finally, to help validate our work as well as to motivate its continuous growth and improvement by the research community, we open-source our datasets and release our IoT malware analysis framework and our IoT malware analysis framework.