Understanding Internet of Things Malware by Analyzing Endpoints in their Static Artifacts
Afsah Anwar, Jinchun Choi, Abdulrahman Alabduljabbar, Hisham Alasmary, Jeffrey Spaulding, An Wang, Songqing Chen, DaeHun Nyang, Amro Awad, and David Mohaisen

TL;DR
This paper investigates IoT malware by analyzing endpoints involved in their ecosystem, using reverse-engineering and public scanner data to uncover patterns and dynamics that can inform future security measures.
Contribution
It introduces a comprehensive analysis of IoT malware endpoints through reverse-engineering and large-scale Internet data, revealing new insights into their roles and relationships.
Findings
Identified patterns between dropzones and target IPs.
Analyzed over 100 million endpoints in CIDR networks.
Provided insights into IoT malware ecosystem dynamics.
Abstract
The lack of security measures among Internet of Things (IoT) devices and their persistent online connection give adversaries a prime opportunity to target them, or even to abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze IoT malware and focus on the endpoints reachable on the public Internet that play an essential part in the IoT malware ecosystem. Namely, we analyze endpoints acting as dropzones and their targets to gain insights into the underlying dynamics of this ecosystem, such as the affinity between the dropzones and their target IP addresses, and the different patterns among endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and extract strings from them to obtain IP addresses. We further gather information about these endpoints from public Internet-wide scanners,…
Taxonomy
Topics: Network Security and Intrusion Detection · Advanced Malware Detection Techniques · Internet Traffic Analysis and Secure E-voting
