Understanding Internet of Things Malware by Analyzing Endpoints in their Static Artifacts
The lack of security measures among the Internet of Things (IoT) devices and their persistent online connection gives adversaries a prime opportunity to target them or even abuse them as intermediary targets in larger attacks such as distributed denial-of-service (DDoS) campaigns. In this paper, we...
Saved in:
| Main Authors | , , , , , , , , , |
|---|---|
| Format | Journal Article |
| Language | English |
| Published |
25.03.2021
|
| Subjects | |
| Online Access | Get full text |
| DOI | 10.48550/arxiv.2103.14217 |
Cover
| Abstract | The lack of security measures among the Internet of Things (IoT) devices and
their persistent online connection gives adversaries a prime opportunity to
target them or even abuse them as intermediary targets in larger attacks such
as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze
IoT malware and focus on the endpoints reachable on the public Internet, that
play an essential part in the IoT malware ecosystem. Namely, we analyze
endpoints acting as dropzones and their targets to gain insights into the
underlying dynamics in this ecosystem, such as the affinity between the
dropzones and their target IP addresses, and the different patterns among
endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and
extract strings from them to obtain IP addresses. We further gather information
about these endpoints from public Internet-wide scanners, such as Shodan and
Censys. For the masked IP addresses, we examine the Classless Inter-Domain
Routing (CIDR) networks accumulating to more than 100 million (78.2% of total
active public IPv4 addresses) endpoints. Our investigation from four different
perspectives provides profound insights into the role of endpoints in IoT
malware attacks, which deepens our understanding of IoT malware ecosystems and
can assist future defenses. |
|---|---|
| AbstractList | The lack of security measures among the Internet of Things (IoT) devices and
their persistent online connection gives adversaries a prime opportunity to
target them or even abuse them as intermediary targets in larger attacks such
as distributed denial-of-service (DDoS) campaigns. In this paper, we analyze
IoT malware and focus on the endpoints reachable on the public Internet, that
play an essential part in the IoT malware ecosystem. Namely, we analyze
endpoints acting as dropzones and their targets to gain insights into the
underlying dynamics in this ecosystem, such as the affinity between the
dropzones and their target IP addresses, and the different patterns among
endpoints. Towards this goal, we reverse-engineer 2,423 IoT malware samples and
extract strings from them to obtain IP addresses. We further gather information
about these endpoints from public Internet-wide scanners, such as Shodan and
Censys. For the masked IP addresses, we examine the Classless Inter-Domain
Routing (CIDR) networks accumulating to more than 100 million (78.2% of total
active public IPv4 addresses) endpoints. Our investigation from four different
perspectives provides profound insights into the role of endpoints in IoT
malware attacks, which deepens our understanding of IoT malware ecosystems and
can assist future defenses. |
| Author | Nyang, DaeHun Chen, Songqing Alasmary, Hisham Wang, An Choi, Jinchun Alabduljabbar, Abdulrahman Spaulding, Jeffrey Awad, Amro Mohaisen, David Anwar, Afsah |
| Author_xml | – sequence: 1 givenname: Afsah surname: Anwar fullname: Anwar, Afsah – sequence: 2 givenname: Jinchun surname: Choi fullname: Choi, Jinchun – sequence: 3 givenname: Abdulrahman surname: Alabduljabbar fullname: Alabduljabbar, Abdulrahman – sequence: 4 givenname: Hisham surname: Alasmary fullname: Alasmary, Hisham – sequence: 5 givenname: Jeffrey surname: Spaulding fullname: Spaulding, Jeffrey – sequence: 6 givenname: An surname: Wang fullname: Wang, An – sequence: 7 givenname: Songqing surname: Chen fullname: Chen, Songqing – sequence: 8 givenname: DaeHun surname: Nyang fullname: Nyang, DaeHun – sequence: 9 givenname: Amro surname: Awad fullname: Awad, Amro – sequence: 10 givenname: David surname: Mohaisen fullname: Mohaisen, David |
| BackLink | https://doi.org/10.48550/arXiv.2103.14217$$DView paper in arXiv |
| BookMark | eNqFzrsOgkAQheEttPD2AFbOC4gsl2hLDEYLK7GwIiMssgkOZHei4tMrxN7qJCd_8Y3FgGpSQsyl6wSbMHRXaF764XjS9R0ZeHI9Epcz5cpYRso13eBArAwphrqApPw-Fo5YPdEouLYQEVbtu-tiyptaE1vQBFwqbeDEyDqDyLAuMGM7FcMCK6tmv52IxS5Otvtlj0gbo-9o2rTDpD3G_198APDHQcw |
| ContentType | Journal Article |
| Copyright | http://creativecommons.org/publicdomain/zero/1.0 |
| Copyright_xml | – notice: http://creativecommons.org/publicdomain/zero/1.0 |
| DBID | AKY GOX |
| DOI | 10.48550/arxiv.2103.14217 |
| DatabaseName | arXiv Computer Science arXiv.org |
| DatabaseTitleList | |
| Database_xml | – sequence: 1 dbid: GOX name: arXiv.org url: http://arxiv.org/find sourceTypes: Open Access Repository |
| DeliveryMethod | fulltext_linktorsrc |
| ExternalDocumentID | 2103_14217 |
| GroupedDBID | AKY GOX |
| ID | FETCH-arxiv_primary_2103_142173 |
| IEDL.DBID | GOX |
| IngestDate | Wed Jul 23 02:01:01 EDT 2025 |
| IsDoiOpenAccess | true |
| IsOpenAccess | true |
| IsPeerReviewed | false |
| IsScholarly | false |
| Language | English |
| LinkModel | DirectLink |
| MergedId | FETCHMERGED-arxiv_primary_2103_142173 |
| OpenAccessLink | https://arxiv.org/abs/2103.14217 |
| ParticipantIDs | arxiv_primary_2103_14217 |
| PublicationCentury | 2000 |
| PublicationDate | 2021-03-25 |
| PublicationDateYYYYMMDD | 2021-03-25 |
| PublicationDate_xml | – month: 03 year: 2021 text: 2021-03-25 day: 25 |
| PublicationDecade | 2020 |
| PublicationYear | 2021 |
| Score | 3.5093107 |
| SecondaryResourceType | preprint |
| Snippet | The lack of security measures among the Internet of Things (IoT) devices and
their persistent online connection gives adversaries a prime opportunity to
target... |
| SourceID | arxiv |
| SourceType | Open Access Repository |
| SubjectTerms | Computer Science - Cryptography and Security |
| Title | Understanding Internet of Things Malware by Analyzing Endpoints in their Static Artifacts |
| URI | https://arxiv.org/abs/2103.14217 |
| hasFullText | 1 |
| inHoldings | 1 |
| isFullTextHit | |
| isPrint | |
| link | http://utb.summon.serialssolutions.com/2.0.0/link/0/eLvHCXMwdV1LS8QwEB529-RFFJX1PQevxZo0jT2K7LoIqxcX6qk0yRQK0l3a-vz15rHiXvaaDGHIg_lmku8LwFVSuo1TUaRFaqJEZDq6rRyBmUvSieSMpCMKz5_S2SJ5zEU-APzjwpTtV_0R9IFVd23zEW7PsoXNQxgy5pKrh-c8XE56Ka61_b-dxZi-aSNITPdgd43u8C4sxz4MqDmA18UmgQRDDY56XFYYfs3Eefn2WbaE6hu9SMiPs5s0ZrWsm77DukFfz0eHDGvth3eEhO4QLqeTl_tZ5J0pVkE5onB-Ft5PfgQjm9_TGDBOy1RpFUuTUWJiqW4qYSrJlBAyk4qOYbxtlJPtXaeww9zzi5hHTJzBqG_f6dzGz15d-En8BQ5odcg |
| linkProvider | Cornell University |
| openUrl | ctx_ver=Z39.88-2004&ctx_enc=info%3Aofi%2Fenc%3AUTF-8&rfr_id=info%3Asid%2Fsummon.serialssolutions.com&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=article&rft.atitle=Understanding+Internet+of+Things+Malware+by+Analyzing+Endpoints+in+their+Static+Artifacts&rft.au=Anwar%2C+Afsah&rft.au=Choi%2C+Jinchun&rft.au=Alabduljabbar%2C+Abdulrahman&rft.au=Alasmary%2C+Hisham&rft.date=2021-03-25&rft_id=info:doi/10.48550%2Farxiv.2103.14217&rft.externalDocID=2103_14217 |