Towards a Systematic Analysis of IoT Malware
- Author(s): Darki, Ahmad;
- Advisor(s): Faloutsos, Michalis;
- et al.
Internet of Things (IoT) malware established itself as a new type of threat after enabling the most intense DDoS attacks to date using the Mirai botnet. All indications suggest that the problem will become more acute. First, source code of IoT malware such as Mirai and BASHLITE is widely available, making it easy for black-hat hackers to create their own botnets. Second, such malware employs capabilities to target particular groups of IoT devices and perform different malicious operations, such as harvesting network traffic in routers. Third, there is evidence of IoT malware getting better: new families appear and existing families evolve and adopt sophisticated techniques, including proliferation techniques and new types of C&C discovery mechanisms.
In the first Chapter we tackle the problem of malware attacking home routers. Router-specific malware has emerged as a new vector for hackers, but has received relatively little attention compared to malware on other devices. We propose RARE (Riverside’s Augmented Router Emulator), a systematic approach to analyze router malware and profile its behavior, focusing on home-office routers. The key novelty is the intelligent augmented operation of our emulation, which manages to trick malware binaries into activating irrespective of their target platform. RARE has the ability to: (a) instantiate an emulated router with or without malware, (b) replay arbitrary network traffic, and (c) monitor and interact with the malware in a semi-automated way.
In the second Chapter we develop RIoTMAN (Riverside IoT Malware Analysis), a comprehensive emulation and dynamic analysis platform for IoT malware. RIoTMAN can activate the malware and communicate with it to explore its spectrum of behaviors. The power of our platform lies in two key novelties: (a) Iterative Adaptation, and (b) Automated Interaction.
In the third Chapter we perform a longitudinal study of all IoT malware to analyze its behavior at the host and network level. In this study we break down the malware techniques and tactics, inspired by the MITRE ATT&CK framework. We profile the techniques that IoT malware employs to communicate with the botnet, to recruit devices, and the protocol used to communicate with the C&C server. Moreover, by impersonating their server, we issue control commands for the malware to enter its proliferation phase or start a DoS attack. One of the outcomes of our study is terabytes of attack traffic from real IoT malware, which can be further used in related studies.
Lastly, we develop techniques to explore IoT malware behavior under different analysis environment configurations. First, we identify the methods that IoT malware uses to identify the target environment. Second, we perform dynamic executions under different target platforms using RIoTMAN (Chapter 2) and profile changes in the malware behavior. We identify malware that exhibits 2 to 8 distinct behaviors depending on the target environment.