RIoTMAN: a systematic analysis of IoT malware behavior


Research area: Analysis



Conference: CoNEXT '20: Proceedings of the 16th International Conference on emerging Networking EXperiments and Technologies


Abstract

How can we conduct dynamic analysis on IoT malware efficiently? A key challenge is that such malware targets a plethora of different devices, which makes identifying the target device non-trivial. This problem does not appear nearly as much in PC and smartphone malware, where the devices are more uniform. The contribution of our work is twofold: (a) we develop RIoTMAN, a comprehensive emulation and dynamic analysis approach, and (b) we study the network behavior of 3024 IoT malware systematically. The power of our approach lies in two key novelties: (a) Iterative Adaptation, and (b) Automated Engagement. First, we employ an intelligent iterative process that incrementally "builds" the configuration of the target device. Second, our platform automates the interaction with the malware even during the C&C server communication phase. In our experiments, we first show that we achieve an activation rate of 93% for our binaries, including 173 binaries, which VirusTotal fails to identify as malicious. Second, we impersonate the C&C server for 79% of the malware binaries successfully: we make the malware initiate DDoS attacks, or enter its proliferation phase. Finally, we observe several interesting malware techniques, including unusual communication behaviors. Our goal is to release our platform as an open-source tool to accelerate the efforts for understanding IoT malware in depth and at scale.


Author Profile
Ahmad Darki

University of California Riverside

Author Profile
Michalis Faloutsos

University of California Riverside


Paper information

Publication year: 2020
Citations: 10
Site: ACM