Please note that the following research description is from our preliminary results presented at USENIX WOOT2015. IoTPOT now emulates not only telnet but also other vulnerable services including those of specific devices with distributed proxy sensors in several countries. We have much more malware samples and have observed diverse behavior of IoT malware, such as click fraud and stealing credentials for pay-per-views. For more information, please also check our news articles. Also, if you are interested in our dataset and/or running our proxy sensor, please see here
We analyze the increasing threats against IoT devices. We first analyze Telnet-based scans in darknet, revealing that attacks on Telnet have rocketed since 2014. Moreover, by grabbing Telnet banners and web contents of the attackers, we confirm that the majority of attacks indeed stem from IoT devices.
Motivated by this, we implement IoTPOT, a novel honeypot to emulate Telnet services of various IoT devices to analyze ongoing attacks in depth. IoTPOT consists of a frontend low-interaction responder cooperating with backend high-interaction virtual environments called IoTBOX. IoTBOX operates various virtual environments commonly used by embedded systems for different CPU architectures. During 39 days of operation, we observed 76,605 download attempts of malware binaries from 16,934 visiting IP. We also confirm that none of these binaries could have been captured by existing honeypots that handle Telnet protocol such as honeyd and telnet password honeypot because they are not able to handle different incoming commands sent by the attackers.
We manually downloaded 43 distinct malware samples and found out that they run on 11 different CPU architectures. Among 43 collected samples, 39 samples were new to the database of VirusTotal(as of 2015/05/13) showing a gap of capturing utilities for this type of threat. Out of 4 samples that were in VirusTotal, 2 of them were not detected by any of the 57 A/Vs of VirusTotal (as of 2015/05/13).
In order to analyze these captured malware binaries, we implement IoTBOX, the first malware analysis environment for IoT devices. IoTBOX supports 8 CPU architectures, spanning MIPS, ARM, and PPC. The sandbox analysis of 17 samples by IoTBOX revealed that the samples are used to perform 10 different types of DDoS attacks and port 23 scans.
Finally, combining the observations results of IoTPOT with the sandbox analysis by IoTBOX, we confirm that:
The following datasets are available upon request for interested researchers.
Please note that we recently updated IoTPOT and now it has a proxy
sensor to run on remote environment. If you could run the sensor at your
environment, all attack traffic on the sensor would be redirected and
handled to our honeypot center in Yokohama, Japan. Distributed proxy
sensor on your environment will provide us additional visibility of
attacks on IoT, especially those with locality. In return for runing the
proxy, you will observe the attack traffic and malware samples captured
on your sensor and some of our own sensors.
If you are interested in our dataset and/or setting up our proxy sensor
at your environment, please contact to the following email addresses
with a brief description of your research:
This is a joint work between Yokohama National University, Japan and Saarland University, Germany.
Last Update: 2016/06/27