A Near Real-Time Scheme for Collecting and Analyzing IoT Malware Artifacts at Scale.

International Conference on Availability, Reliability and Security (ARES)(2022)

Abstract
The chronic proliferation of Internet of Things (IoT) botnet malware activity, coupled with an unprecedented rise in security vulnerabilities, opens a new world of opportunities for perpetrators and raises a new set of hurdles in deriving relevant IoT malware intelligence. This shortfall within the IoT paradigm limits our ability to identify the prevailing IoT malware threats, the origin of IoT attacks, and the security deficit associated with the IoT paradigm. Previous work has extensively studied IoT malware activity in the wild, but has not profiled malicious activity at large scale so as to collect, in near real time, the central IoT artifacts that are much needed to understand and eventually elevate the security posture of the IoT ecosystem. To this end, we propose in this work a near real-time collection scheme to collect and analyze, at scale, the IoT malware artifacts essential for understanding the prevalent cyber security risks. We leverage a large network telescope comprising 16.7 million IPs as one extensive honeypot to examine evidence of malicious IoT probes in the wild. Subsequently, we employ a deception technique to respond to these probes and eventually establish bogus connections to collect IoT malware artifacts. In only 120 hours of near real-time measurements, our proposed scheme collected 80,569,070 interactions originating from 30,190 malware-infected IoT devices. Accordingly, we derive pivotal IoT malware intelligence, which includes system commands, evidence of file-less attacks, payload URLs, Executable and Linkable Format (ELF) binaries, log-in credentials, malicious LDAP servers, and unique insights into the abuse of the recent Log4shell security vulnerability in distributing IoT malware binaries.