A Strings-Based Similarity Analysis Approach for Characterizing IoT Malware and Inferring Their Underlying Relationships
Sadegh Torabi, Mirabelle Dib, Elias Bou‐Harb, Chadi Assi, Mourad Debbabi
Abstract
Mitigating threats associated with the rise of Internet-of-Things (IoT) malware requires creating a better understanding about the characteristics and inter-relations of IoT malware. In this letter, we perform a large-scale characterization of IoT malware. The analysis of 70,000 recently detected malware executables indicate that they belong to a few known families. Additionally, we highlight the lack of sophisticated IoT malware binary obfuscation. Thus, enabling reverse-engineering and static malware analysis, while performing a multi-level strings-based analysis to uncover groups of correlated IoT malware with common characteristics/features (e.g., adversarial IP addresses and malware-specific strings). Moreover, while our findings indicate malicious implementation reuse, we illustrate the rapid IoT malware evolution by identifying covid-related malware samples. Finally, this work provides a basis for developing AI-based malware detection/mitigation models, which benefit from the simplicity and reliability of the extracted strings-based characteristics/features for effective IoT malware classification and family attribution.