Understanding and Detecting Remote Infection on Linux-based IoT Devices

The rocketed population, poor security, and 24/7 online properties make Linux-based Internet of Things (IoT) devices ideal targets for attackers. However, due to the budget constraints and an enormous number of vulnerabilities on such devices, protecting them against attacks is very challenging. Therefore, understanding and detecting IoT malware remote infection, which is before the compromised IoT devices are monetized by adversaries, is crucial to mitigate damages and financial loss caused by IoT malware. In this paper, we conduct an empirical study on a large-scale dataset covering 403,464 samples collected from VirusShare and a large group of IoT honeypots to gain a deep insight into the characteristics of IoT malware remote infection. We share detailed statistics of shell commands found in our dataset, highlight malicious behaviors performed through those commands, investigate current states of fingerprinting methods of those commands, and offer a taxonomy of shell commands by introducing the notion of infection capability. To demonstrate the usefulness of the knowledge gained from our study, we develop an approach to detect on-going remote infection activities based on infection capabilities. Our evaluation shows that our detection approach can achieve a 99.22% detection rate for remote infections in the wild and introduce small performance overhead.