Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries

Arwa Abdulkarim Al Alsadi; Kaichi Sameshima; Katsunari Yoshioka; Michel van Eeten; Carlos H. Gañán

doi:10.1145/3607199.3607241

Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries

Arwa Abdulkarim Al Alsadi, Kaichi Sameshima, Katsunari Yoshioka, Michel van Eeten, Carlos H. Gañán

Organisation & Governance

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

45 Downloads (Pure)

Abstract

For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities.

Original language	English
Title of host publication	Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Publisher	Association for Computing Machinery (ACM)
Pages	513-526
Number of pages	14
ISBN (Electronic)	9798400707650
DOIs	https://doi.org/10.1145/3607199.3607241
Publication status	Published - 2023
Event	26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 - Hong Kong, China Duration: 16 Oct 2023 → 18 Oct 2023

Publication series

Name	ACM International Conference Proceeding Series

Conference

Conference	26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023
Country/Territory	China
City	Hong Kong
Period	16/10/23 → 18/10/23

Keywords

Dynamic Analysis
Exploits
Exposure
IoT malware
Vulnerabilities

UN SDGs

This output contributes to the following UN Sustainable Development Goals (SDGs)

Access to Document

10.1145/3607199.3607241

3607199.3607241Final published version, 677 KBLicence: CC BY

Cite this

Al Alsadi, A. A., Sameshima, K., Yoshioka, K., van Eeten, M., & Gañán, C. H. (2023). Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 (pp. 513-526). (ACM International Conference Proceeding Series). Association for Computing Machinery (ACM). https://doi.org/10.1145/3607199.3607241

Al Alsadi, Arwa Abdulkarim ; Sameshima, Kaichi ; Yoshioka, Katsunari et al. / Bin there, target that : Analyzing the target selection of IoT vulnerabilities in malware binaries. Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023. Association for Computing Machinery (ACM), 2023. pp. 513-526 (ACM International Conference Proceeding Series).

@inproceedings{60cc5ad3b8c24cbf8d374501ba9baefa,

title = "Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries",

abstract = "For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities.",

keywords = "Dynamic Analysis, Exploits, Exposure, IoT malware, Vulnerabilities",

author = "{Al Alsadi}, {Arwa Abdulkarim} and Kaichi Sameshima and Katsunari Yoshioka and {van Eeten}, Michel and Ga{\~n}{\'a}n, {Carlos H.}",

year = "2023",

doi = "10.1145/3607199.3607241",

language = "English",

series = "ACM International Conference Proceeding Series",

publisher = "Association for Computing Machinery (ACM)",

pages = "513--526",

booktitle = "Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023",

address = "United States",

note = "26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023 ; Conference date: 16-10-2023 Through 18-10-2023",

}

Al Alsadi, AA, Sameshima, K, Yoshioka, K, van Eeten, M & Gañán, CH 2023, Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries. in Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023. ACM International Conference Proceeding Series, Association for Computing Machinery (ACM), pp. 513-526, 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023, Hong Kong, China, 16/10/23. https://doi.org/10.1145/3607199.3607241

Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries. / Al Alsadi, Arwa Abdulkarim; Sameshima, Kaichi; Yoshioka, Katsunari et al.
Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023. Association for Computing Machinery (ACM), 2023. p. 513-526 (ACM International Conference Proceeding Series).

Research output: Chapter in Book/Conference proceedings/Edited volume › Conference contribution › Scientific › peer-review

TY - GEN

T1 - Bin there, target that

T2 - 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023

AU - Al Alsadi, Arwa Abdulkarim

AU - Sameshima, Kaichi

AU - Yoshioka, Katsunari

AU - van Eeten, Michel

AU - Gañán, Carlos H.

PY - 2023

Y1 - 2023

N2 - For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities.

AB - For years, attackers have exploited vulnerabilities in Internet of Things (IoT) devices. Previous research has examined target selection in cybercrime, but there has been little investigation into the factors that influence target selection in attacks on IoT. This study aims to better understand how attackers choose their targets by analyzing the frequency of specific exploits in 11,893 IoT malware binaries that were distributed between 2018-2021. Our findings indicate that 78% of these binary files did not specifically target IoT vulnerabilities but rather scanned the Internet for devices with weak authentication. To understand the usage of exploits in the remaining 2,629 binaries, we develop a theoretical model from relevant literature to examine the impact of four latent variables, i.e. exposure, vulnerability, exploitability, and patchability. We collect indicators to measure these variables and find that they can explain to a significant extent (?2=0.38) why some vulnerabilities are more frequently exploited than others. The severity of vulnerabilities does not significantly increase the frequency with which they are targeted, while the presence of Proof-of-Concept exploit code does increase it. We also observe that the availability of a patch reduces the frequency of being targeted, yet that more complex patches are associated with higher frequency. In terms of exposure, more widespread device models are more likely to be targeted by exploits. We end with recommendations to disincentivize attackers from targeting vulnerabilities.

KW - Dynamic Analysis

KW - Exploits

KW - Exposure

KW - IoT malware

KW - Vulnerabilities

UR - http://www.scopus.com/inward/record.url?scp=85175730246&partnerID=8YFLogxK

U2 - 10.1145/3607199.3607241

DO - 10.1145/3607199.3607241

M3 - Conference contribution

AN - SCOPUS:85175730246

T3 - ACM International Conference Proceeding Series

SP - 513

EP - 526

BT - Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023

PB - Association for Computing Machinery (ACM)

Y2 - 16 October 2023 through 18 October 2023

ER -

Al Alsadi AA, Sameshima K, Yoshioka K, van Eeten M , Gañán CH. Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries. In Proceedings of the 26th International Symposium on Research in Attacks, Intrusions and Defenses, RAID 2023. Association for Computing Machinery (ACM). 2023. p. 513-526. (ACM International Conference Proceeding Series). doi: 10.1145/3607199.3607241

Bin there, target that: Analyzing the target selection of IoT vulnerabilities in malware binaries

Abstract

Publication series

Conference

Keywords

UN SDGs

Access to Document

Other files and links

Fingerprint

Cite this