Abstract
How can we analyze and profile the behavior of a router malware? This is the motivating question behind our work focusing on router. Router-specific malware has emerged as a new vector for hackers, but has received relatively little attention compared to malware on other devices. A key challenge in analyzing router malware is getting it to activate, which is hampered by the diversity of firmware of various vendors and a plethora of different platforms. We propose, RARE, a systematic approach to analyze router malware and profile its behavior focusing on home-office routers. The key novelty is the intelligent augmented operation of our emulation that manages to fool malware binaries to activate irrespective of their target platform. This is achieved by leveraging two key capabilities: (a) a static level analysis that informs the dynamic execution, and (b) an iterative feedback loop across a series of dynamic executions, whose output informs the subsequent executions. From a practical point of view, RARE has the ability to: (a) instantiate an emulated router with or without malware, (b) replay arbitrary network traffic, (c) monitor and interact with the malware in a semi-automated way. We evaluate our approach using 221 router-specific malware binaries. First, we show that our method works: we get 94% of the binaries to activate, including obfuscated ones, which is a nine-fold increase compared to the 10% success ratio of the baseline method. Second, we show that our method can extract useful information towards understanding and profiling the botnet behavior: (a) we identify 203 unique IP addresses of C&C servers, and (b) we observe an initial spike and an overall 50% increase in the number of system calls on infected routers.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
References
Openwrt embedded devices linux. https://openwrt.org/. Accessed 22 Sep 2017
Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 2017) (2017)
Appneta: Tcpreplay (2016). http://tcpreplay.appneta.com/
Bayer, U., et al.: Dynamic analysis of malicious code. J. Comput. Virol. 2(1), 67–77 (2006)
Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX, FREENIX Track (2005)
Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for linux-based embedded firmware. In: NDSS (2016)
Cho, K., Mitsuya, K., Kato, A.: Traffic data repository maintained by the MAWI working group of the wide project (2005). http://mawi.wide.ad.jp/mawi
Cho, K., et al.: Traffic data repository at the wide project. In: USENIX, ATEC (2000)
Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, Wisconsin Univ-Madison Department of Computer Sciences (2006)
Costin, A., et al.: Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In: Asia CCS (2016)
Costin, A., Zaddach, J., Francillon, A., Balzarotti, D., Antipolis, S.: A large-scale analysis of the security of embedded firmwares. In: USENIX Security (2014)
Dolan-Gavitt, B., et al.: Tappan zee (north) bridge: mining memory accesses for introspection. In: ACM SIGSAC CCS. ACM (2013)
Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM TOCS 32, 5 (2014)
Feng, Q., et al.: Scalable graph-based bug search for firmware images. In: ACM SIGSAC CCS (2016)
Gasparis, I., Qian, Z., Song, C., Krishnamurthy, S.V.: Detecting android root exploits by learning from root providers. In: USENIX Security (2017)
Hampton, N., et al.: A survey and method for analysing soho router firmware currency. In: Australian Information Security Management Conference (2015)
Henderson, A., et al.: Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In: ACM STA (2014)
Hex-Rays: IDA pro disassembler (2008)
Kinable, J., Kostakis, O.: Malware classification based on call graph clustering. J. Comput. Virol. 7, 233–245 (2011)
Kolbitsch, C., et al.: Effective and efficient malware detection at the end host. In: USENIX Security Symposium (2009)
Kolbitsch, C., Holz, T., Kruegel, C., Kirda, E.: Inspector gadget: automated extraction of proprietary gadgets from malware binaries. In: IEEE S&P (2010)
Lanzi, A., et al.: Accessminer: using system-centric models for malware protection. In: ACM CCS (2010)
Moser, A., et al.: Limits of static analysis for malware detection. In: IEEE ACSAC (2007)
Papp, D., et al.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: IEEE PST (2015)
Paquet-Clouston, M., et al.: Can we trust social media data?: Social network manipulation by an IoT botnet. In: ACM Conference on Social Media & Society (2017)
Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89862-7_1
Tam, K., et al.: Copperdroid: automatic reconstruction of android malware behaviors. In: NDSS (2015)
Zaddach, J., Bruno, L., Francillon, A., Balzarotti, D.: Avatar: a framework to support dynamic security analysis of embedded systems’ firmwares. In: NDSS (2014)
Author information
Authors and Affiliations
Corresponding authors
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2018 Springer International Publishing AG, part of Springer Nature
About this paper
Cite this paper
Darki, A., Chuang, CY., Faloutsos, M., Qian, Z., Yin, H. (2018). RARE: A Systematic Augmented Router Emulation for Malware Analysis. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science(), vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_5
Download citation
DOI: https://doi.org/10.1007/978-3-319-76481-8_5
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-76480-1
Online ISBN: 978-3-319-76481-8
eBook Packages: Computer ScienceComputer Science (R0)