Abstract: Malware targeting interconnected infrastructures has surged in recent years. A major factor driving
this phenomenon is the proliferation of large networks of poorly secured IoT devices. This is exacerbated by the commoditization of the malware development industry, in which tools can be readily
obtained in specialized hacking forums or underground markets. However, despite the great interest
in targeting this infrastructure, there is little understanding of what the main features of this type of
malware are, or the motives of the criminals behind it, apart from the classic denial of service attacks.
This is vital to modern malware forensics, where analyses are required to measure the trustworthiness
of files collected at large during an investigation, but also to confront challenges posed by tech-savvy
criminals (e.g., Trojan Horse Defense).
In this paper, we present a comprehensive characterization of Linux-based malware. Our study is
tailored to IoT malware and it leverages automated techniques using both static and dynamic analysis
to classify malware into related threats. By looking at the most representative dataset of Linux-based
malware collected by the community to date, we are able to show that our system can accurately
characterize known threats. As a key novelty, we use our system to investigate a number of threats
unknown to the community. We do this in two steps. First, we identify known patterns within an
unlabeled dataset using a classifier trained with the labeled dataset. Second, we combine our features
with a custom distance function to discover new threats by clustering together similar samples. We
further study each of the unknown clusters by using state-of-the-art reverse engineering and forensic
techniques and our expertise as malware analysts. We provide an in-depth analysis of what the most
recent unknown trends are through a number of case studies. Among other findings, we observe that:
i) crypto-mining malware is permeating the IoT infrastructure, ii) the level of sophistication is increasing, and iii) there is a rapid proliferation of new variants with minimal investment in infrastructure.
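The two-step procedure the abstract describes (first assign unlabeled samples to known families with a classifier trained on the labeled set, then group what remains into new threats with a custom distance) can be sketched end to end. The block below is an added example, not code from the paper or its authors: the feature categories (extracted strings, imported symbols, observed syscalls), the per-category weights, the 1-NN classifier, the two thresholds and every sample shown are assumptions constructed for illustration, and the sets stand in for whatever a real static/dynamic pipeline would extract from an ELF binary and a sandbox run.

```python
"""Two-step triage of unlabeled Linux/IoT malware samples (illustrative, assumed design).

Step 1: a 1-nearest-neighbour classifier over labeled samples assigns a family when the
        nearest labeled sample is within KNOWN_THRESHOLD; otherwise the sample is 'unknown'.
Step 2: unknown samples are single-linkage clustered under the same custom distance so that
        groups of related, previously unseen variants surface as candidate new threats.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# A sample is summarised as a dict of feature sets: two static categories and one dynamic one.
Features = Dict[str, Set[str]]

# Assumed weights for the custom distance; they must sum to 1 so the distance stays in [0, 1].
WEIGHTS = {"strings": 0.4, "imports": 0.3, "syscalls": 0.3}
KNOWN_THRESHOLD = 0.35    # assumed: farther than this from every labeled sample => unknown
CLUSTER_THRESHOLD = 0.35  # assumed: unknown samples closer than this are linked together


def jaccard_distance(a: Set[str], b: Set[str]) -> float:
    """1 - |a & b| / |a | b|; two empty sets are treated as identical (distance 0)."""
    if not a and not b:
        return 0.0
    return 1.0 - len(a & b) / len(a | b)


def sample_distance(x: Features, y: Features) -> float:
    """Custom distance: weighted sum of per-category Jaccard distances."""
    return sum(w * jaccard_distance(x.get(k, set()), y.get(k, set())) for k, w in WEIGHTS.items())


def classify(sample: Features, labeled: List[Tuple[str, Features]], threshold: float) -> Optional[str]:
    """Step 1: return the family of the nearest labeled sample, or None if it is too far away."""
    best_label, best_d = None, float("inf")
    for label, feats in labeled:
        d = sample_distance(sample, feats)
        if d < best_d:
            best_d, best_label = d, label
    return best_label if best_d <= threshold else None


def cluster_unknowns(samples: Dict[str, Features], threshold: float) -> List[Set[str]]:
    """Step 2: single-linkage clustering via union-find over all pairs within threshold."""
    parent = {name: name for name in samples}

    def find(n: str) -> str:
        while parent[n] != n:
            parent[n] = parent[parent[n]]  # path halving
            n = parent[n]
        return n

    names = list(samples)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if sample_distance(samples[a], samples[b]) <= threshold:
                parent[find(a)] = find(b)
    groups: Dict[str, Set[str]] = defaultdict(set)
    for n in names:
        groups[find(n)].add(n)
    return sorted(groups.values(), key=lambda g: sorted(g))


def triage(unlabeled: Dict[str, Features], labeled: List[Tuple[str, Features]],
           known_threshold: float = KNOWN_THRESHOLD,
           cluster_threshold: float = CLUSTER_THRESHOLD) -> Tuple[Dict[str, str], List[Set[str]]]:
    """Run both steps; returns (sample -> known family, clusters of unknown samples)."""
    assigned: Dict[str, str] = {}
    unknown: Dict[str, Features] = {}
    for name, feats in unlabeled.items():
        label = classify(feats, labeled, known_threshold)
        if label is None:
            unknown[name] = feats
        else:
            assigned[name] = label
    return assigned, cluster_unknowns(unknown, cluster_threshold)


# Constructed sample data (assumed, not from any real dataset): two labeled families and five
# unlabeled samples, two of which belong to no known family but clearly resemble each other.
LABELED: List[Tuple[str, Features]] = [
    ("familyA", {"strings": {"/bin/busybox", "scanner", "telnet"},
                 "imports": {"socket", "connect", "fork"},
                 "syscalls": {"socket", "connect", "clone"}}),
    ("familyA", {"strings": {"/bin/busybox", "scanner", "tftp"},
                 "imports": {"socket", "connect", "fork"},
                 "syscalls": {"socket", "connect", "clone", "write"}}),
    ("familyB", {"strings": {"stratum+tcp://", "pool", "worker"},
                 "imports": {"pthread_create", "socket", "getaddrinfo"},
                 "syscalls": {"socket", "clone", "mmap"}}),
]
UNLABELED: Dict[str, Features] = {
    "u1": {"strings": {"/bin/busybox", "scanner", "telnet", "wget"},
           "imports": {"socket", "connect", "fork"}, "syscalls": {"socket", "connect", "clone"}},
    "u2": {"strings": {"stratum+tcp://", "pool", "worker"},
           "imports": {"pthread_create", "socket", "getaddrinfo"},
           "syscalls": {"socket", "clone", "mmap", "ioctl"}},
    "u3": {"strings": {"flood", "attack", "udp"}, "imports": {"sendto", "socket", "rand"},
           "syscalls": {"socket", "sendto"}},
    "u4": {"strings": {"flood", "attack", "tcp"}, "imports": {"sendto", "socket", "rand"},
           "syscalls": {"socket", "sendto", "connect"}},
    "u5": {"strings": {"/etc/passwd", "ssh", "authorized_keys"},
           "imports": {"fopen", "fwrite", "system"}, "syscalls": {"open", "write", "execve"}},
}


def triage_demo() -> Tuple[Dict[str, str], List[Set[str]]]:
    """Run the pipeline on the constructed data; u1/u2 map to known families, u3+u4 form a new cluster."""
    return triage(UNLABELED, LABELED)


if __name__ == "__main__":
    known, new_clusters = triage_demo()
    print("known:", known)
    print("candidate new threats:", new_clusters)
```

The two thresholds are the knobs an analyst tunes: too loose a `KNOWN_THRESHOLD` absorbs genuinely new variants into existing families, while too tight a `CLUSTER_THRESHOLD` fragments one new threat into many singletons that then each need manual reverse engineering. Singleton clusters such as `u5` here are exactly the cases the abstract hands to a human analyst.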