
2022 Seventh International Conference on Parallel, Distributed and Grid Computing (PDGC)
978-1-6654-5401-8/22/$31.00 ©2022 IEEE | DOI: 10.1109/PDGC56933.2022.10053115

An Analysis of Internet of Things (IoT) Malwares and Detection Based on Static and Dynamic Techniques

Shivani Gaba, Assistant Professor, Computer Science and Engineering, Panipat Institute of Engineering and Technology, Panipat, Haryana, India. https://orcid.org/0000-0002-7919-0702
Shally Nagpal, Assistant Professor, Computer Science and Engineering, Panipat Institute of Engineering and Technology, Panipat, Haryana, India. https://orcid.org/0000-0002-1632-577X
Alankrita Aggarwal, Associate Professor, Computer Science and Engineering, Panipat Institute of Engineering and Technology, Panipat, Haryana, India. https://orcid.org/0000-0002-0931-1118
Rajender Kumar, Associate Professor, Computer Science and Engineering, Panipat Institute of Engineering and Technology, Panipat, Haryana, India. [email protected]. https://orcid.org/0000-0001-7334-729X
Suneet Kumar, Associate Professor, Computer Science and Engineering, Maharishi Markandeshwar (Deemed To Be) University, Mullana, Ambala, India. https://orcid.org/0000-0003-3876-0075

Abstract— Because of the absence of a security design, together with the particular attributes of IoT devices, for example the heterogeneity of processor architectures, IoT malware detection has to deal with novel challenges, particularly in recognizing cross-architecture IoT malware. The IoT malware detection area has therefore become a focal point of research in the security community. Many studies exploit well-known dynamic or static analysis for identifying IoT malware; nonetheless, static-based techniques are more viable when addressing the multi-architecture issue. This paper gives a careful survey of static IoT malware detection. We first present the definition, evolution, and security threats of IoT malware. Then we summarize, compare, and investigate existing IoT malware detection techniques proposed recently. At last, we assess the strategies of the existing studies.

Keywords— Internet of Things (IoT), Malwares

I. INTRODUCTION

Malware attacks were among the most significant threats to software-based companies and technological areas in the last decade. So, researchers came into the picture for malware detection, and they focused on the ways to mitigate the malware. Malware is a computer program designed intentionally to harm or steal the information of other computers, networks, servers, or clients. Malware can be considered the different programs used to spread in networks and remain unpredictable and undefined, resulting in damage to the system's information and networks. Malware is known by other names like Viruses, Spywares, Bloatware, Botnets, Rootkits, and Scarewares. Nowadays, when most transactions, including sensitive information, run over computers and the internet, the importance of knowing information security comes into the picture, and it is the primary aspect when we are accessing information from the internet. Viruses and malware have been running since the early days of personal computers, and they are increasing a lot nowadays. So, the idea of detection analysis of malware becomes very important.

Malware generators started writing malware in the early stages of the 1980s. In the 1990s, most malware was created to prank users, to annoy them, and to analyze how far the malware could spread. But in the year 2000, the internet became part of daily matters for communication, business, and many more things. Similarly, malware creators started hacking and breaking into professional information, leading to crime.

A. Malware Analysis Techniques

Malware analysis is one of the most effective ways to develop a malware detection technique. It is the procedure for analyzing the purpose and functionality of the malware. The practical goal of malware analysis is to interpret or understand how malware works and to protect the organization's network. There are three sorts of malware analysis that accomplish the same objective of clarifying how malware works and its consequences for the system; however, the tools, time, and skills needed to carry out the analysis are altogether different.

• Static Analysis
The analysis of the infected file without running the code is known as static analysis. Static analysis is also known as code analysis. It is the procedure of analyzing the program by examining it. Reverse engineering is performed utilizing a disassembler, decompiler, debugger, etc., to analyze the malware structure [1]. It may well be rendered ineffective against obscure or new malware types or in more sophisticated attack situations. Static analysis includes fingerprinting, reverse engineering, packer detection, and memory artifacts.

• Dynamic Analysis
Malware executed within a virtual environment is known as dynamic analysis, and it is also considered behavior-based analysis [2]. This analysis takes a behavior-based approach for malware detection and analysis [3] [4].

The malware analysis process is shown in Figure 1.

- Evolution Analysis: The IoT malware samples are described in two analyses: static analysis and detection analysis. The evolution analysis is carried out based on the results extracted from the dynamic and static analysis. By comparing the different results extracted from various malware, we can analyze the evolution of other malware.
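The static analysis step described above starts by establishing which CPU a sample was built for, which is the multi-architecture problem the abstract raises. The following Python is an added example, not code from the paper: it reads only the ELF identification bytes and the e_type/e_machine fields to label a sample MIPS, MIPSEL, ARM, PowerPC or SuperH before any disassembly; the sample headers are constructed and the function names are this example's own.

```python
"""Static CPU-architecture triage of ELF samples: an added example, not the paper's code.
Table 2 families ship builds for MIPS, MIPSEL, ARM, PowerPC and SuperH, so a static
pipeline must first learn which CPU a sample targets; the ELF header says so without
executing the file. Sample headers below are constructed; function names are ours."""
import struct
from dataclasses import dataclass

ELF_MAGIC = b"\x7fELF"
# e_machine values from the ELF specification (subset relevant to IoT firmware).
MACHINE_NAMES = {
    0x02: "SPARC", 0x03: "x86", 0x08: "MIPS", 0x14: "PowerPC",
    0x28: "ARM", 0x2A: "SuperH", 0x3E: "x86-64", 0xB7: "AArch64",
}
TYPE_NAMES = {1: "REL", 2: "EXEC", 3: "DYN", 4: "CORE"}

@dataclass(frozen=True)
class ElfInfo:
    bits: int      # 32 or 64
    endian: str    # "little" or "big"
    machine: str   # e_machine name, e.g. "MIPS"
    label: str     # Table 2 style label: "MIPSEL" for little-endian MIPS
    etype: str     # EXEC, DYN, REL, CORE

def parse_elf_header(data: bytes) -> ElfInfo:
    """Parse only e_ident, e_type and e_machine; raise ValueError on non-ELF input."""
    if len(data) < 0x14 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    bits = 32 if ei_class == 1 else 64
    endian = "little" if ei_data == 1 else "big"
    fmt = "<HH" if endian == "little" else ">HH"   # fields use the file's byte order
    e_type, e_machine = struct.unpack_from(fmt, data, 0x10)
    machine = MACHINE_NAMES.get(e_machine, f"unknown(0x{e_machine:02x})")
    label = "MIPSEL" if (machine == "MIPS" and endian == "little") else machine
    return ElfInfo(bits, endian, machine, label, TYPE_NAMES.get(e_type, "UNKNOWN"))

def make_elf_header(bits: int, endian: str, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal 20-byte ELF header: constructed test input, not a real binary."""
    e_ident = ELF_MAGIC + bytes([1 if bits == 32 else 2, 1 if endian == "little" else 2, 1])
    e_ident += bytes(16 - len(e_ident))           # pad EI_OSABI/EI_ABIVERSION/EI_PAD
    fmt = "<HH" if endian == "little" else ">HH"
    return e_ident + struct.pack(fmt, e_type, e_machine)

def triage(samples: dict) -> dict:
    """Group sample names by target-CPU label; non-ELF inputs go under 'not-ELF'."""
    groups = {}
    for name, data in samples.items():
        try:
            key = parse_elf_header(data).label
        except ValueError:
            key = "not-ELF"
        groups.setdefault(key, []).append(name)
    return groups

if __name__ == "__main__":
    constructed = {  # constructed headers mimicking a multi-architecture drop
        "bot.mips": make_elf_header(32, "big", 0x08),
        "bot.mpsl": make_elf_header(32, "little", 0x08),
        "bot.arm7": make_elf_header(32, "little", 0x28),
        "bot.ppc": make_elf_header(32, "big", 0x14),
        "bot.sh4": make_elf_header(32, "little", 0x2A),
        "notes.txt": b"not a binary",
    }
    for label, names in sorted(triage(constructed).items()):
        print(f"{label:8s} {', '.join(names)}")
```

On a real sample the same function is applied to the first 20 bytes of the file; anything that fails the magic or class/data checks is routed to manual review rather than to an architecture-specific disassembler.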

Authorized licensed use limited to: Universiti Malaysia Perlis. Downloaded on December 19,2024 at 17:35:52 UTC from IEEE Xplore. Restrictions apply.

Figure 1: Malware Analysis Process


- Traffic and Behavior Detection: From the results extracted from the above behaviors, the network traffic data is matched by source IP address, destination IP address, and source and destination port number. Afterward, we extract further information based on these results [6].

B. Architecture Design of IoT Malware Analysis and Detection

The analysis of IoT malware can be done in two ways: static and dynamic analysis. The architecture design is described in two layers: the Behavior Analysis Layer and the Behavior Detection Layer. Furthermore, the Behavior Analysis Layer is divided into two modules [23][24], i.e., Static Analysis and Dynamic Analysis.

In static analysis, the reverse engineering process is involved for research, and in dynamic analysis, the malware is executed within the virtual environment. The Behavior Detection Layer matches the traffic with the signatures of behavior [6]. Figure 3 describes the architecture of IoT malware analysis and detection.

Malware continued to wreak havoc, perhaps even more so than usual. The silver lining is that we must learn from these attacks and analyze them to better bolster defenses against them. Respondents certainly felt the surge in cyberattacks, with 82% responding that malware/ransomware attacks are becoming more frequent and 88% seeing malware and ransomware as at least a moderate threat to their business. There is also concern that malware attacks will continue to grow, with 75% of respondents seeing malware and ransomware becoming a more significant threat to businesses over the next year.

Figure 2: Internet of Things (IoT) Malware Analysis and Detection Architecture

C. Internet of Things

IoT is the internet of things and is always connected to the internet. It is the collection of physical objects and devices. Internet of Things (IoT) technology provides the fundamental architecture for the inter-connected civilization where everything is connected via the internet, and the exchange of information is done via the internet only. As there are so many objects connected through the internet of things, they are becoming smarter day by day when it comes to the environment. Most of the time, IoT is targeted by malware, and the reason is that it is always on and always connected to the internet, which leads to the increase in IoT malware; there is also a lack of knowledge of IoT malware as compared to computer malware, and the source code is also available on the internet. As the connections between people, objects, and the internet are increasing by the day, this leads to the increment in new business models [25].

Nowadays, IoT devices are becoming an attractive target for criminals in the cyber field, which leads to weak authentication, outdated firmware, and malware. With time, it is observed that cyber-attacks on IoT devices are rapidly increasing. Malware has infected millions of IoT devices and online services. So, the security of IoT devices becomes more critical when it comes to malicious attacks and software. It is even becoming essential for researchers to find out how to secure IoT devices [5]. The timeline of IoT malware is shown in figure 2.

Table 1: WHY MALWARE TARGETS IoT

| Properties | In Internet of Things (IoT) | In PC |
| --- | --- | --- |
| Platform Heterogeneity | High | Low |
| Malware Family Plurality | Low | High |
| Detection on the system | Hard | Easy |
| In-vivo Detection | Very Hard | Easy |
| Sandbox Detection | Hard | Easy |
| Removal | Hard to impossible | Medium |
| Vulnerability Assessment | Very hard | Medium |
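The Behavior Detection Layer of Section B matches traffic by source and destination address and port against behavior signatures. The following Python is an added example, not the paper's code or that of [6]: it encodes two signatures drawn from the behaviors listed in Table 2, a UDP flood toward one host and telnet-port scanning of many routers, and runs them over constructed flow records; the record fields, thresholds and function names are this example's own assumptions.

```python
"""Behavior Detection Layer over flow records (added example, not the paper's code).
Section B says the layer matches traffic by source/destination address and port
against behavior signatures. Two signatures from Table 2 are encoded: a UDP flood
toward one host and telnet-port scanning of many routers. Thresholds, field names
and the flow records below are this example's assumptions."""
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    ts: int        # seconds since capture start
    proto: str     # "TCP", "UDP" or "ICMP"
    src: str
    sport: int
    dst: str
    dport: int
    pkts: int      # packets in this flow record

@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    window: int          # seconds examined from the first matching flow
    min_pkts: int        # packets from one src to a single dst needed (flood)
    min_dst_hosts: int   # distinct dst hosts needed (scan)
    dports: frozenset    # destination ports of interest; empty means any

SIGNATURES = [
    Signature("udp-flood", "UDP", 10, 500, 1, frozenset()),
    Signature("telnet-scan", "TCP", 60, 1, 20, frozenset({23, 2323})),
]

def detect(flows, signatures=SIGNATURES):
    """Return sorted (signature name, src) pairs whose behaviour matched in a window."""
    alerts = set()
    flows = sorted(flows, key=lambda f: f.ts)
    for sig in signatures:
        for i, first in enumerate(flows):
            if first.proto != sig.proto or (sig.dports and first.dport not in sig.dports):
                continue
            pkts_by_dst = defaultdict(int)   # dst host -> packets seen from first.src
            for f in flows[i:]:
                if f.ts - first.ts > sig.window:
                    break
                if f.src != first.src or f.proto != sig.proto:
                    continue
                if sig.dports and f.dport not in sig.dports:
                    continue
                pkts_by_dst[f.dst] += f.pkts
            if len(pkts_by_dst) >= sig.min_dst_hosts and max(pkts_by_dst.values()) >= sig.min_pkts:
                alerts.add((sig.name, first.src))
    return sorted(alerts)

def constructed_flows():
    """Constructed records: one flooding host, one scanning host, one benign host."""
    flows = []
    for i in range(60):   # 600 UDP packets to one host within 6 s: flood
        flows.append(Flow(100 + i // 10, "UDP", "192.0.2.10", 40000 + i, "198.51.100.5", 80, 10))
    for i in range(25):   # 25 distinct hosts probed on port 23 within 25 s: scan
        flows.append(Flow(200 + i, "TCP", "192.0.2.20", 50000 + i, f"203.0.113.{i + 1}", 23, 3))
    for i in range(5):    # a few DNS lookups: benign
        flows.append(Flow(300 + i, "UDP", "192.0.2.30", 51000 + i, "198.51.100.53", 53, 2))
    return flows

if __name__ == "__main__":
    for name, src in detect(constructed_flows()):
        print(f"ALERT {name}: {src}")
```

The window scan is quadratic in the number of flows, which is fine for a sandbox capture; a production layer would keep per-source sliding counters instead.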


Figure 3: Timeline of IoT Malware [7]

70% of respondents reported that ransomware attacks began with phishing emails, and 82% considered spear-phishing emails a dangerous attack vector [19][20].

D. Contributions

In this section, the contributions of the proposed work are discussed.
• A novel framework is discussed which secures IoT devices from malware.
• The various IoT malware timelines are analyzed and finally validated by a machine learning approach.

E. Organization

The paper is ordered in the following segments: Section 2 defines the related work, i.e., the work that has already been done on malware in IoT devices. The comparative analysis of IoT malwares from 2008 till now is described in Section 3. Section 4 states the statistics of various malwares w.r.t. affected devices. Finally, the paper ends with the conclusion, which is specified in Section 5.

II. RELATED WORK

The literature survey of different areas covered in recent times is presented in this segment. To better understand the history of Internet of Things (IoT) malware and their related botnets, we need to direct ourselves towards the taxonomy that classifies the various features of malware. The taxonomy can be understood by discussing current existing taxonomies, which finally leads towards a new taxonomy that is suitable for our desired problem domain [21][22]. The taxonomies can be understood by comparing them with each other by different parameters. Not all examined taxonomies need to focus specifically on IoT botnets, but these taxonomies have given us a brief idea for understanding IoT botnets. The authors of [29] focused on the network structure of botnets as per the convenience to the attacker. The researchers defined various responses received from each network, and it depends on the following criteria, i.e., the attacker's efficiency, available bandwidth, how effective the communication is, and the robustness of the network [8][9][10]. The authors also analyzed various types of networks such as P2P networks, Erdős-Rényi networks, and Watts-Strogatz networks, and most of the time these networks have been observed in botnets. Although it varies as per the efficiency of the network, this taxonomy is also studied in our work.

III. COMPARATIVE ANALYSIS OF MALWARES

The next level captures any feature observed in only some malware and botnets. The "propagation and infection" category groups features used to infect victims, for example, spam mails, software vulnerability exploitation, compromised link sending, corrupted files shared in P2P networks, or the utilization


of another botnet. The last feature corresponds to the rental of a botnet to propagate other malware [26] [31][32]. These features can be found in IoT botnets [27]. Such
The former is more efficient in its communications; however, it presents a single weak link that the latter one does not exhibit. They also describe the topology and the communication protocols used.

Table 2: DIFFERENT MALWARE FAMILY SINCE 2008 TO 2020

| Name / Alias | Year | CPU | Purpose | Source Code | Reference |
| --- | --- | --- | --- | --- | --- |
| Hydra | 2008 | Microprocessor without Interlocked Pipelined Stages (MIPS) | Accessing routers using the brute force method is its main purpose, for performing DDoS attacks | Open Source | [14] |
| Psyb0t / Network BluePill | 2009 | Microprocessor without Interlocked Pipelined Stages (MIPS) | Psyb0t is much similar to Hydra (2008) but it is able to perform UDP and ICMP flood attacks | Reverse Engineering | [13] |
| Chuck Norris | 2010 | Microprocessor without Interlocked Pipelined Stages (MIPS) | It targets the same MIPS architecture and comes out with UDP and ACK flood attacks | Reverse Engineering | [15] |
| Carna Botnet | 2012 | MIPS, ARM | It is a botnet of 420,000 gadgets made by an unknown programmer for estimating the extent of the Internet. | Open Source | [16] |
| Linux Darlloz / Zollard | 2013 | ARM, MIPS and PowerPC | It is named an IoT worm which spreads via exploitation of an old vulnerability to access a system and escalate privileges, and via a list of common credentials. | Open Source | [18] |
| Spike / Dafloo / MrBlack / Wrkatk / Sotdas / AES.DDoS | 2014 | Advanced RISC Machines (ARM), Microprocessor without Interlocked Pipelined Stages (MIPS) | This malware follows the agent-handler architecture and dates from 2014. It started to target Windows and Linux based PCs as well as IoT devices. | Reverse Engineering | [20] |
| Mirai | 2016 | MIPS, MIPSEL, ARM, PPC, SuperH | It is the leading DDoS IoT botnet in recent times. It is certainly the next step in IoT DDoS botnet malwares. | Open Source | [24] |
| Amnesia | 2017 | MIPS | It appends the .Amnesia suffix to lock the files and leaves a plaintext recovery note called HOW TO RECOVER ENCRYPTED FILES.txt. | Open Source | [11] |
| Hide 'N Seek | 2018 | P2P | The botnet uses numerous known vulnerabilities to infect new IoT devices and uses a home-brew peer-to-peer protocol for communication across the botnet. | | [29] |
| Silex | 2019 | ARM | This malware came in the year 2019 and operated for a day only. | Open Source | [28] |
| Rhombus | 2020 | MIPS, ARM | This came in mid-February 2020; this malware was designed for various architectures and it basically drops a second-stage payload. | Open source | [27] |

more robust. Features included in this taxon include update mechanisms, obfuscation systems, and so forth [29][30]. This taxonomy is distinct with respect to the requirements of botnets. The taxonomy depends on practical information and can be easily extended. This taxonomy likewise uses two hierarchical levels, 42 taxa, and includes the vast majority of the botnets observed between 1999 and 2009. The taxonomy centers on IoT botnets whose reason for existence is to launch massive-scale DDoS attacks [17]. This taxonomy uses four distinct levels.

In contrast to the past taxonomies, the high level does not rely upon the existing pattern of a botnet but instead describes groups of features. It additionally includes features that describe the architecture of the botnet, as well as others that portray the technique used to look for possible victims [12]. The taxonomy is solely centered on malware that performs DDoS attacks. As a result, a few practices seen every day in IoT botnets, like spying or revenue generation, are not depicted. In this taxonomy, two distinct bots are connected if they share part of their code [28][33]. The authors, in this way, performed preliminary work in showing the connections.

As so many malwares have occurred in recent times, the various malwares that occurred from 2008 to 2020 are explained in Table 1.

IV. STATISTICS OF VARIOUS MALWARES W.R.T. AFFECTED DEVICES

The statistics of the number of malwares that occurred in different years are tabulated in Table 3. Though lots of malware occurred from 2008 to 2020, as shown in Figure 3, we have analyzed a few malwares, and that is shown in Table 3.

TABLE 3: STATISTICS OF DIFFERENT MALWARES SINCE 2009

| Name / Alias | Predicted Timespan | Approximate Max affected devices |
| --- | --- | --- |
| A1 | 2009 | 100000 |
| A2 | 2010 | 330000 |
| A3 | 2012 | 42000 |
| A4 | 2013 | 31000 |
| A5 | 2014 | 1000000 |
| A6 | 2014 | 1000 |
| A7 | 2014 | 300000 |
| A8 | 2016 | 500000 |
| A9 | 2016 | 145607 |
| A10 | 2016 | 300000 |
| A11 | 2017 | 10000000 |
| A12 | 2017 | 120000 |
| A13 | 2017 | 10000 |
| A14 | 2018 | 100 |
| A15 | 2018 | 1000000 |
| A16 | 2019 | 4000 |

Note: A1 = Psyb0t / Network BluePill; A2 = Chuck Norris; A3 = Carna Botnet; A4 = Linux Darlloz / Zollard; A5 = Gafgyt / BASHLITE / Lizkebab / Torlus / Qbot / LizardStresser; A6 = TheMoon; A7 = Linux.Wifatch / Ifwatch / REINCARNA; A8 = VPNfilter; A9 = Mirai; A10 = Hajime; A11 = BrickerBot; A12 = Persira; A13 = LinuxProxyM; A14 = Slingshot; A15 = Reaper; A16 = Silex.

V. CONCLUSION

Identifying IoT malware is turning into an increasingly critical issue in guaranteeing the security of the Internet infrastructure and private information. This paper gave a thorough review of emerging IoT malware. We examined the fundamental procedures as well as the characteristics and various statistics of IoT malware over time, presented them in terms of graphical representation, and concluded that IoT malware is increasing day by day. We have also introduced a comparative analysis of the same. To compare the performance of these studies, we likewise assessed them on IoT malware with respect to features, detection analysis, and processing time. As a further extension of this work, we intend to design a lightweight detection strategy that will assist with managing detected malicious executable files in IoT devices.

REFERENCES

[1] Van Hung, P.: An approach to fast malware classification with machine learning technique (Doctoral Dissertation), Keio University, 5322 (2011).
[2] Elhadi, A. A., Maarof, M. A., Osman, A. H.: Malware detection based on hybrid signature behaviour application programming interface call graph. American Journal of Applied Sciences, 9(3), pp. 283-288 (2012).
[3] Mathur, K., Hiranwal, S.: A survey on techniques in detection and analyzing malware executables. International Journal of Advanced Research in Computer Science and Software Engineering, 3(4), 422-428 (2013).
[4] Ravula, R. R.: Classification of malware using reverse engineering and data mining techniques (Doctoral dissertation, University of Akron) (2011).
[5] Ngo, Q. D., Nguyen, H. T., Le, V. H., Nguyen, D. H.: A survey of IoT malware and detection methods based on static features. ICT Express, 6(4), 280-286 (2020).
[6] Liu, Z., Zhang, L., Ni, Q., Chen, J., Wang, R., Li, Y., He, Y.: An integrated architecture for IoT malware analysis and detection. In International Conference on Internet of Things as a Service, B. Li et al. (Eds.): IoTaaS 2018, LNICST 271, pp. 127-137. Springer, Cham (2018).
[7] https://www.stratosphereips.org/blog/2020/4/26/timeline-of-iot-malware-version-1.
[8] https://www.helpnetsecurity.com/2016/11/02/linuxirctelnet-iot-ddos-botnet/.
[9] https://www.cyber.nj.gov/threat-center/threat-profiles/trojan-variants/luabot.
[10] https://www.tripwire.com/state-of-security/security-data-protection/cyber-security/may-2017-the-month-in-ransomware/.
[11] https://www.securityweek.com/linux-malware-targets-raspberry-pi-cryptocurrency-mining.
[12] Psyb0t (2013). In Wikipedia. Source: http://en.wikipedia.org/wiki/Psyb0.
[13] Janus, M.: Heads of the hydra. Malware for network devices. Securelist, August (2011).
[14] McMillan, R.: Chuck Norris botnet karate-chops routers hard. PC World (2010).
[15] Anonymous: Internet Census 2012: Port scanning /0 using insecure embedded devices (2012). Source: http://internetcensus2012.bitbucket.org/paper.html
[16] Fazzi, F.: LightAidra Source Code on GitHub (2012). Source: https://github.com/eurialo/lightaidra
[17] Hayashi, K.: "Linux.Darlloz" (2013). Source: http://www.symantec.com/security_response/writeup.jsp?docid=2013-112710-1612-99&tabid=2.
[18] Spring, T., Carpenter, K., Mimoso, M.: Bashlite family of malware infects 1 million IoT devices. Threat Post (2016).
[19] Akamai: "Spike DDoS Toolkit" (2014). Source: http://www.prolexic.com/kcresources/prolexic-threat-advisories/prolexic-threatadvisory-spike-ddos-toolkit-botnet/spike-ddos-toolkit-cybersecurity-US-092414.pdf.
[20] Ullrich, J. B.: Linksys Worm ("TheMoon") Captured (2014).
[21] Ballano, M.: Is there an Internet-of-Things vigilante out there? Symantec Blog (2015).
[22] https://blog.talosintelligence.com/2018/05/VPNFilter.html
[23] Anna-senpai: Mirai Source Code on GitHub, September 2016. Source: https://github.com/jgamblin/Mirai-Source-Code
[24] Paganini, P.: The Linux Remaiten malware is building a Botnet of IoT devices (2016).
[25] Shobana, M., Rathi, S.: IoT malware: An analysis of IoT device hijacking. International Journal of Scientific Research in Computer Science, Computer Engineering, and Information Technology, 3(5), 2456-3307 (2018).
[26] https://blog.apnic.net/2020/05/22/rhombus-a-new-iot-malware/
[27] https://www.trendmicro.com/vinfo/fr/security/news/cybercrime-and-digital-threats/-silex-malware-bricks-iot-devices-with-weak-passwords
[28] https://blog.avast.com/hide-n-seek-botnet-continues
[29] De Donno, M., Dragoni, N., Giaretta, A., Spognardi, A.: DDoS-capable IoT malwares: Comparative analysis and Mirai investigation. Security and Communication Networks (2018).
[30] Gaba, S., Budhiraja, I., Kumar, V., Garg, S., Kaddoum, G., Hassan, M. M.: A federated calibration scheme for convolutional neural networks: Models, applications and challenges. Computer Communications (2022).
[31] Gaba, S., Budhiraja, I., Makkar, A., Garg, D.: Machine Learning for Detecting Security Attacks on Blockchain using Software Defined Networking. 2022 IEEE International Conference on Communications Workshops (ICC Workshops), pp. 260-264 (2022). doi: 10.1109/ICCWorkshops53468.2022.9814656.
[32] Aggarwal, A., Dhindsa, K. S., Suri, P. K.: Usage patterns and implementation of random forest methods for software risk and bugs predictions. Int. J. Innov. Technol. Explor. Eng. (IJITEE), 8, 927-932 (2019).
[33] Aggarwal, A., Dhindsa, K. S., Suri, P. K.: A pragmatic assessment of approaches and paradigms in software risk management frameworks. International Journal of Natural Computing Research (IJNCR), 9(1), 13-26 (2020).
