Skip to main content
SpringerLink
Log in

RARE: A Systematic Augmented Router Emulation for Malware Analysis

  • Conference paper
  • First Online:
Passive and Active Measurement (PAM 2018)

Part of the book series: Lecture Notes in Computer Science ((LNCCN,volume 10771))

Included in the following conference series:

Abstract

How can we analyze and profile the behavior of a router malware? This is the motivating question behind our work focusing on router. Router-specific malware has emerged as a new vector for hackers, but has received relatively little attention compared to malware on other devices. A key challenge in analyzing router malware is getting it to activate, which is hampered by the diversity of firmware of various vendors and a plethora of different platforms. We propose, RARE, a systematic approach to analyze router malware and profile its behavior focusing on home-office routers. The key novelty is the intelligent augmented operation of our emulation that manages to fool malware binaries to activate irrespective of their target platform. This is achieved by leveraging two key capabilities: (a) a static level analysis that informs the dynamic execution, and (b) an iterative feedback loop across a series of dynamic executions, whose output informs the subsequent executions. From a practical point of view, RARE has the ability to: (a) instantiate an emulated router with or without malware, (b) replay arbitrary network traffic, (c) monitor and interact with the malware in a semi-automated way. We evaluate our approach using 221 router-specific malware binaries. First, we show that our method works: we get 94% of the binaries to activate, including obfuscated ones, which is a nine-fold increase compared to the 10% success ratio of the baseline method. Second, we show that our method can extract useful information towards understanding and profiling the botnet behavior: (a) we identify 203 unique IP addresses of C&C servers, and (b) we observe an initial spike and an overall 50% increase in the number of system calls on infected routers.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 39.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 54.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

References

  1. Openwrt embedded devices linux. https://openwrt.org/. Accessed 22 Sep 2017

  2. Antonakakis, M., et al.: Understanding the Mirai botnet. In: 26th USENIX Security Symposium (USENIX Security 2017) (2017)

    Google Scholar 

  3. Appneta: Tcpreplay (2016). http://tcpreplay.appneta.com/

  4. Bayer, U., et al.: Dynamic analysis of malicious code. J. Comput. Virol. 2(1), 67–77 (2006)

    Article  Google Scholar 

  5. Bellard, F.: QEMU, a fast and portable dynamic translator. In: USENIX, FREENIX Track (2005)

    Google Scholar 

  6. Chen, D.D., Woo, M., Brumley, D., Egele, M.: Towards automated dynamic analysis for linux-based embedded firmware. In: NDSS (2016)

    Google Scholar 

  7. Cho, K., Mitsuya, K., Kato, A.: Traffic data repository maintained by the MAWI working group of the wide project (2005). http://mawi.wide.ad.jp/mawi

  8. Cho, K., et al.: Traffic data repository at the wide project. In: USENIX, ATEC (2000)

    Google Scholar 

  9. Christodorescu, M., Jha, S.: Static analysis of executables to detect malicious patterns. Technical report, Wisconsin Univ-Madison Department of Computer Sciences (2006)

    Google Scholar 

  10. Costin, A., et al.: Automated dynamic firmware analysis at scale: a case study on embedded web interfaces. In: Asia CCS (2016)

    Google Scholar 

  11. Costin, A., Zaddach, J., Francillon, A., Balzarotti, D., Antipolis, S.: A large-scale analysis of the security of embedded firmwares. In: USENIX Security (2014)

    Google Scholar 

  12. Dolan-Gavitt, B., et al.: Tappan zee (north) bridge: mining memory accesses for introspection. In: ACM SIGSAC CCS. ACM (2013)

    Google Scholar 

  13. Enck, W., et al.: Taintdroid: an information-flow tracking system for realtime privacy monitoring on smartphones. ACM TOCS 32, 5 (2014)

    Article  Google Scholar 

  14. Feng, Q., et al.: Scalable graph-based bug search for firmware images. In: ACM SIGSAC CCS (2016)

    Google Scholar 

  15. Gasparis, I., Qian, Z., Song, C., Krishnamurthy, S.V.: Detecting android root exploits by learning from root providers. In: USENIX Security (2017)

    Google Scholar 

  16. Hampton, N., et al.: A survey and method for analysing soho router firmware currency. In: Australian Information Security Management Conference (2015)

    Google Scholar 

  17. Henderson, A., et al.: Make it work, make it right, make it fast: building a platform-neutral whole-system dynamic binary analysis platform. In: ACM STA (2014)

    Google Scholar 

  18. Hex-Rays: IDA pro disassembler (2008)

    Google Scholar 

  19. Kinable, J., Kostakis, O.: Malware classification based on call graph clustering. J. Comput. Virol. 7, 233–245 (2011)

    Article  Google Scholar 

  20. Kolbitsch, C., et al.: Effective and efficient malware detection at the end host. In: USENIX Security Symposium (2009)

    Google Scholar 

  21. Kolbitsch, C., Holz, T., Kruegel, C., Kirda, E.: Inspector gadget: automated extraction of proprietary gadgets from malware binaries. In: IEEE S&P (2010)

    Google Scholar 

  22. Lanzi, A., et al.: Accessminer: using system-centric models for malware protection. In: ACM CCS (2010)

    Google Scholar 

  23. Moser, A., et al.: Limits of static analysis for malware detection. In: IEEE ACSAC (2007)

    Google Scholar 

  24. Papp, D., et al.: Embedded systems security: threats, vulnerabilities, and attack taxonomy. In: IEEE PST (2015)

    Google Scholar 

  25. Paquet-Clouston, M., et al.: Can we trust social media data?: Social network manipulation by an IoT botnet. In: ACM Conference on Social Media & Society (2017)

    Google Scholar 

  26. Song, D., Brumley, D., Yin, H., Caballero, J., Jager, I., Kang, M.G., Liang, Z., Newsome, J., Poosankam, P., Saxena, P.: BitBlaze: a new approach to computer security via binary analysis. In: Sekar, R., Pujari, A.K. (eds.) ICISS 2008. LNCS, vol. 5352, pp. 1–25. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-89862-7_1

    Chapter  Google Scholar 

  27. Tam, K., et al.: Copperdroid: automatic reconstruction of android malware behaviors. In: NDSS (2015)

    Google Scholar 

  28. Zaddach, J., Bruno, L., Francillon, A., Balzarotti, D.: Avatar: a framework to support dynamic security analysis of embedded systems’ firmwares. In: NDSS (2014)

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. University of California, Riverside, CA, USA

    Ahmad Darki, Chun-Yu Chuang, Michalis Faloutsos, Zhiyun Qian & Heng Yin

Authors
  1. Ahmad Darki
    View author publications

    You can also search for this author in PubMed Google Scholar

  2. Chun-Yu Chuang
    View author publications

    You can also search for this author in PubMed Google Scholar

  3. Michalis Faloutsos
    View author publications

    You can also search for this author in PubMed Google Scholar

  4. Zhiyun Qian
    View author publications

    You can also search for this author in PubMed Google Scholar

  5. Heng Yin
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Ahmad Darki , Chun-Yu Chuang , Michalis Faloutsos , Zhiyun Qian or Heng Yin .

Editor information

Editors and Affiliations

  1. Naval Postgraduate School, Monterey, California, USA

    Robert Beverly

  2. Technical University of Berlin, Berlin, Germany

    Georgios Smaragdakis

  3. Max Planck Institute for Informatics, Saarbrücken, Germany

    Anja Feldmann

Rights and permissions

Reprints and permissions

Copyright information

© 2018 Springer International Publishing AG, part of Springer Nature

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Darki, A., Chuang, CY., Faloutsos, M., Qian, Z., Yin, H. (2018). RARE: A Systematic Augmented Router Emulation for Malware Analysis. In: Beverly, R., Smaragdakis, G., Feldmann, A. (eds) Passive and Active Measurement. PAM 2018. Lecture Notes in Computer Science(), vol 10771. Springer, Cham. https://doi.org/10.1007/978-3-319-76481-8_5

Download citation

  • DOI: https://doi.org/10.1007/978-3-319-76481-8_5

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-76480-1

  • Online ISBN: 978-3-319-76481-8

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Search

Navigation