What is BadThings?

BadThings.info is a dedicated resource for studying Linux-based IoT malware. Our work analyzed 166K Linux-based IoT malware samples and documented their lifecycle. To support future studies of IoT malware, we are releasing our tools, analysis artifacts, and malware binaries to the research community. We plan to release newer malware binary samples as we collect them. Also, we are planning to combine our companion project, YourThings, on smart-home IoT security assessment to further study how IoT malware threats evolve and adapt to new emerging IoT technologies. If you have any questions or comments, you can contact us at: contact@badthings.info.

USENIX Security Paper

Our current defenses against IoT malware may not be adequate to remediate an IoT malware attack similar to the Mirai botnet. This work seeks to investigate this matter by systematically and empirically studying the lifecycle of IoT malware and comparing it with traditional malware that target desktop and mobile platforms. We present a large-scale measurement of more than 166K Linux-based IoT malware samples collected over a year. We compare our results with prior works by systematizing desktop and mobile malware studies into a novel framework and answering key questions about defense readiness. Based on our findings, we deduce that the required technology to defend against IoT malware is available, but we conclude that there are insufficient efforts in place to deal with a large-scale IoT malware infection breakout.

IoT Malware Corpora

In an effort to support our ongoing research in the IoT malware space, we are releasing the largest IoT malware corpora to date to the research community. The dataset includes over 166K malware samples collected in 2019. We will continue to release more recent samples as they become available.

Analysis Artifacts

We used static, dynamic, and network analysis techniques to empirically document the lifecycle of IoT malware. Additionally, we rely on VirusTotal for AV detection, AV labels, and in-the-wild names for metadata analysis. We combine the AV labels with AVClass to consolidate the labels for each sample. We are releasing the analysis artifacts for the metadata, static, and dynamic analysis. Each of these files is generated by running various tools that we document in the paper.

IoT Malware Analysis Tools

During our study, we developed several in-house tools that helped us analyze the large IoT malware corpora. We used binary emulation, dynamic analysis, YARA signatures, and reverse engineering tools like Ghidra, hexdump, and other Linux utilities under binutils. Additional instructions on how to build and use these tools can be found on the GitHub repository.