NURSE: eNd-UseR IoT malware detection tool for Smart homEs

d'Estalenx, Antoine; Gañán, Carlos

doi:10.1145/3494322.3494340

“…With the proliferation of IoT devices, now attackers are shifting to IoT persistent malware [6,9,59,63] since these devices have several advantages for attackers, like low computational capacity [36], thus they cannot count on protections such as antivirus which Windows systems do. The current state of the art has also learned about Mirai, a non-persistent IoT malware, that can be removed by rebooting the device and changing passwords [3,7,14,27,54], however, in this research we dealt with QSnatch, a malware, that needs convoluted steps from users to be remediated, and does not count on the same mechanisms for removal from Windows malware or Mirai.…”

Section: Related Workmentioning

confidence: 99%

Difficult for Thee, But Not for Me: Measuring the Difficulty and User Experience of Remediating Persistent IoT Malware

Rodrı́guez¹,

Max²,

Parkin³

et al. 2022

Preprint

Self Cite

0

View full text Add to dashboard Cite

Consumer IoT devices may suffer malware attacks, and be recruited into botnets or worse. There is evidence that generic advice to device owners to address IoT malware can be successful, but this does not account for emerging forms of persistent IoT malware. Less is known about persistent malware, which resides on persistent storage, requiring targeted manual effort to remove it. This paper presents a field study on the removal of persistent IoT malware by consumers. We partnered with an ISP to contrast remediation times of 760 customers across three malware categories: Windows malware, non-persistent IoT malware, and persistent IoT malware. We also contacted ISP customers identified as having persistent IoT malware on their network-attached storage devices, specifically QSnatch. We found that persistent IoT malware exhibits a mean infection duration many times higher than Windows or Mirai malware; QSnatch has a survival probability of 30% after 180 days, whereby most if not all other observed malware types have been removed. For interviewed device users, QSnatch infections lasted longer, so are apparently more difficult to get rid of, yet participants did not report experiencing difficulty in following notification instructions. We see two factors driving this paradoxical finding: First, most users reported having high technical competency. Also, we found evidence of planning behavior for these tasks and the need for multiple notifications. Our findings demonstrate the critical nature of interventions from outside for persistent malware, since automatic scan of an AV tool or a power cycle, like we are used to for Windows malware and Mirai infections, will not solve persistent IoT malware infections.

show abstract

“…With the proliferation of IoT devices, now attackers are shifting to IoT persistent malware [8]- [11] since these devices have several advantages for attackers, like low computational capacity [48], thus they cannot count on protections such as antivirus which Windows systems do. The current state of the art has also learned about Mirai, a non-persistent IoT malware, that can be removed by rebooting the device and changing passwords [1], [6], [7], [24], [49], however, in this research we dealt with QSnatch, a malware, that needs convoluted steps from users to be remediated, and does not count on the same mechanisms for removal from Windows malware or Mirai.…”

Section: Related Workmentioning

confidence: 99%

Difficult for Thee, But Not for Me: Measuring the Difficulty and User Experience of Remediating Persistent IoT Malware

Rodriguez

¹

,

Max

²

,

Parkin

³

et al. 2022

2022 IEEE 7th European Symposium on Security and Privacy (EuroS&P)

Self Cite

1

0

View full text Add to dashboard Cite

Consumer IoT devices may suffer malware attacks, and be recruited into botnets or worse. There is evidence that generic advice to device owners to address IoT malware can be successful, but this does not account for emerging forms of persistent IoT malware. Less is known about persistent malware, which resides on persistent storage, requiring targeted manual effort to remove it. This paper presents a field study on the removal of persistent IoT malware by consumers. We partnered with an ISP to contrast remediation times of 760 customers across three malware categories: Windows malware, non-persistent IoT malware, and persistent IoT malware. We also contacted ISP customers identified as having persistent IoT malware on their network-attached storage devices, specifically QSnatch. We found that persistent IoT malware exhibits a mean infection duration many times higher than Windows or Mirai malware; QSnatch has a survival probability of 30% after 180 days, whereby most if not all other observed malware types have been removed. For interviewed device users, QSnatch infections lasted longer, so are apparently more difficult to get rid of, yet participants did not report experiencing difficulty in following notification instructions. We see two factors driving this paradoxical finding: First, most users reported having high technical competency. Also, we found evidence of planning behavior for these tasks and the need for multiple notifications. Our findings demonstrate the critical nature of interventions from outside for persistent malware, since automatic scan of an AV tool or a power cycle, like we are used to for Windows malware and Mirai infections, will not solve persistent IoT malware infections.

show abstract