The Circle Of Life: A Large-Scale Study of The IoT Malware Lifecycle


Omar Alrawi, Charles Lever, and Kevin Valakuzhy, Georgia Institute of Technology; Ryan Court and Kevin Snow, Zero Point Dynamics; Fabian Monrose, University of North Carolina at Chapel Hill; Manos Antonakakis, Georgia Institute of Technology


Our current defenses against IoT malware may not be adequate to remediate an IoT malware attack similar to the Mirai botnet. This work seeks to investigate this matter by systematically and empirically studying the lifecycle of IoT malware and comparing it with traditional malware that target desktop and mobile platforms. We present a large-scale measurement of more than 166K Linux-based IoT malware samples collected over a year. We compare our results with prior works by systematizing desktop and mobile malware studies into a novel framework and answering key questions about defense readiness. Based on our findings, we deduce that the required technology to defend against IoT malware is available, but we conclude that there are insufficient efforts in place to deal with a large-scale IoT malware infection breakout.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {272224,
author = {Omar Alrawi and Charles Lever and Kevin Valakuzhy and Ryan Court and Kevin Snow and Fabian Monrose and Manos Antonakakis},
title = {The Circle Of Life: A {Large-Scale} Study of The {IoT} Malware Lifecycle},
booktitle = {30th USENIX Security Symposium (USENIX Security 21)},
year = {2021},
isbn = {978-1-939133-24-3},
pages = {3505--3522},
url = {},
publisher = {USENIX Association},
month = aug

Presentation Video