Nghi Tran, Ngoc-Binh Nguyen, Quoc-Dung Ngo, Van-Hoang Le
Towards malware detection in routers with C500-toolkit
Published in: 2017 5th International Conference on Information and Communication Technology (ICoIC7), May 2017
DOI: 10.1109/ICOICT.2017.8074691 (https://doi.org/10.1109/ICOICT.2017.8074691)
Citations: 9
Abstract
In this paper, we present C500-toolkit, a new tool for malware detection in commercial-off-the-shelf routers based on a dynamic analysis approach. The proposed method emulates both the web interface and the operating system of a firmware image, allowing the user to gather adequate information for the identification of vulnerabilities and malware. C500-toolkit is the first prototype that targets firmware image analysis of real router devices. The toolkit can extract the firmware image from the router's flash chip in order to standardize it before monitoring its behavior at run time. C500-toolkit was evaluated with a real router device, the Netgear WNAP320, and the well-known malware Linux/Mirai. Using strace to log system calls during run time, we discovered abnormal behaviors that allowed us to conclude that the router was not behaving normally.
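The abstract's detection step, logging system calls with strace while the emulated firmware runs and then looking for abnormal behavior, can be illustrated with a small log analyzer. The following is an added example and is not C500-toolkit code or output from the paper's WNAP320 experiment. It assumes strace was run as `strace -f -tt -o trace.log` (one line per call: pid, timestamp, call(args) = result), the sample trace is constructed, the heuristics (execution from a writable directory, disabling the hardware watchdog via ioctl, SIGKILL of other processes, connects to many distinct telnet targets) are illustrative choices typical of IoT bots rather than the paper's criteria, and the ioctl request value is assumed to be the Linux WDIOC_SETOPTIONS number.

```python
"""Heuristic analysis of an strace log from an emulated router firmware.

Added example, not C500-toolkit code. Expects `strace -f -tt -o` style
lines: "<pid> <hh:mm:ss.usec> <call>(<args>) = <ret> ...".
"""
import re
from collections import defaultdict

# Constructed sample trace (not a capture from the paper). Addresses are from
# RFC 5737 documentation ranges; PIDs and timestamps are invented.
SAMPLE_TRACE = """\
1337 12:00:01.000 execve("/tmp/.x/bot.mips", ["/tmp/.x/bot.mips"], [/* 4 vars */]) = 0
1337 12:00:01.010 open("/dev/watchdog", O_RDWR) = 3
1337 12:00:01.011 ioctl(3, 0x80045704, 0x7fff0010) = 0
1337 12:00:01.012 close(3) = 0
1337 12:00:01.020 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 4
1337 12:00:01.021 connect(4, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("203.0.113.5")}, 16) = -1 EINPROGRESS (Operation now in progress)
1337 12:00:01.022 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 5
1337 12:00:01.023 connect(5, {sa_family=AF_INET, sin_port=htons(23), sin_addr=inet_addr("198.51.100.17")}, 16) = -1 EINPROGRESS (Operation now in progress)
1337 12:00:01.024 socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 6
1337 12:00:01.025 connect(6, {sa_family=AF_INET, sin_port=htons(2323), sin_addr=inet_addr("192.0.2.9")}, 16) = -1 EINPROGRESS (Operation now in progress)
1337 12:00:01.030 kill(421, SIGKILL) = 0
 900 12:00:02.000 open("/etc/config/wireless", O_RDONLY) = 7
 900 12:00:02.001 read(7, "config wifi-device", 18) = 18
"""

LINE_RE = re.compile(
    r'^\s*(?P<pid>\d+)\s+(?P<ts>[\d:.]+)\s+(?P<call>\w+)\((?P<args>.*)\)\s*=\s*(?P<ret>-?\d+|\?)')
CONNECT_RE = re.compile(r'sin_port=htons\((\d+)\).*?sin_addr=inet_addr\("([\d.]+)"\)')

WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/")
WDIOC_SETOPTIONS = 0x80045704   # assumed: Linux watchdog "set options" ioctl number
TELNET_PORTS = (23, 2323)
SCAN_THRESHOLD = 3              # distinct telnet targets from one pid before flagging


def parse(trace_text):
    """Yield one dict per parseable strace line; unparseable lines are skipped."""
    for line in trace_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def analyze(trace_text, scan_threshold=SCAN_THRESHOLD):
    """Return a list of (kind, pid, detail) findings for the heuristics above."""
    findings = []
    open_fds = {}                       # (pid, fd) -> path, to resolve ioctl targets
    telnet_targets = defaultdict(set)   # pid -> {(ip, port)}
    for ev in parse(trace_text):
        pid, call, args, ret = ev["pid"], ev["call"], ev["args"], ev["ret"]
        if call == "execve":
            path = args.split('"')[1]
            if path.startswith(WRITABLE_DIRS):
                findings.append(("exec_from_writable_dir", pid, path))
        elif call in ("open", "openat") and ret.isdigit():
            open_fds[(pid, int(ret))] = args.split('"')[1]
        elif call == "close":
            open_fds.pop((pid, int(args.split(",")[0].strip())), None)
        elif call == "ioctl":
            fd, req = [a.strip() for a in args.split(",")[:2]]
            path = open_fds.get((pid, int(fd)), "")
            if path.endswith("watchdog") and req.startswith("0x") and int(req, 16) == WDIOC_SETOPTIONS:
                findings.append(("watchdog_disable", pid, path))
        elif call == "connect":
            cm = CONNECT_RE.search(args)
            if cm and int(cm.group(1)) in TELNET_PORTS:
                telnet_targets[pid].add((cm.group(2), int(cm.group(1))))
        elif call == "kill" and "SIGKILL" in args:
            findings.append(("kill_sigkill", pid, args.split(",")[0].strip()))
    for pid, targets in telnet_targets.items():
        if len(targets) >= scan_threshold:
            findings.append(("telnet_scan", pid, "%d distinct targets" % len(targets)))
    return findings


def is_abnormal(trace_text):
    """Verdict used by the caller: any finding means the run is not normal."""
    return bool(analyze(trace_text))


if __name__ == "__main__":
    for kind, pid, detail in analyze(SAMPLE_TRACE):
        print("pid %s: %s (%s)" % (pid, kind, detail))
    print("abnormal" if is_abnormal(SAMPLE_TRACE) else "normal")
```

The analyzer keys the watchdog check on the resolved file path rather than on the fd number alone, since fds are reused; the benign pid 900 activity (reading a config file) produces no finding, which is the baseline a clean firmware run should look like.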