This is a learning list for IoT malware projects; it will continue to be updated.
USENIX20
HALucinator is a high-level emulation system capable of interactive emulation and fuzzing of firmware through the use of a library of abstract handlers and peripheral models.
paper: https://www.usenix.org/system/files/sec20summer_clements_prepub.pdf
github: https://github.com/embedded-sec/halucinator
speak: https://www.youtube.com/watch?v=7mFqTjfLuEM
SP20
PMP is a lightweight and practical forced-execution technique, an improvement on X-Force.
paper: https://yonghwi-kwon.github.io/data/pmp_sp20.pdf
github: https://github.com/pmp-tool/PMP
docker: https://hub.docker.com/r/izhuer/pmp
speak: https://www.youtube.com/watch?v=QEDZAAQhX5w
slides: https://www.cs.purdue.edu/homes/zhan3299/res/SP20_slides.pdf
USENIX14
X-Force is a novel binary analysis engine. Given a potentially malicious binary executable, X-Force can force the binary to execute without requiring any inputs or a proper environment.
paper: https://web.cse.ohio-state.edu/~lin.3021/file/SEC14b.pdf
NDSS16
FIRMADYNE is an automated and scalable system for performing emulation and dynamic analysis of Linux-based embedded firmware
paper: https://www.ndss-symposium.org/wp-content/uploads/2017/09/towards-automated-dynamic-analysis-linux-based-embedded-firmware.pdf
github: https://github.com/firmadyne/firmadyne
tutorial: https://www.youtube.com/watch?v=U86iFH7muwg
Cuckoo Sandbox is the leading open source automated malware analysis system
paper: https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8473346&casa_token=7icrdJeTyJsAAAAA:g7ItXjydrj8Vwz6t-p3uVRKzgr_RixhWrcvF6-jmTAqV8kcNFuuXdLPm8bmEpwGpelhEsayH
github: https://github.com/cuckoosandbox/cuckoo
speak: https://www.youtube.com/watch?v=V4z2tLRCuIY
Limon is a sandbox developed as a research project and written in Python, which automatically collects, analyzes, and reports on the runtime indicators of Linux malware
paper: https://www.blackhat.com/docs/asia-16/materials/arsenal/asia-16-KA-Limon-wp.pdf
blog: http://malware-unplugged.blogspot.com/2015/11/limon-sandbox-for-analyzing-linux.html
github: https://github.com/monnappa22/Limon
speak: https://youtu.be/fSCKyF--tRs
related: https://www.blackhat.com/docs/eu-15/materials/eu-15-KA-Automating-Linux-Malware-Analysis-Using-Limon-Sandbox.pdf
HaboMalHunter is a sub-project of the Habo Malware Analysis System (https://habo.qq.com), which can be used for automated malware analysis and security assessment on Linux systems
paper: https://www.blackhat.com/docs/asia-17/materials/arsenal/as-17-Yang-HaboMalHunter.pdf
github: https://github.com/Tencent/HaboMalHunter
FIT conference paper
LiSa, a project providing automated Linux malware analysis on various CPU architectures.
paper: http://excel.fit.vutbr.cz/submissions/2019/058/58.pdf
github: https://github.com/danieluhricek/LiSa
Detux is a sandbox developed to do traffic analysis of Linux malware and capture the IOCs by doing so. The QEMU hypervisor is used to emulate Linux (Debian) for various CPU architectures. It supports x86, x86-64, ARM, MIPS and MIPSEL.
link: https://detux.org/
github: https://github.com/detuxsandbox/detux
A Linux Toolkit for Malware Analysis
link: https://remnux.org/
SP18
Currently the most comprehensive study of Linux malware
paper: https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8418602&casa_token=Kvk4wfueWP8AAAAA:Qq5fc4jwa6k4mDAodtK5r8QqCwcyH4R0gCPkGakM25AfNfh2gk45VlI7RT2e9lYoJEOlY-gK
speak: https://www.youtube.com/watch?v=bTkVFqF9VAw
USENIX17
paper: https://www.usenix.org/system/files/conference/usenixsecurity17/sec17-antonakakis.pdf
slides: https://www.usenix.org/sites/default/files/conference/rotected-files/usenixsecurity17_slides_ma_zane.pdf
speak: https://youtu.be/1pywzRTJDaY
github:
https://github.com/jgamblin/Mirai-Source-Code
https://github.com/ruCyberPoison/-Mirai-Iot-BotNet
useful toolkit book
http://venom630.free.fr/pdf/Practical_Malware_Analysis.pdf
PKU course slides: https://xiongyingfei.github.io/SA/2017/main.htm
fuzzing resources list: https://github.com/secfigo/Awesome-Fuzzing