Malware presents a growing problem in a world that is increasingly connected to, and reliant on, the internet. The growing, devastating potential of cyber attacks such as DDoS attacks on society and economy is largely the result of a new class of devices, the Internet of Things (IoT), whose characteristic vulnerabilities make them easy targets to be compromised and controlled by malicious actors. This study employs a mixed-method research design to examine end-users' perceptions of the security of internet connected devices, their motivations for (non-)adoption of centralized DNS-based malware mitigation measures, and the efficacy of such services in mitigating malicious activity in a real-life environment. The results indicate that centralized DNS-based malware mitigation have significant potential in reducing end-user vulnerability to malware threats, but their adoption is hindered by lacking ability to assess threats and the value and efficacy of security measures.

The increasingly important availability of online services is constantly threatened by malicious software such as botnets. Attackers have gained power through devices that are part of the rising Internet of Things (IoT), mostly through infections caused by Mirai. The botnets created by Mirai are used for the purpose of DDoS attacks, which can take away the availability of an online service. Although Mirai can be detected relatively easily due to its superficial signature, the remediation process of Mirai infected IoT devices runs far from smoothly. As end-users often do not notice the presence of Mirai and manufacturers lack incentives to invest in better security or support, ISPs like KPN are amongst the few viable actors that could defend against botnets like Mirai. As ISPs are able to link infection feeds to their customers, they are able to send out notifications accompanied by protocols that can resolve Mirai infections when executed properly. Although research exists on the remediation rates, it is not clear what processes take place at end-users homes during the remediation process and what critical points of error exist throughout the phases of the anti-botnet cycle. As the remediation rate of Mirai infections is currently only 60 – 76 percent, it can be worth looking into the remediation processes to see where they could be improved. The main research question is the following: “What do we learn about how and to what extent Internet Service Providers can improve the remediation process of malware infected Internet of Things devices by monitoring end-users while they are cleaning their Mirai infections?”. To answer this question, we have closely followed 17 Mirai infected end-users over a period of 7 weeks, at the KPN Abuse Desk, after a 1 week pilot phase to test our email notification and think aloud protocol. We have prepared and analyzed all steps from identification of a Mirai infection until successful remediation took place. The lion’s share of this experiment is about a virtual visit; a phone call with an option to upgrade to a video conference, in which infected end-users get advanced support in performing the 5 cleaning steps stated in the protocol they received. As the end-users thought aloud during the calls, we were able to follow them closely and pinpoint arising issues. Using a thematic content analysis, we synthesized the personal stories that end-users shared. During the 7 week experiment, we saw 37 unique IP addresses infected with Mirai, of which 12 were excluded due to the ISP policy of not providing support during the weekends. Of the 25 remaining IP addresses, 3 could not be notified due to technical issues within KPN, 2 did not pick up the phone after being notified and 3 were not willing to take part in the experiment due to trust issues. 16 out of 17 participants that were responsible for the internet security were male, but their varying household sizes shows that this does not relate to men becoming infected more often. The age of the end-users was normally distributed between 21 and 80 and we found a household size of 1 to 6, excluding 3 small business locations that became victim of Mirai. End-users can often only identify 1 or 2 IoT devices in their network (13 out of 17) and are almost always able to pinpoint the infected device (16 out of 17). Many issues arose during the virtual visits, such as a lack of trust, not willing to spend effort, a lack of support by the manufacturer, or the idea that regular protection measures should have protected against Mirai. Only 6 out of 17 end-users were able to perform all steps successfully. In most cases end-users failed to change the password of their device or performed a regular reset on their router instead of a factory reset. This caused 3 failing remediation efforts and 5 reinfections during the experiment phase. The remediation process has barriers in each phase that could be addressed. The biggest improvement can be made in the awareness of end-users, which would lead to higher prevention of infections. Prevention would keep the many potential issues in the remediation process from arising altogether.

As the IoT is widely deployed in people’s homes, adversaries are busy exploiting the vulnerabilities of these devices. One kind of such device is the NAS device made by the company QNAP. Unfortunately, these devices are prone to the QSnatch malware. Unlike previous malware such as Mirai has this nasty habit, it settles deeper into the machine. In this way, the malware gains reboot persistence. Therefore, we consider the malware as persistent IoT malware compared to the non-persistent IoT malware. This affects the clean-up of the virus, as changing the passwords and rebooting the device is not enough to remove the virus. As a result, other steps are needed to get rid of the virus. If we take a look at the NAS device market, we see that the manufacturers of these devices have little incentive to invest a lot in the security of the devices. It is then challenging for the customer to estimate which devices are secure and are mainly tempted by discounts and devices that can be configured quickly. Then, the ISP is the link in the process that, with the help of the non-profit organisation Shadow Server, can determine which of its customers may be infected with certain malware. Shadow Server uses servers to receive the malicious traffic and forwards the corresponding IP addresses to the ISP. The ISP then knows which customer is dealing with possible infection and can inform them. This also happens for the QSnatch malware. The ISP sends the infected customer a notification informing them about the infection and providing steps to clean their device. These steps are a simplified and Dutch-translated version of the steps provided by QNAP. From that moment on, it is up to the infected customer to take action. Previous research has made a tremendous effort in understanding the efforts of infected customers in remediating the issue and showed that various resources could be used by the ISP to improve the results of this process.

Malicious software such as botnets are a threat to society and increasingly so through Internet of Things (IoT) devices. The large volume, pervasiveness and high vulnerability of IoT devices make them low hanging fruit for malicious actors. Currently, the biggest threat for insecure IoT devices is Mirai, a botnet which is deployed for DDoS attacks. Home users often fail to detect and resolve Mirai on their IoT devices. For this reason, Internet Service Providers (ISP) increasingly take efforts to increase remediation. Sending their infected customers a notifications containing cleanup instructions is currently the most feasible measure on a large scale. However, previous studies point out that it is not clear how people process these notifications, if they comply with it and how this effects the remediation rate and speed. The central research question of this study is ‘What is the role of IoT device end users in Mirailike bot remediation?’. We have conducted an eight-week experiment at the KPN Abuse Desk that notifies customers about abuse incidents. 177 Mirai-infected consumers have been randomly assigned to a walled garden notification (i.e., a quarantined environment), an e-mail notification, or control group. All subjects within the experiment have been tracked for two weeks to estimate the infection time and are contacted afterward for interview purposes. Male consumers and consumers younger than 54 years possess relatively more often a Miraiinfected device compared to other consumers. Both e-mail and walled garden notifications are effective in reaching consumers, informing them and encouraging them to take action. The majority of consumers do not follow the recommendations provided by the notification. In contrast, the number of actions that are performed while not mentioned in the notifications is remarkably high. Since many consumers asked for additional help, we conclude that consumers appear don’t have a full understanding of how to tackle the problem. In the control group, several consumers remediated Mirai unintentionally. However, these cases do not explain all observed remediation. Using two survival analysis modeling techniques, we find that consumers placed in a walled garden have a 29% to 85% shorter infection time than other consumers. We conclude that there is a discrepancy between stated behavior and the actual behavior of consumers. Although we cannot observe all cleanup efforts of consumers, we observed that awareness of the Mirai-infection and the intention to comply with the recommended actions influence that unobserved behavior. Gender also influences the unobserved behavior. Women clean up their device quicker than men while their statements during the interviews contradict this. One explanation is that women may unintentionally clean up their device. We conclude that age, consumer market, device type and customer satisfaction have no significant influence on remediation. We believe that it is unlikely that all unexplained remediation can be attributed to the unobserved behavior. We thus cannot explain all observed remediation from the user perspective. Therefore, we argue that future work must also focus on the attacker perspective. Since we only observed Mirai-infections, we cannot exclude the possibility that competing malware confiscated infected devices within our experiment. In addition, novel Mirai variants may have evolved scanning behavior which obstructed proper detection of infected bots.