METHODS FOR DETECTING MALICIOUS PROPERTIES OF ALTERNATIVE ROUTER FIRMWARE IN THE CONTEXT OF MODERN NETWORK THREATS
DOI: 10.31673/2409-7292.2025.041215
Abstract
The article investigates the use of alternative and modified router firmware as one of the key factors in the formation of botnets and the execution of distributed DDoS attacks. It is shown that counterfeit or modified firmware can contain hidden binary modules, pseudo-random domain generation algorithms, delayed activation schemes, and block-safe architecture elements that provide stable and inconspicuous C2 communication channels. Traffic analysis, comparison of firmware checksums, and partial reverse engineering revealed typical signs of compromise: periodic cron calls, access to non-standard domain zones, use of non-standard TCP/UDP ports, and activation of malicious functionality in response to structurally fixed packet triggers. The results show that routers running such firmware are able to silently join the botnet infrastructure, transmit telemetry to C2 servers, participate in short but intensive DDoS campaigns, and then return to background mode without leaving noticeable artifacts. The proposed detection algorithm integrates NetFlow monitoring, SIEM correlation, and firmware integrity checking, which allows hidden communication mechanisms to be identified even under conditions of minimal network activity. The results of the work form a basis for improving approaches to detecting malicious firmware and increasing the resilience of networks to modern IoT botnets, and also outline the prospects for behaviorally oriented, firmware-aware protection systems.
Keywords: alternative firmware, botnets, DDoS attacks, hidden C2 channels, block-safe architecture, packet triggers,
NetFlow monitoring, SIEM correlation, IoT security, reverse engineering, router compromise.
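The detection approach outlined in the abstract (NetFlow monitoring for cron-like periodic beaconing to non-standard ports, a firmware digest comparison, and a SIEM-style correlation of the two) can be illustrated with the following added example. It is not code from the article; the flow records, firmware images, expected digest and port allow-list are all constructed sample values.

```python
import hashlib
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (seconds, src, dst, dst_port, proto); sample data, not captures.
FLOWS = [
    (0, "10.0.0.7", "203.0.113.9", 6667, "tcp"),
    (3600, "10.0.0.7", "203.0.113.9", 6667, "tcp"),
    (7200, "10.0.0.7", "203.0.113.9", 6667, "tcp"),
    (10810, "10.0.0.7", "203.0.113.9", 6667, "tcp"),   # small jitter, still cron-like
    (120, "10.0.0.5", "198.51.100.2", 443, "tcp"),
    (900, "10.0.0.5", "198.51.100.2", 443, "tcp"),
    (4100, "10.0.0.5", "198.51.100.2", 443, "tcp"),
    (4300, "10.0.0.5", "198.51.100.2", 443, "tcp"),    # irregular: normal client traffic
]
STANDARD_PORTS = {53, 80, 123, 443}  # assumed allow-list for a SOHO router's outbound traffic

# Constructed firmware images and a hypothetical vendor digest (not real firmware).
GOOD_IMAGE = b"vendor-firmware-v1.2.3"
EXPECTED_SHA256 = hashlib.sha256(GOOD_IMAGE).hexdigest()
MODIFIED_IMAGE = GOOD_IMAGE + b"\x00hidden-module"


def periodic_peers(flows, min_flows=4, max_jitter=0.05):
    """Group flows by (src, dst, port, proto) and return {peer: period_seconds} for peers
    whose inter-flow gaps are near-constant (coefficient of variation <= max_jitter)."""
    by_peer = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        by_peer[(src, dst, dport, proto)].append(ts)
    hits = {}
    for key, times in by_peer.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            hits[key] = round(mean)
    return hits


def firmware_tampered(image: bytes, expected_sha256: str) -> bool:
    """Integrity check: the flashed image digest must match the vendor's published digest."""
    return hashlib.sha256(image).hexdigest() != expected_sha256


def correlate(flows, firmware_by_host, standard_ports=STANDARD_PORTS):
    """SIEM-style rule: flag a host that beacons periodically to a non-standard port
    AND whose firmware digest differs from the expected one. firmware_by_host maps
    a source IP to (image_bytes, expected_sha256); hosts without firmware data are skipped."""
    flagged = set()
    for (src, dst, dport, proto) in periodic_peers(flows):
        if dport in standard_ports or src not in firmware_by_host:
            continue
        if firmware_tampered(*firmware_by_host[src]):
            flagged.add(src)
    return flagged
```

Either signal alone is weak (legitimate NTP clients beacon, and a vendor update changes the digest), which is why the rule requires both before raising an alert.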