IoT malware and IoT botnets are becoming a real problem.
Malware targeting Internet of Things (IoT) devices is becoming more and more prevalent, with new families discovered every month, all working in the same way.
IoT malware, which usually targets the various Linux flavors used to power these devices, is rarely a danger to the people or companies behind the devices, but to everyone else.
All IoT malware discovered in the past two years has been seen doing the same thing. The infection starts with a crook or an automated service running brute-force attacks, trying to guess the IoT device’s admin password from thousands of username-password combinations.
Default device passwords help IoT botnets grow
If users haven’t changed their device’s default credentials, then crooks usually get access to the device after a few seconds. At this point, the malware alters the device by adding special code to communicate with one of its command and control servers, ensnaring it into a worldwide botnet, mainly used to execute DDoS attacks, relay proxy traffic for crooks, and brute-force other IoT devices.
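The first stage of this process leaves a recognisable trace in a device’s own auth log: a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not code from the article or from Symantec, that scans constructed dropbear-style auth lines (the message format is assumed) for such a burst and for a login that follows it:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, written in the style of dropbear's auth messages on an
# embedded Linux device; they are not log data from the article.
SAMPLE_LOG = """\
Sep 21 10:00:01 dvr dropbear[812]: Bad password attempt for 'root' from 198.51.100.7:51022
Sep 21 10:00:02 dvr dropbear[812]: Bad password attempt for 'admin' from 198.51.100.7:51023
Sep 21 10:00:03 dvr dropbear[812]: Bad password attempt for 'root' from 198.51.100.7:51024
Sep 21 10:00:04 dvr dropbear[812]: Bad password attempt for 'pi' from 198.51.100.7:51025
Sep 21 10:00:05 dvr dropbear[812]: Bad password attempt for 'ubnt' from 198.51.100.7:51026
Sep 21 10:00:06 dvr dropbear[812]: Password auth succeeded for 'root' from 198.51.100.7:51027
Sep 21 10:15:00 dvr dropbear[812]: Bad password attempt for 'alice' from 203.0.113.9:40001
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ \S+: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for '(?P<user>[^']*)' "
    r"from (?P<ip>[\d.]+):\d+$"
)

def parse_line(line):
    """Return (timestamp, event, user, ip), or None for lines we do not understand."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; the parsed year (1900) only matters relatively.
    return datetime.strptime(m["ts"], "%b %d %H:%M:%S"), m["event"], m["user"], m["ip"]

def analyze(log_text, window_s=60, threshold=5):
    """Flag a source with >= threshold failed logins inside window_s seconds,
    and flag a successful login from an already-flagged source as a likely compromise."""
    failures = defaultdict(list)  # ip -> (timestamp, user) of failures inside the window
    flagged, findings = set(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, event, user, ip = rec
        recent = [f for f in failures[ip] if (ts - f[0]).total_seconds() <= window_s]
        if event == "Bad password attempt":
            recent.append((ts, user))
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                findings.append({"ip": ip, "kind": "brute_force",
                                 "users_tried": sorted({u for _, u in recent})})
        elif ip in flagged:
            findings.append({"ip": ip, "kind": "login_after_brute_force", "user": user})
        failures[ip] = recent
    return findings
```

The usernames in the sample are constructed; a `login_after_brute_force` finding is the one that deserves an immediate look, since it marks the moment the device is likely to have joined a botnet.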
In August, Kaspersky discovered that Linux-based botnets had become the most popular DDoS botnets on the market.
Only in targeted attacks will you see someone use an IoT device as a pivot point inside a network; in the vast majority of cases, IoT devices are used as bots for DDoS attacks.
All of this is made easier by device owners who don’t secure their devices with custom passwords. The table below, based on Symantec data, shows the passwords most often encountered on IoT devices around the world.
[Table: Top usernames | Top passwords]
As you can see for yourself, most are easy guesses and are the default passwords for equipment running on Raspberry Pi boards, Ubuntu, and other platforms.
According to Symantec, most of today’s IoT malware comes with cross-platform support and can target all major IoT hardware platforms, such as x86, ARM, MIPS, and MIPSEL. In some cases, malware families went beyond these popular platforms and also targeted the PowerPC, SuperH, and SPARC architectures.
Modern IoT malware can spread on its own
Using tools like Shodan and automated brute-forcing scripts, attackers rarely have to infect IoT devices manually anymore, even if there are cases where this is still required. Recent malware even has wormable features that allow it to spread to other devices, such as the Ubiquiti worm.
With self-replication features, IoT malware can help crooks build massive botnets, some with over 25,000 bots and, in some cases, over 120,000 infected devices. Level 3 estimates that there are over one million compromised IoT devices available online.
These botnets are often combined to launch different types of DDoS attacks on their targets. Just this week, infosec journalist Brian Krebs reported a DDoS attack that clocked in at 620 Gbps after he exposed a DDoS-for-hire service. Krebs said early indicators show this was the work of a massive botnet of IoT devices.
Symantec says the most popular IoT malware families are Linux.Darlloz (aka Zollard), Linux.Aidra (Linux.Lightaidra), Linux.Xorddos (aka XOR.DDos), Linux.Gafgyt (aka GayFgt, Bashlite), Linux.Ballpit (aka LizardStresser), Linux.Moose, Linux.Dofloo (aka AES.DDoS, Mr. Black), Linux.Pinscan / Linux.Pinscan.B (aka PNScan), Linux.Kaiten / Linux.Kaiten.B (aka Tsunami), Linux.Routrem (aka Remainten, KTN-Remastered, KTN-RM), Linux.Wifatch (aka Ifwatch), and Linux.LuaBot. On top of these, you can also add Rex, Mirai, Linux.BillGates, and Linux.BackDoor.Irc.
The IoT landscape is fraught with unprofessional vendors
Based on telemetry data, most of these devices are located in China (34 percent) and the US (28 percent). In most cases, the blame lies with a single company.
For example, the 25,000-strong botnet mentioned earlier was caused by a Chinese company that sold white-label DVRs for which it failed to issue a firmware update.
The DVRs were resold by 70 other companies, each of which put its own logo on them. Users who discovered their DVRs were insecure couldn’t patch their devices, because the seller was, and still is, waiting on the Chinese company to fix its flaws.