IoT botnets – when Open Source is misused

To get rich, cause damage, espionage - there are numerous reasons for cyber attacks. With this in mind, publicly available sources are often searched for information because they are not classified and are therefore legal and available free of charge. In an earlier article, we already explained what Open Source Intelligence (OSINT) has to do with cyber security and how our experts use OSINT. The basic principle of Open Source is that it is freely accessible to everyone - in most cases with innocent intentions. But that's not always true...

As is the case with so many technological success stories, there is also a downside to Open Source. For developers, Open Source has been without any question a blessing. The upswing began at the beginning of the 90s. The Internet had spread out and initially connected networks mainly at universities. Later, the first Internet Service Providers made a private Internet connection possible. From then on it progressed rapidly as more and more free operating systems were promoted by programmers worldwide. Right before the millennium the Open Source Software finally arrived.

IoT – a global computer

But that's enough of the history lesson! Of course, they wanted to connect everything together as quickly as possible and make the data they had gathered accessible. Safety was often of secondary importance. With IoT, a global computer was built - but how can it be kept under control? As Bruce Schneier impressively explained at last autumn's InfoGuard Talk, the Internet of Things is much less secure than many believe. IoT networks and devices have rapidly spread and as a result, they are relatively vulnerable. So this makes them, of course, a popular target for hackers.

In autumn 2016 the source code for Mirai was released. Remember? Mirai is a Linux malware that can be used to create botnets. The source code was quickly used to create a framework for malware to target IoT devices. Malware based on the open source Mirai code can quickly integrate hundreds of devices into IoT botnets and use them for attacks.

5 known variants with memorable names

Satori, JenX, OMG, Wicked and Reaper – these are probably the best known five variants, which were built based on this code. OMG, for example, adds a new feature in the form of an HTTP and SOCKS proxy. This allows an infected IoT device to act as a pivot point, allowing the bot author to scan for new vulnerabilities or launch additional attacks without updating the original binary. The bot author can also convert to private networks depending on what IoT device it is and how it is connected. In other words, IoT devices within the company can be used against you to launch attacks within the network.

On the other hand, Reaper’s behaviour differs significantly from the others in some important ways. For one thing, it is very intelligent and is continuously educating itself. It builds massive botnets, for example, which - theoretically - can paralyse the entire Internet. Reaper goes unnoticed as it settles itself into networks and recruits new IoT devices from there, which in turn pass on the infection. The damage that such a massive botnet can do is enormous. Reaper's potential for damage is believed to be countless times higher than the 2016 Mirai botnet.

VPNFilter malware

Using open source for malware is not new, of course. In addition to Mirai, the malware VPNFilter, for example, has given a whole new dimension to the issue by infecting half a million routers in 54 countries.
The goal of VPNFilter malware is not to blindly exploit IoT devices for DDoS attacks. Not at all, VPNFilter is much more sophisticated and goes through several stages after the primary infection. One is to carry out a classic man-in-the-middle attack by gathering data in a network connected to the infected device. The data is then encrypted and transmitted via a Tor network. Malware can also hide the origins of later attacks, but that is by no means the end of the story. The fact is that IoT devices are booming, which means that IoT botnets can spread even faster - and will do so.

What can I do against IoT botnets? 

It is imperative that IoT network operators establish policies and strictly follow best practice regarding patches and updates. This means that identified device vulnerabilities can also be rectified retrospectively. In addition, the team responsible must have a very wide-ranging insight into all areas of the network. However, security teams also need to be constantly informed about current global threats and should exchange information so that they are better able to identify the attacks and precursors of an attack.

As you can see, there are two sides to every coin, and the Open Source movement is not without negative consequences, even if they are unintentional. Cyber criminals are as smart as they are sneaky. They will use all available means to exploit the networks (and their possibilities) on which we are increasingly dependent. Stay alert and rely on a strong defence. This is the only way to protect yourself from the growing threat of IoT botnets!

Knowledge as an (or the most) effective tool for defending cyber attacks

The more you know, the better you can protect yourself. And what's more invaluable than free expert tips? Stay up to date and don't miss out on the blog posts from our cyber security experts. They report every week on current trends, dangers and solutions, and provide valuable insights from the world of cyber security and defence. We also regularly publish whitepapers, checklists and videos, that you can use every day. So, what are you waiting for?

Subscribe to blog updates now!


*in cooperation with Netscout Arbor

<< >>

Iot Security , Network Security

Corinne Lenherr
About the author / Corinne Lenherr

InfoGuard AG - Corinne Lenherr, Office Assistant

More articles from Corinne Lenherr

Related articles
Cyber Security Blog

Exciting articles, the latest news and tips & tricks from our experts on all aspects of Cyber Security & Defence.

Blog update subscription
Social Media