Man
Smart devices are a new tool for botnet developers. Cybercriminals infect them and use them for cyberattacks, click fraud, bank fraud and other purposes. The owner of the device may not even know that his smart kettle is infected with malware and is involved in cybercrime. Cybersecurity experts report that fraudsters primarily target IP cameras, digital video recorders and routers, and only then kettles, vacuum cleaners and so on.
Contents
1. What are IoT botnets?
2. Types of IoT botnets
2.1. Kaiten
2.2. Qbot
2.3. Mirai
2.4. Echobot
2.5. Satori
3. Why IoT botnets are needed
3.1. DDoS attacks
3.2. Click fraud
3.3. Cryptocurrency mining
3.4. YouTube
4. Are smart device developers responsible?
5. How to protect smart devices from botnet infection
What are IoT Botnets?
An IoT botnet is a network of "smart" devices infected with malware and used to execute commands from the botnet master. Commands may include DDoS attacks, clicking on ads, spam distribution, etc. Such botnets are widely advertised on closed specialized forums.
Routers can play a significant role in the spread and activity of IoT botnets, as they provide more opportunities to infect other devices and carry out attacks on a large scale.
As of 2016, more than a million smart devices were part of IoT botnets.
A classic IoT botnet consists of a huge number of infected devices, which are controlled via a C&C server. This means that if such a server suddenly shuts down, then the botnet, regardless of the number of devices in it, will cease its activity.
Using more modern P2P networks to control botnets of infected smart home devices and routers bypasses this weakness. In this case, the infected devices are connected directly to each other; no central server is required. In practice, this means that if a P2P botnet is detected, the malware has to be removed from each individual device.
During the distribution process, the program searches for IP addresses of devices, finds those that are poorly protected, and infects them with malware. The hacked and infected gadget becomes a bot in the entire network and waits for further commands from the master.
Types of IoT Botnets
At the moment, three main malware code bases have been identified, from which most existing IoT botnets are written. They are distributed as open source.
The most common malware families are: Linux.Darlloz, Linux.Aidra, Linux.Xorddos, Linux.Gafgyt, Linux.Ballpit, Linux.Moose, Linux.Dofloo, Linux.Pinscan, Linux.Kaiten, Linux.Routrem, Linux.Wifatch and Linux.LuaBot.
Kaiten
Kaiten (aka Tsunami) is perhaps the least known of all the malware. However, its open distribution began back in 2001, and to this day it is popular among cybercriminals. The server addresses are written into the source code of Kaiten, which can be built for the SH4, PowerPC, MIPSel, MIPS and ARM architectures.
A special Python script is used as the search and infection tool: it looks for unprotected Telnet ports and guesses their credentials by trying default or weak passwords.
Kaiten is also characterized by the fact that it eliminates its direct competitors. That is, if the device is already infected with another malware, Kaiten first removes it before "settling in" itself.
Qbot
Although Qbot is newer than Kaiten, it cannot be considered a newcomer. It was first noticed in 2008, but is still readily used by cybercriminals. It is also known under the names Bashlite, Gafgyt, Lizkebab or Torlus. It uses the TCP protocol to connect to its control servers. Like Kaiten, if the device is already infected with another malware, Qbot deletes it before installing itself.
Mirai
Mirai is the most famous and widespread botnet of the three. It was first reported in 2016, when it took down a huge number of major websites and services. It was specifically developed as a commercial product for DDoS attacks. Just like the two previous botnets, some of its variants were able to "clean" a device infected with other malware.
Echobot
Echobot is a variation of Mirai. The botnet was discovered in May 2019. It is equipped to exploit over 50 vulnerabilities, the most popular of which is HTTP command injection. Its characteristic feature is that it targets not only smart devices, but also bugs in Oracle WebLogic and VMware SD-WAN.
Satori
The Satori botnet is another variant of the Mirai-based malware. Experts believe it was able to infect over 280,000 IP addresses in 12 hours, turning thousands of home routers into zombies. It used a zero-day vulnerability to hack and infect. Users from Argentina (70%), Tunisia (15%), and Bulgaria (4%) suffered the most.
Why IoT Botnets Are Needed
Cybercriminals manipulate smart devices to carry out DDoS attacks, cryptocurrency mining, click fraud, identity theft, and network espionage.
DDoS attacks
The main goal of creating IoT-based botnets remains DDoS attacks; this is their primary use. For example, in 2015, a huge number of such attacks were recorded. More than half of them came from the USA and China, as well as Vietnam, Germany, Russia, Ukraine and the Netherlands. An attack of 300 Gbit/s is enough to take down many sites that are not protected against DDoS.
List of the largest DDoS attacks in 2016:
- Attack on Blizzard servers. Regular users who were unable to access game servers suffered.
- The Chinese company Imperva was attacked. The power of this DDoS was 470 Gbps.
- An attack on the website of journalist Brian Krebs, who had previously exposed a group of hackers. Its power was 620 Gbps.
- The OVH provider's network did not stay on the sidelines either and also suffered from an IoT botnet. Its bandwidth was off the charts: 1 Tbit/s.
- But the record for the power of a DDoS attack was set by a massive attack on the DNS provider Dyn, at more than 1 Tbit/s. Because of the attack, Twitter, Reddit, PayPal, Airbnb, Pinterest, Spotify, GitHub, Wix, HBO, CNN, Starbucks and many other services were unavailable.
As practice shows, it is better to take care of protecting your smart devices in advance, so as not to lose millions in the future to eliminate the consequences.
Click fraud
But blocking websites is not all that IoT botnets are capable of. Experts have analysed the malware and found that some of it, instead of infecting a device for subsequent DDoS attacks, tries to hack it and use it as a proxy server.
And the simplest use of such a proxy is clicking on ads. Advertising platforms such as Google AdWords, Yandex.Direct, Facebook (owned by Meta, an organization banned in the Russian Federation) and others place ads on websites. Fraudsters infect routers or smart home devices and send them commands to imitate the actions of real users and click on ads. And they do it quite successfully, first of all because botnet masters have a huge number of IP addresses at their disposal.
In addition, infected IoT objects themselves help in this, especially if they are in an ordinary user's home. And if the bot successfully imitates the user's geolocation, then the master can easily direct the clicks at ads posted on his own site (if the bot operator acts as a partner in an advertising service).
Cryptocurrency mining
In addition to click fraud and DDoS attacks, which are quite popular among cybercriminals, cryptocurrency mining has recently become another use of IoT botnets. However, for now there is no need to worry, since devices infected with such malware would need special software and powerful processors in order to mine a meaningful amount of cryptocurrency.
But even so, if the master earns 1 cent per hour this way, and there are many infected devices in the network (say, 100 or 200 thousand), then good money can be made.
YouTube
A recent study by a team of cybersecurity experts at American ISP CenturyLink found that IoT-powered botnets are driving traffic to YouTube videos to watch or click on ads. They discovered this while investigating the TheMoon botnet.
The investigation revealed that the smart devices were infected with TheMoon malware, and then experts discovered a completely new and previously unknown exploit designed to infect routers, turn them into proxies and direct bots to inflate traffic.
Are Smart Device Developers Responsible?
IoT gadget manufacturers should be held accountable if they fail to update their products, or if they fail to respond to hacked devices. It is impossible to write perfectly secure software; criminals will find vulnerabilities and ways to hack it anyway. However, the manufacturer should respond quickly when that happens.
How to protect smart devices from botnet infection
So what should companies or ordinary owners of smart devices do to protect themselves from cyber fraud? Follow these tips:
- Monitor vulnerabilities and try to fix them as soon as possible. Update your software when relevant updates arrive. This will reduce the risk of infection through malware exploits.
- Use a secure configuration. Users should be sure that they are using the most secure configuration on their devices to narrow down the possible infection paths.
- Use complex and difficult to guess passwords. Cybercriminals can use malware with aggressive brute force against the most common passwords.
- Change your passwords as often as possible.
- Connect smart devices to a separate network.
You can also use other security measures to protect yourself from malware:
- Disable features that you won't use.
- Keep track of the operation log. For example, what the thermostat did while you were away.
- Use antivirus software specifically designed for smart homes to protect your devices from botnet attacks.
- If you use voice control, change the activation phrases from time to time.
- Disable the UPnP (Universal Plug & Play) protocol. UPnP finds similar devices and connects to them. However, malware can also abuse this protocol's vulnerabilities: if one smart home item is connected to another, the second one will be infected as well.
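A defender-side check tied to the infection path described above for Kaiten (Telnet password guessing) and to the tip about brute force against common passwords: this added Python example, which is not code from the original post or from any of the malware families it names, scans syslog-style login records from a router for bursts of failed Telnet logins per source address and notes whether a login from that source succeeded right after the burst. The log format, host name, addresses and user names are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, modelled loosely on what a Linux-based home router
# might write for Telnet logins. These are not real captures.
SAMPLE_LOG = """\
Jan 10 03:14:01 gw login[812]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'admin', Authentication failure
Jan 10 03:14:02 gw login[813]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'root', Authentication failure
Jan 10 03:14:03 gw login[814]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'admin', Authentication failure
Jan 10 03:14:04 gw login[815]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'support', Authentication failure
Jan 10 03:14:05 gw login[816]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'user', Authentication failure
Jan 10 03:14:06 gw login[817]: FAILED LOGIN (1) on '/dev/pts/0' from '203.0.113.5' FOR 'root', Authentication failure
Jan 10 03:14:09 gw login[818]: root login on 'pts/0' from '203.0.113.5'
Jan 10 07:30:00 gw login[901]: FAILED LOGIN (1) on '/dev/pts/1' from '192.168.1.20' FOR 'admin', Authentication failure
Jan 10 07:30:40 gw login[902]: admin login on 'pts/1' from '192.168.1.20'
"""

FAIL_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: FAILED LOGIN .* from '([\d.]+)' FOR '(\w+)'")
OK_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: (\w+) login on '\S+' from '([\d.]+)'")

def parse_ts(stamp):
    # Syslog stamps carry no year; the constructed data is all from one year.
    return datetime.strptime("2024 " + stamp, "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside `window`; record a later successful login from the same source."""
    events = []
    for line in log_text.splitlines():
        if m := FAIL_RE.match(line):
            events.append((parse_ts(m[1]), m[2], False, m[3]))
        elif m := OK_RE.match(line):
            events.append((parse_ts(m[1]), m[3], True, m[2]))
    events.sort(key=lambda e: e[0])
    recent = defaultdict(list)  # ip -> [(ts, user)] failures still inside the sliding window
    findings = {}
    for ts, ip, success, user in events:
        if success:
            if ip in findings and findings[ip]["login_after_burst"] is None:
                findings[ip]["login_after_burst"] = user  # the guessing worked: device is likely compromised
            continue
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window] + [(ts, user)]
        if len(recent[ip]) >= threshold:
            f = findings.setdefault(ip, {"failures": 0, "users": set(), "login_after_burst": None})
            f["failures"] = max(f["failures"], len(recent[ip]))
            f["users"].update(u for _, u in recent[ip])
    return findings
```

A single failed login followed by a success from the LAN address is left alone, while the burst of default-account guesses followed by a root login is reported as a likely takeover, which is the point at which the device should be reset and its password changed.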
The world of the Internet of Things is rapidly developing. Not only Smart TVs appear in homes, but also smart kettles, switches, thermostats, and light bulbs. Botnet operators have new opportunities and tools to find their vulnerabilities and infect them with malware. Therefore, in order not to become a victim of cybercriminals, try to follow the above advice.