An IoT botnet is a network of devices connected to the internet of things (IoT), typically routers, that have been infected by malware (specifically IoT botnet malware) and have fallen into the control of malicious actors. IoT botnets are known for being used in launching distributed denial-of-service (DDoS) attacks on target entities to disrupt their operations and services. The essential role routers play in networks also opens other opportunities for malicious actors to use IoT botnets in conducting more damaging attacks. IoT botnets are advertised in underground forums — an indication of how easily accessible they are to cybercriminals.
Much of a botnet’s power comes from the number of devices that make it up. The botnet malware families used to infect devices highlight this nature of the threat: They are designed to amass as many devices as possible while fending off other botnet malware.
Typically, botnets are controlled from a single command-and-control (C&C) server that is connected to all the infected devices (called “bots”). But the use of peer-to-peer (P2P) networking in some botnets eliminates the need for a C&C server, making it more difficult to take them down.
We have identified three main IoT botnet malware codebases on which most of today’s IoT botnets are based. The shared characteristics of these codebases show the true nature of IoT botnets and how they are operated. They are open-source malware, spawning many variants that now define the IoT botnet landscape.
Kaiten (aka Tsunami) is arguably the least known of the three codebases. However, this codebase, which has been open-source since 2001, remains popular among cybercriminals and script kiddies. Kaiten spreads by brute-forcing Telnet services. Its recent variants have a bot-killing feature that cleans any other infections prior to its own.
While it is newer than Kaiten, Qbot is also a relatively old IoT botnet malware family. It first emerged in 2008, but it is still popular among cybercriminals. It is also known as Bashlite, Gafgyt, Lizkebab, or Torlus. Like Kaiten’s, Qbot’s variants have a bot-killing feature that uninstalls other pieces of botnet malware.
Mirai is the most common and best known of the three codebases. It emerged in 2016, when it made a name for itself after taking down major websites and services. It was designed as a DDoS tool for sale and was used to target gamers. Some of Mirai’s variants have the ability to clean up older infections and fully monopolize a device.
We discuss these three IoT botnet malware codebases extensively in our paper “Worm War: The Botnet Battle for IoT Territory.”
The prevalence of the three codebases shows that IoT botnets are designed to grow and compete with one another over unsecure devices. It paints a picture of a very active “war.” But in the real world, this battle is waged silently and unbeknown to users. Many of the risks presented by IoT botnets today endure because users fail to notice infected devices or they are unable to clean the devices themselves.
IoT botnet malware families and variants have the tools to infect as many devices as they can, while canceling out other botnet infections. It may seem that a war among operators of IoT botnets is a good thing, but ultimately it is the owners of the infected devices who have the most to lose regardless of who wins control over their devices. The ongoing worm war shows how aggressive IoT botnet operators are in creating the ultimate botnet armies and how users can be unknowingly caught in the crossfire.
A closer look at the nature of individual IoT botnet malware infections reveals how difficult it is to clean them. By reviewing the case of the botnet malware VPNFilter, we found the existence of devices still infected by the malware despite its operations’ having been taken down in 2018. We surmised that users were either unaware of the infections in the first place or unable to remove the infections themselves because they did not have admin access over their devices.
Figure 1. A breakdown of the remaining VPNFilter infections by country
Unfortunately, the continuing development and the broadening use of the IoT leave more room for botnets to evolve. IoT botnets will likely be part of the threat landscape in the years or even decades to come, evolving into a formidable threat that will be much harder to take down.
One way we see this happening is through the application of P2P networking, a well-known file-sharing technology, in IoT botnets. As previously mentioned, an IoT botnet is typically controlled through a C&C server. By taking down the C&C server, defenders are able to render the botnet powerless. The involvement of P2P networking will remove this solution, as this technology allows computers to connect to one another without the need for a central server.
Without this solution, defenders would have to clean each of the devices in a botnet to take it down. Given how a single botnet can comprise thousands of devices, this can be a considerably hard and near-impossible task. In this sense, P2P networking can render IoT botnets unkillable.
This threat is already something of a reality. At present, there are five known P2P IoT botnet malware families.
Appearing as far back as 2014, Wifatch was the first IoT malware with P2P capabilities. It can be classified as “Robin Hood” malware, with its creators claiming that they designed it to protect routers from other truly malicious malware. Wifatch uses a custom-made and straightforward P2P protocol implemented in Perl.
Hajime surfaced in 2016. It was initially compared to Mirai because both targeted many of the same devices. Unlike Mirai, however, Hajime does not have third-party attacking capabilities and it has P2P capabilities. Hajime implements the DHT (Distributed Hash Table) protocol, the same protocol responsible for BitTorrent’s distributed file system sync-up between disparate nodes, which does not need a centralized server.
Hide ‘n’ Seek
Hide ‘n’ Seek (HNS) was first seen and peaked in activity in 2018. HNS spreads via vulnerabilities, two of which are specific to IP cameras. It is therefore likely that HNS targets more than just routers. At the time we conducted our research (September 2020), it showed a low level of activity, indicating that its creators or operators had abandoned the malware. It is noted for its use of a custom P2P protocol that allows nodes to receive remote instructions from the network.
First detected in 2019, Mozi bears most of the modern features in the IoT environment. It infects devices using a hard-coded list of common credentials and specific vulnerabilities. It uses the DHT protocol to download and verify a config file.
HEH was first seen in 2020. Bearing the characteristics of modern malware, HEH was developed in the now-popular language Go. It uses hard-coded credentials and brute-forces passwords. Most notably, it scans for infectable machines by randomly choosing IP addresses and it uses an algorithm to derive the P2P port from a given IP address. This botnet malware is obviously designed to be monetized, with its potential to launch attacks on third parties.
Figure 2. A comparison of the development of P2P malware in Windows and IoT environments
Only a year or two separates the emergence of one P2P IoT botnet malware family and that of the next. Indeed, the evolution of P2P malware in the IoT environment has been much faster than in the Windows environment. Out of this continuum, Mozi and HEH — the two most recent families — are the ones that seem to have been truly designed for criminal purposes.
Five P2P IoT botnet malware families may not seem like much at present. However, should cybercriminals find a way to monetize their efforts, they will continue developing and implementing more complex P2P IoT botnet malware. A potential direction we see cybercriminals taking is shifting their focus into making money from infected routers’ networks instead of using the routers themselves as internet-connected devices.
We provide more information on P2P IoT botnets and the future of IoT botnets in our blog entry “The Future of P2P IoT Botnets.” This blog entry comes with a technical brief where we detail the more technical aspects of the five P2P IoT botnet malware families.
IoT botnets are evolving in a time when corporate and home networks are becoming much harder to separate. With remote work becoming the norm, the security of household devices, especially routers, has taken on greater significance as even these can influence the defenses of organizations.
Organizations would do well to take a more proactive stance in helping their employees secure their home networks and connected devices. Users, too, must understand the current state of IoT botnets so as not to be caught defenseless in the face of an ever-present worm war and so as not to deal with uncleanable infections.
The foreseeable future of IoT botnets will present much that companies and home users need to be prepared for. In the meantime, the best strategy against IoT botnets is to limit their resources and reduce the number of unsecure devices from which they could derive their power. Organizations and individual users can begin with these steps: