Botnet evolution: from zombie PCs to IoT devices

There are two different flavors of pretty much any cutting-edge online technology. On the one hand, it is most likely to cause a benign overhaul of peoples’ lifestyles, routines and habits. On the other, it is doomed to become cybercriminals’ target. Speaking of the Internet of Things, threat actors predictably go the well-trodden route of exploitation. Not only is IoT a buzzword, but it is also a nearly ubiquitous component of the present-day world with a significant economic footprint.  The number of online-accessible smart devices is growing exponentially, with the global spending in the IoT security market alone estimated to reach $4 billion by 2022.

Zooming out, what does this have to do with the evolution of botnets? It turns out, the ties are closer than you might have imagined. Intelligent devices, including the ones people keep in their homes, are low-hanging fruit for malicious players – moreover, their constantly increasing quantity plays into villains’ hands.

Smart vehicles, cameras, TVs, routers, fridges, DVRs, climate control systems, toasters, kettles, wearable gadgets and even drones are all connected to the Internet in one form or another. Some operate with excessive privileges and thus make a great springboard for expanding the attack surface. By hacking the firmware of these clever things, an adversary can inject perpetrating code, remotely control them and invoke arbitrary commands.

Conventional vs. IoT botnets

Old school botnets are typically composed of compromised computers or servers running malware behind admins’ back. In this scenario, botnet operators establish a surreptitious channel to control the enslaved machines via peer-to-peer protocol or Internet Relay Chat (IRC). Some of the common vectors of harnessing bots include distributed denial-of-service (DDoS) attacks, spam campaigns and, more recently, stealth cryptocurrency mining (cryptojacking) activities.

In the case of an IoT botnet, the malicious logic is similar, except that the malware-infested devices constantly attempt to ‘poison’ other smart objects they can interact with on the network. This hallmark enables such a botnet to inflate autonomously at a rapid rate. Whereas large conventional botnets tend to include tens of thousands of compromised computers, their IoT based counterparts are a lot bigger and can encompass hundreds of thousands or even millions of intelligent devices. Regardless of the scaling, the tasks fulfilled by both types of these malicious networks usually match.

IoT security concerns

With the numerous shades of customer experience benefits in place, poor security of IoT devices is probably their biggest shortcoming. Most of them don’t run common operating systems with tried-and-tested protection mechanisms built in. Some simply lack memory to host adequate anti-breach tools. One of the most disconcerting characteristics, though, is that firmware updates are often not supported at all, therefore vulnerabilities remain unpatched and make malware campaigns persistent and pretty much unstoppable.

IoT botnets: what’s the attackers’ train of thought?

There is some good reasoning behind botnet operators stepping into the niche of the Internet of Things. A bevy of smart devices are easy to exploit due to users’ poor authentication hygiene as they keep the default credentials unaltered. To top it off, malicious code can easily modify these defaults once inside, making it very problematic for users to log in even if they identify the compromise. Furthermore, very few users perform regular maintenance of their connected things, so the likelihood of discovering a breach is negligible.

The main motivation for creating such botnets, though, is that IoT objects are always turned on and permanently online. This allows perpetrators to engage a maximum number of zombie nodes whenever they plan to launch a new large-scale attack. It’s also noteworthy that the darknet marketplace for IoT botnets is crammed up with low-cost offers. Threat actors can rent a full-fledged DDoS-as-a-Service kit for up to $20 a month, an amount barely plausible with traditional botnets.

Game-changing botnets

One of the earliest networks of enslaved smart devices that got the most media coverage was the Mirai botnet. This progenitor of IoT botnets gained notoriety in 2016 by propping a series of immensely powerful DDoS attacks against OVH and Dyn web services providers, knocking some of their infrastructure offline. Mirai consists of millions of compromised IoT devices, including CCTV cameras, DVRs and routers.

Another newsmaking botnet called Hajime is much more versatile than Mirai feature-wise, although it never reached the predecessor’s heights in terms of the number of hacked devices. It boasts cross-platform support, task automation, the ability to download other code, and a dynamic password list.

Reaper, one more botnet of this sort, took the nefarious tactics up a notch by exploiting vulnerabilities in IoT devices’ firmware rather than engaging in outright password cracking like Mirai does.

The Satori botnet is believed to be a Mirai spinoff, having surfaced in early December 2017 and hitting about 300,000 devices in less than a day. The latest botnet dubbed HNS (Hide and Seek) harnesses exploits to infect smart devices, goes with a boot persistence functionality and leverages a custom P2P protocol to interact with hacked nodes. Obviously, this segment of cybercrime is quickly gaining traction with malefactors and becoming more sophisticated.

The bottom line

Regardless of the type – traditional or IoT based – botnets pose numerous risks to end users and enterprises. They can do direct damage, as is the case with DDoS, or bolster other vectors of cybercrime, including cyber extortion through ransomware arriving with spam. Computer users can keep their machines on the safe side by using powerful, effective yet free antivirus software. In addition free IoT scanner will help you to protect your IoT network. The owners of smart devices should scrutinize a product’s security characteristics before purchasing it. An IoT entity is only worth its salt as long as it features regular firmware updates to address new vulnerabilities. Furthermore, changing the default login credentials from the get-go is an imperative.