IoT Botnets: The Dark Side of Open Source 

As with so many technology success stories, however, there’s a dark side to open source as well. The core principle of open source is that it is made freely available to anyone for any purpose – in most cases, with wholly benign intentions. But not always. 

Dark Side of Open Source 

Without question, open-source software has been a boon to developers everywhere. Once viewed as a kind of anarchy in the commercial software world, its early proponents have long since been vindicated, as open source gained mainstream respectability on the strength of popular platforms like Linux, Apache and Firefox. Commercial developers have widely embraced open-source components for their flexibility, cost savings, and the support of the vast open-source community.

As with so many technology success stories, however, there’s a dark side to open source as well. The core principle of open source is that it is made freely available to anyone for any purpose – in most cases, with wholly benign intentions. But not always.

The source code for Mirai was published on September 30, 2016, and quickly became the framework for malware targeting devices in the Internet of Things. IoT networks and devices have proliferated rapidly – an estimated 27 billion had been connected by the end of 2017. In the rush to connect everything and unlock the power of collected data, security has often been an afterthought, and IoT devices tend to be notoriously vulnerable. As a result, they have become a favorite target of hackers seeking entrée into the enterprise networks to which they are ultimately connected. Through automated, worm-like schemes, malware built around the open-source Mirai code can quickly commandeer hundreds of devices into IoT botnets and use them for launching attacks both within and outside of the hosting organization.

In the first annual NETSCOUT Threat Intelligence Report, our researchers noted that IoT botnet authors have used Mirai to build at least five known variants with catchy names. Satori, for instance, leverages remote code injection exploits to enhance the Mirai code. The builders of JenX, in contrast, removed several features from the code and rely on external tools for scanning and exploitation.

OMG was also added to the Mirai legacy. OMG adds a novel feature in the form of an HTTP and SOCKS proxy. This proxy feature allows the infected IoT device to act as a pivot point, which gives the bot author the flexibility to launch additional scans for new vulnerabilities or additional attacks without having to update the original binary. Depending on the type of IoT device and how it is connected, the bot author can pivot to private networks that are connected to the infected IoT device. In other words, an organization’s own IoT devices can be used against them as they to launch attacks within their network towards their assets.

Another variant, Wicked, appeared in May 2018, targeting Netgear routers and CCTV-DVR devices. The newest spawn of Mirai is IoTrojan, which exploits a remote code execution vulnerability in Huawei HG532 routers.

Reaper partially borrows some Mirai source code, but is significantly different from Mirai in several key behaviors, including an evolution that allows Reaper to more stealthily enlist new recruits and more easily fly under the radar of security tools looking for suspicious activity on the local network.

Leveraging and modifying open source malware is not new and only limited to Mira. For example, last month, the VPNFilter IoT malware took the game up a notch after infecting half a million routers across 54 countries. VPNFilter – which affected Linksys, MikroTik, NETGEAR, TP-Link and QNAP network devices and borrowed from the previously-observed Black Energy malware attributed to Russian hackers. 

The goal of the VPNfilter malware is not to simply use the compromised IoT device to launch a DDoS attack. The VPNFilter malware is much more sophisticated as it uses multiple third stage operations after the initial infection. One such function of VPNFilter is to conduct a classic man-in-the-middle attack by ‘sniffing’ network data on a network connected to the infected device, and gather credentials, supervisory control and data. The data is then encrypted and exfiltrated via a Tor network. It can also serve as a relay point to hide the origin of subsequent attacks.

As IoT devices continue to multiply, we can expect IoT botnets to flourish, become weaponized and spread like a gruesome mold; to be used by not only your run of the mill hacktivists but well-organized nation-state APT groups. At a minimum, it is critical for operators of IoT networks to establish policies and follow best practices around patches and updates to seal off the most basic device vulnerabilities. Beyond that, recognizing the enormous power IoT botnets are capable of, security professionals need to have pervasive visibility into all corners of their networks and deploy multi-layered DDoS defenses capable of detecting and thwarting both stealthy and brute-force attacks. Teams should also have a global threat intelligence resource to better understand the IoT botnet phenomenon and recognize the characteristics of a campaign taking shape.

Just as drug chemistry has yielded both life-saving miracles and deadly narcotics, the open source movement has not been without negative consequences, however unintended. Bad actors are as clever as they are malicious and will employ any means available to exploit the networks on which commerce and everyday interaction increasingly depend. Vigilance and a powerful defense posture are essential to protect against the growing IoT botnet threat.