
IoTroop botnet: How to protect yourself from the cyber-storm of the century

(Image credit: Wright Studio / Shutterstock)

Almost exactly one year ago, computers across the grid were attacked by a powerful IoT botnet called Mirai. In late September 2016, this botnet emerged in a massive distributed denial of service attack against the website of journalist Brian Krebs, kicking off a chain of similar attacks against everything from the hosting company OVH to the internet performance management company Dyn.

While this bot wreaked havoc on millions of devices, the most frightening aspect of it was that it was unlike anything anyone had seen before. This was a new kind of malware that attacked the weak security in many IoT devices. Mirai infected IoT devices that reported back to a central control server, and used those connections to turn the devices into a deadly and powerful bot. Exploiting the weaknesses in these devices’ security, Mirai caused outages and slowdowns of Internet-connected services across North America and Europe.

Fast forward to October 2017. The threat intelligence research firm Check Point Research reported that its researchers had discovered a huge botnet that was reminiscent of Mirai and could potentially topple the internet as we know it. They dubbed this threat “IoTroop Malware.” According to the researchers’ initial findings, Check Point’s Intrusion Prevention System (IPS) first noticed ominous signs of hackers attempting to exploit a combination of IoT device vulnerabilities in late September 2017. It quickly became evident that the attempted breaches originated from a variety of sources and IoT devices, meaning the IoT devices themselves were spreading the bot.

The IoTroop botnet, which shares an extensive code base with the leaked Mirai source code, stands to cause even more damage than its predecessor. The purpose of this botnet is still unknown, but what we do know is that more than twelve manufacturers’ devices are currently vulnerable, while over 60 per cent of companies have at least one device in their network that is at risk.

How it works

According to Check Point Research’s full investigation, the IoTroop botnet can be broken into several distinct parts, including:

  • Initialisation: During this part of the attack, IoTroop follows a pattern similar to that of Mirai, including initialising its obfuscated strings, preventing the system from rebooting the device, ensuring only one instance of IoTroop is running at a time, hiding the process name, etc.
  • Disabling competitor malware: After initialisation, IoTroop begins executing its own unique functionality, including killing any open telnet processes using port TCP/23 and scanning the device’s memory for strings used by other IoT malware, killing those processes as well.
  • Vulnerability scanning: During this step the IoTroop botnet generates random IP addresses using code identical to Mirai’s.
  • C&C communication: The reporting server collects a list of all vulnerable devices after they have been scanned for weaknesses.
  • Controller servers: The infected devices then constantly poll the controlling C&C server for available commands. Once a command is received, the device parses it looking for the “code” that specifies the action to take, resulting in either a plain download or a download followed by execution.
  • Downloading
  • Execution

Defending yourself

So what can you do to protect your assets from this or a related attack? All companies should be preparing for an attack like this on their devices through the following critical steps:

  • Know who you’re working with: Gone are the days of connected enterprise devices created in-house by IT departments – with every emerging device becoming smarter and smarter, companies are outsourcing the development and maintenance of these increasingly complex devices to third parties. Because of this, it is imperative that these companies thoroughly vet the vendors that would be installing hardware or software onto their system. Leaving these functions up to the vendor inherently opens a company up to vulnerabilities, so it must ensure that these third-party vendors are reputable, compliant and, above all, careful.
  • Keep systems up-to-date: Companies should audit all existing devices on their network to create a clear, comprehensive picture of their entire defense system. This may seem basic, but it’s often the most rudimentary steps that people overlook, leaving their companies susceptible to a host of threats. Every device should be individually updated and checked that it’s running the most up-to-date defense systems. This is especially important for IoT-connected devices, as the manufacturers of these products are not always clear in communicating updates or threats. Until the producers of these devices develop a more consistent way of communicating with users, the onus is on the IT department to keep these systems up-to-date.
  • Don’t forget the basics: Mirai was able to use relatively simple tactics to attack millions of devices because so many of their default credentials were never changed after deployment. Again, this is a basic step, but one that can easily be missed. Regardless of whether a device is connected to a network, it is necessary to regularly change and update its passwords and logins. Not doing this consistently leaves the devices susceptible both to large bots and to other malicious actors looking to target a company and its intellectual property.

Final thoughts

IoT security is constantly developing, but not quickly enough to keep up with the tech. Botnets like Mirai and IoTroop will only become stronger and more effective, so companies must do everything in their power to preemptively build up their defenses. Regardless of the device vendor’s effectiveness at communicating updates and threats, it is always, first and foremost, the company’s responsibility to protect itself and its assets. This means vigilantly scouring for threats, vetting its vendors, keeping systems up-to-date and being sure to cover security basics. At this point, it’s not a question if your company will be threatened in the future, it’s when – and you want to be sure that you are as prepared as possible.

Matthew Mead, chief technology officer, SPR

Matthew is the chief technology officer at SPR. He has more than 20 years of experience designing and delivering complex, mission-critical technology solutions using a broad spectrum of technologies. By leveraging industry best practices, mobility, open source initiatives and an agile approach, Matthew works to reduce the cost and risk for large software development initiatives.