Juniper Research predicts that the total number of IoT connections will reach 83 billion by 2024, representing a growth of 130% over the next four years. The industrial sector is expected to account for more than 70% of the connections in that period. Mirroring this growth in devices, new and modified IoT botnet threats are one of the fastest growing categories of threats in the we’ve seen this year.
While the technical root causes are the same, the impact of an IoT botnet attack on consumer versus enterprise and industrial devices is vastly different. An attack on a consumer gadget could be limited to a privacy issue, whereas the effect of a successful breach on a commercial device can have a significant production or safety cost. That’s why it’s more critical than ever for IT and OT security professionals to understand and be prepared to defend against this growing threat.
Botnets are Evolving
A botnet is a collection of internet-connected machines, typically thousands of individual computers or devices, that malicious operators infect with malware to damage or control computers, systems and networks. The threat actors who deploy them use peer-to-peer (P2P) botnets to build a platform that later can be used to carry out malicious operations, such as large scale Distributed Denial of Service (DDoS) or mining for crypto currencies.
Early generation botnets followed a client-server model for command and control (C&C), making use of popular protocols like IRC and HTTP, or implementing custom ones. However, the simplicity of this architecture offered little resilience.
One of the first countermeasures taken by botnet operators to address this weakness involved relying on so-called bulletproof hosting. In laymen’s terms, it meant finding a hosting provider willing to turn a blind eye to client activity.
A second, often complementary solution involved using Domain Generating Algorithms (DGAs) as failsafe for situations where the C&C became unreachable. This technique consists of embedding an algorithm within the bot to generate a series of domains that the malware attempts to contact. The botnet operator needed to register only one of these domains to make it reachable to the bots.
This new situation where the C&C could change over time also meant that each and every bot required a strategy to verify the identity of the controller. To avoid hostile takeovers, botnets started relying on digital signatures to validate each command received from the network or configuration update.
The need for increased takedown resistance eventually drove botnet operators to adapt and explore peer-to-peer approaches. A further evolution consisted in using a hybrid model, rather than opting for a pure peer-to-peer model. In a p2p hybrid network topology some nodes have special roles but at the same time the botnet can survive a takedown of such nodes and reorganize itself accordingly.
Peer-to-peer botnets are difficult to disrupt
In general, it can be quite challenging to disrupt the malicious activities of peer-to-peer (P2P) botnets. Take for example the effort coordinated by Microsoft in March. The company called on its technical and legal partners in 35 countries to disrupt Necurs, a popular hybrid peer-to-peer botnet.
By analyzing the algorithm Necurs used to systematically generate new domains, Microsoft was able to accurately predict the 6+ million unique domains that would be created within the next 25 months. Microsoft reported these domains to their respective registries worldwide, allowing the websites to be blocked and preventing them from becoming part of the Necurs infrastructure. By proactively getting in front of Necurs, Microsoft was able to significantly disrupted the botnet.
While this type of dismantling of a peer-to-peer botnet might not be feasible for the average organization, there is still a lot that the security team defending your network can do.
Start by considering the three main phases where botnet typically leave behind a lot of network artifacts:
- Bot deployment: this is where the bot is deployed into a target system member of the network, for instance through an exploit or by brute-forcing the credentials
- Communication with the peer-to-peer botnet: this occurs during peer discovery, configuration updates and commands reception
- Malicious activity: the actual malicious activity the botnet was created for, such as sending spam, distributing ransomware or bot propagation towards other systems
Then, use the right tools to detect and disrupt botnet activity. Here are some practical examples to better understand these concepts.
DDG botnet
DDG is a mining botnet that has been extensively documented by the researchers at 360 Netlab. While DDG originally used DNS for command and control, it now uses a hybrid peer-to-peer model to control the nodes in its network. Its method of infection involves brute-forcing the root user’s password against SSH servers using a significantly large wordlist, or using exploits against Redis, Nexus Repository Manager and Supervisord.
One of the first noticeable anomalies occurs when DDG receives its configuration from a super node — as you can see in the screen shot below, it leverages HTTP on non-standard ports. Another interesting characteristic that can be useful in tracking down DDG is the use of a domain that was never resolved through the DNS, in the HTTP host header. Understanding this, operators can use snort rules too search for and detect DGG\ activity.
DDG leverages HTTP on non-standard ports.
FritzFrog botnet
FritzFrog is another example of a recently discovered peer-to-peer botnet. It is written in the Go programming language and relies on SSH credential brute-forcing as its propagation mechanism. The rate at which it is targeting SSH on standard and non-standard (2222) TCP ports makes FritzFrog a pretty noisy bot.
You can detect FritzFrog before it finds an open SSH server where it will try several credentials. The raw number of connection attempts alone are enough to detect it, as you can see in the screenshots below.
The raw number of FritzFrog botnet connection attempts are sufficient to detect its anomalous OT network behavior.
Mozi botnet
The Mozi malware family makes use of a custom P2P protocol built on top of Distributed Hash Tables (DHT) in order to build a network of infected nodes. DHT is typically used by BitTorrent clients to identify peers using a key (infohash), so at first glance, Mozi’s communication can hide among what looks like normal DHT traffic. Additionally, to bootstrap the overlay network Mozi relies on well-known BitTorrent nodes, such as router.bittorrent.com as showed in the screenshot below.
Mozi botnet attempts to guess credentials initiate a number of connections to hosts not previously seen in the network, leaving a noticeable trail.
There are ARM and MIPS variants of the Mozi malware and like most botnets targeting IoT devices, it uses weak Telnet credential brute-forcing as a way to propagate. Additionally, a number of exploits affecting IoT devices such as CCTV, DVR, NVR and routers are included as a supplemental infection method.
These HTTP requests format strings are a subset of the exploits that Mozi samples include and use. Specifically, these malicious requests target CCTV/DVR RCE, MVPower DVR Shell Unauthenticated Command Execution and Vacron NVR RCE.
It’s not trivial too investigate the communication with the peer-to-peer botnet through DHT in a network where DHT is allowed. However if you do, you will find it leaves a noticeable trail as it attempts to guess credentials and initiate a number of connections to hosts not previously seen in the network.
Make botnet defenses a part of your cybersecurity practice
As businesses become more reliant upon IoT, we can expect that botnet activity will also evolve and growth. And while they can be tricky to defend against, by their very nature, botnets leave behind a lot of information that security defenders can use to track them and prevent future attacks. What’s important is ensuring your security practice incorporates a plan to address botnets. Understand their implications so you can identify which security measures to take. Then chose the right tools – and community resources to detect and disrupt future botnet activity.