Internet of Things (IoT) botnets have come a long way since Mirai showed its devastating potential in 2016 with distributed denial-of-server attacks that exceeded in strength anything seen before then.
Myriad malware programs now infect poorly secured or vulnerable routers, IP cameras, DVR recorders and pretty much any type of embedded device that runs some kind of Linux-based operating system.
The past two years, however, have seen the rise of hybrid botnets written in cross-platform programming languages and capable of targeting both embedded Linux devices as well as Android smartphones and traditional computers running Windows or macOS.
Such is the case of InterPlanetary Storm (IPStorm), a botnet that has been around since early 2019 and is currently made up of around 13,500 infected machines from 84 countries.
What makes InterPlanetary Storm special?
What sets this botnet apart from others is that it's built on top of the InterPlanetary File System (IPFS), a protocol for storing and sharing data in a distributed file system. This means the infected devices become part of a peer-to-peer network and talk directly to each other, giving the botnet more resilience against takedown attempts.
"Up until recently, P2P communication on a corporate network could be taken as suspicious activity," researchers from security firm Anomali said in June 2019 in an analysis of the botnet. "In the present day, more and more legitimate services are utilising P2P technology that is slowly creeping into the enterprise space.
"For example, Microsoft Windows 10 has a feature called 'Delivery Optimisation' that delivers updates to machines via a P2P network established by machines connected to the same Active Directory domain. Similar to misusing web services to hide malicious traffic, threat actors misuse legitimate P2P network to hide their traffic.
"In addition to blending with the normal traffic, the botnet is intertwined with the legitimate nodes in such a way making it impossible to take down the malicious botnet without taking down the legitimate P2P network."
IPFS is an open-source project that has seen adoption for a variety of purposes because it allows users to also host data including web pages that can be accessed through a browser. Opera for Android has native support for the ipfs:// protocol handler and Cloudflare runs an IPFS Web gateway for accessing resources hosted on the IPFS network.
Another interesting aspect of IPStorm is that it's written in Golang, a programming language that's cross-platform and can generate write-once code that can run on multiple operating systems and CPU architectures.
The first version of IPStorm detected in 2019 was targeting Windows systems exclusively and had the ability to execute commands and scripts written in PowerShell, a scripting language used for system administration that has become a favourite for malware writers as well.
Researchers warned at the time that the bot can be compiled for other operating systems with ease, and it didn't take long for attackers to do exactly that. In June this year, security firm Bitdefender reported new IPStorm versions compiled for Linux on embedded architectures like ARM or for Darwin, the foundation that underpins macOS. New variants of the bot also target Android devices.
How does IPStorm spread?
IPStorm infects devices by launching SSH brute-force attacks against them. This is a common technique for IoT botnets as many devices come with weak credentials that users never bother to change. Once infected, the systems are configured to act as socks5 proxies, which suggests the botnet creators might rent access to other cybercriminals to proxy traffic through them.
Android devices are also infected through unsecured Android Debug Bridge (ADB) connections. ADB is a command-line interface typically used locally by developers or management tools to perform operations on Android devices.
Android supports ADB over WiFi and while this feature is normally disabled by default, some devices ship with it turned on by default. IPStorm is not the first botnet to target exposed ADB interfaces.
According to a new report from Barracuda Networks, the malware also enables a reverse shell on infected Linux systems that can be used to run bash commands. According to the company, other features observed in the latest versions include honeypot detection, automatic updates, persistence through a service that uses a Go daemon package, and killing other processes such as debuggers and competing malware.
Barracuda researchers estimate that around 60 per cent of devices infected with IPStorm are located in Hong Kong, South Korea and Taiwan. Another eight per cent are in Russia and Ukraine, six per cent in Brazil, five per cent in the US and Canada, three per cent in China and three per cent in Sweden. However, the botnet totals around 13,500 infected machines that are spread across 84 different countries.
How to protect against IPStorm and other IoT botnets?
IPStorm is a clear example why securing internet-facing services like SSH, Telnet, ADB and others is important. Unfortunately, many IoT devices come with insecure configurations by default and it's up to users to lock them down.
Running a port scan on your network can help discover IoT devices with open interfaces. If those interfaces can't be locked down, those devices should not be exposed to the internet and should preferably be isolated into their own network segment.
Special attention needs to be given to routers, because they serve as gateways into networks. Users should change the default credentials, disable over-the-internet administration if not needed, and regularly check for firmware updates. Some botnets exploit known vulnerabilities in routers, not just misconfigurations and weak credentials.