This blogpost was authored by Veronica Valeros (@verovaleros) on April 26th, 2020.
The number of Internet of Thing devices connected to the Internet keeps growing and attackers are not slowing down. Since IoT devices flooded the market, it didn’t take long to realize that they came poorly configured and could be exploited. Attackers quickly adapted and leveraged this new opportunity where they could easily create very large botnets very fast. Which are those botnets? What does the IoT threat landscape looks like? How does this malware behave? How are they different from traditional botnets?
IoT Malware Timeline
In this blog post we would like to share our first version of a Timeline of IoT Malware. We searched information for all mainstream IoT malware families using OSINT techniques, we correlated the information obtained, and attempted to provide a general high level picture of how the landscape looks like right now and how it evolved in the last years. The timeline is show below.
Limitations
This first iteration of the IoT Malware Timeline suffers from several limitations:
Whenever possible, we tried to represent through colored bars the period of activity of each malware. This, however, was very hard to do as there are plenty of reports when a new botnet or malware is found but very few resources available to track their activity. Is for this reason that while many activity bars extend up to today, it may not be accurate and the botnet may no longer be active. We plan to correct this with further research.
Among the almost 50 IoT malware found, there are some that are more relevant. The source code of Bashlite and Mirai was eventually openly available, generating an overwhelming number of variants that different in various degrees with the original. Taking this into consideration, at the moment we
Decided to track only variants that different significantly from the original, or that for some specific reason, were focus of global attention to deserve a mention.
Attempted to illustrate dependencies and family variations using colors, however, this requires further research to ensure is accurate.
It is possible to see that in some cases we were able to add additional information such as targeted systems (Linux), source code language (C, C++, Go), and so on. Unfortunately, the majority of the information available (news articles, blogs, reports), are rarely consistent and do not mention such details. For this reason, enriching the timeline with such details will require further research.
There are some IoT malware families that did not have the media attention as others, and therefore there is a lack for technical details. We currently have 10-12 more IoT families to add that fall into this category.
Conclusion
IoT malware is here to stay, and it’s safe to say that new malware families will be created even faster than before. Our Aposemat project is focusing on the study of IoT malware and how to develop better techniques to protect them and keep them safe. Check our projects, and stay tuned for our upcoming IoT malware deep dives.
Appendix
The table below has the year and Name (and aliases) of the IoT malware included in the timeline.
|Year|Name / Alias | |----|-------------------------------------------------------------| |2008|Hydra | |2009|Psyb0t / NetworkBluePill | |2010|Chuck Norris | |2011|Umbreon / Umreon / Rebonum / Neobrum | |2012|Carna Botnet | |2012|LightAidra / Linux Aidra | |2013|Tsunami / Kaiten | |2013|Linux Darlloz / Zollard | |2014|Gafgyt / BASHLITE / Lizkebab / Torlus / Qbot / LizardStresser| |2014|Spike / Dafloo / MrBlack / Wrkatk / Sotdas / AES.DDoS | |2014|TheMoon | |2014|Zendran | |2014|Linux.Wifatch / Ifwatch / REINCARNA | |2015|Linux Moose / Elan | |2016|VPNfilter | |2016|Mirai | |2016|KTN-RM / Remaiten | |2016|Hajime | |2016|LUABot | |2016|IRCTelnet / LinuxIRCTelnet / NewAidra | |2016|NyaDrop | |2017|Amnesia | |2017|Linux.MulDrop.14 | |2017|BrickerBot | |2017|Persirai | |2017|Satori | |2017|LinuxProxyM | |2017|IoTroop / Reaper / IoTrooper | |2017|Masuta | |2017|GoScanSSH | |2017|Okiru | |2018|UPnProxy / ETERNALSILENCE | |2018|DoubleDoor | |2018|Hide ‘N Seek | |2018|JenX / Jennifer / Jen-X | |2018|Muhstik | |2018|PureMasuta | |2018|Torii | |2019|Ares | |2019|Mozi | |2019|Silex | |2019|Echobot | |2019|Moobot | |2019|Dark Nexus | |2019|Handymanny | |2020|Mukashi | |2020|Rhombus |