Researchers warn of ‘vast’ new IoT botnet

Check Point Technologies and Qihoo 360 see a botnet coming that could cause more damage than Mirai.
(Getty Images)

Hackers have been assembling a very large botnet consisting of internet-connected devices, mainly webcams and home routers, which they’ll soon be able to use in massive denial-of-service attacks, according to new research.

Researchers from Israeli firm Check Point Technologies say they are seeing activity from infected devices in 60 percent of the networks that use their ThreatCloud product.

“In just the last two days, we have seen more than 20,000 IP addresses scanning,” meaning the device at the address is infected, Group Manager for Threat Intelligence Maya Horowitz told CyberScoop Friday.

Researchers from NetLab, the security research arm of Qihoo 360, said in a blog posting later that day that just one of the multiple command and control, or C2, servers they were monitoring was controlling 10,000 infected devices.


Given that only a few hundred networks use the ThreatCloud product, she said, “That’s a very small sample size for those numbers,” indicating that “many, many tens of thousands” more infected devices are likely out there.

By comparison, Mirai, which knocked Internet infrastructure provider Dyn offline Oct. 21 last year, was about 100,000-strong. Mirai used its infected IoT devices to launch distributed denial or service (DDoS) attacks — the largest ever seen at that point.

Horowitz said the new botnet, which Check Point researchers have christened IoTroop, is “the fastest growing I’ve seen” since Mirai.

Each infected device is given a list of IP addresses to scan for other vulnerable devices by its C2 server, said Horowitz. “When the scan is complete, the device sends the results back to the C2, telling it where there are more vulnerable devices,” she added.

The Netlab blog — which christens the malware IoT_reaper — says that the C2 servers carry a loader which injects the malicious code into vulnerable devices identified by those scans. They report that over two million IP addresses of potentially vulnerable devices were queued on one C2 server, waiting to be injected.


Researchers at Check Point also published a blog post analyzing some IoTroop code Thursday. “Our research is still ongoing,” said Horowitz, adding that the company wanted to get the news out as quickly as they could. “Fortunately this time we are lucky enough to spot this while they are still recruiting their army,” Horowitz said, not after they launch their attacks.

Although the IoTroop malware uses some Mirai source code, she said, “It is much more complex and more effective” than Mirai. “There are over 100 functions in the malware,” she said, “We are still trying to analyze it all.”

Unlike Mirai which relied on a single attack vector — default passwords — IoTroop uses more than a dozen vulnerabilities including CVE-2017-8225, which was used by the Perisai botnet earlier this year.

Netlab researchers note that four of those vulnerabilities were loaded into the botnet code in just the last few days, including one that was incorporated only 48 hours after first being made public. They say the code authors have also integrated the Lua programing language “so more complex attacks can be supported and carried out.”

They add that the Lua code contains embedded DNS data which is likely part of the preparation for a DNS reflection DDoS attack.


“For now, what we’re seeing is a few types of webcams and home routers [being targeted] … but this list is potentially only partial because …. we don’t have a full picture of the attack flow yet,” said Horowitz.

This story was updated Monday with new information from a blog posting by NetLab, the security research arm of Qihoo360.

Latest Podcasts