New tricks make botnets volatile in nature; keep safe

Although IoT botnets have gained infamy for launching denial-of-service (DoS) attacks, they can serve other purposes as well, or none at all. The number of individual devices in a botnet can swell to tens or hundreds of thousands, or dwindle to a quarter of the peak very quickly.

Botnets can targets more than one type of device, as long as the malicious code is compatible with the hardware components it attacks. Also, the operators can add multiple methods to compromise insecure systems across the world. The shifting nature of botnets makes it tough to predict their evolution, but you can be sure of nefarious motives behind their creation.

A botnet that has been around since at least 2014 and appeared to have concluded its business re-emerged on the radar last year with a bag of new tricks that expanded the business and made it more covert: instead of launching loud DoS attacks, the botnet used infected devices as intermediate nodes for malicious traffic.

The IoT botnet, dubbed TheMoon, developed and adapted by targeting broadband routers from vendors such as Linksys, Asus, MikroTik, D-Link. The compromise was possible via commonly published exploits, say the researchers at communications provider CenturyLink. The operator apparently aimed to hijack vulnerable devices and rent them and their power to bidders.

The researchers say clues point to the conclusion that the botnet operator sold to malicious actors who used it for “credential brute forcing, video advertisement fraud, general traffic obfuscation and more.” They added that TheMoon can “run any additional payload,” so it can advance its capabilities in time.

Efforts to minimize risk to users are often met by vigorous attempts to restore the botnet to its former glory. CenturyLink managed to block TheMoon infrastructure on their network, decreasing the threat. But the malicious actor is expected to regroup and resume business after adding new exploits for existing vulnerabilities.

One example of fighting non-existence is Hide and Seek, a botnet Bitdefender discovered on Jan. 10, 2018, and tracked ever since. Its purpose continues to puzzle the researchers, as they could not find a motive behind it despite having infected over 90,000 unique devices and receiving updates that allow it to maintain an army of thousands of devices.

Hide and Seek has no command and control center, and requests propagate from an infected device to another, making it more difficult to stop. Furthermore, it has persistence on the device, which means you cannot get rid of the infection by rebooting it, as is possible with most IoT botnets.

Despite these advanced features, Hide and Seek remains volatile in numbers: at one point, its strength dropped by about 80%, and a week later there were signs that its operators were trying to regain the lost infections.

There is no clue explaining the blow sustained by Hide and Seek, but to stay on the safe side, make sure your connected devices run the latest firmware version from the manufacturer. You can also turn to a professional security solution to inform you of the vulnerabilities that affect the IoT gadgets on your network and deliver protection against exploit attempts.

Image credit: qimono