Could this be the world's most harmless IoT botnet?

When researchers investigate suspected malware on an IoT device they normally expect to find a cryptominer to earn a hacker digital cash or perhaps botnet code to launch DDoS attacks against websites.

What they probably never expect is to stumble across an entire botnet secretly operating under the radar of security firms for years, with the sole purpose of downloading Japanese anime videos.

The so-called Cereals botnet, created eight years ago, exploits a security vulnerability in D-Link NAS (Network Attached Storage) and NVR (Network Video Recorder) devices to hijack them for its anime-collecting purposes.

As researchers at Forcepoint describe, at its peak in 2015 the Cereals botnet had 10,000 vulnerable devices under its control.

But unlike other botnets it does not appear that its creator was motivated by money, and no attempts were apparently made over the eight years to infect other types of device or exploit other vulnerabilities.

And despite its use of just one vulnerability to hijack D-Link NAS and NVR devices, Cereals was not unsophisticated – it patched systems in an attempt to prevent other attacks from hijacking devices it had infected, and maintained four backdoor mechanisms for accessing and controlling the botnet’s nodes: SSH, RSS, a custom CGI backdoor, and the exploited vulnerability.

All this work, just for an unknown hacker – believed to be based in Germany and using the name “Stefan” – to order his botnet to log into websites, and download Japanese anime videos.

However much you’re into anime, that’s taking your obsession quite seriously.

But Cereals’ activities were not to continue indefinitely.

It suffered a blow in late 2018 when some D-Link NAS devices were hit by the Cr1ptT0r ransomware, which didn’t just encrypt users’ data but also disrupted Cereals use of the same hijacked devices. The threat posed by the Cr1ptT0r ransomware was such that D-Link released firmware updates for some affected devices.

So, might this be the world’s most harmless IoT botnet?

Perhaps. It is, at the very least, refreshing to hear about a botnet that is not written with apparent malice in mind and appears to be more of a ‘hobby’ project for its creator.

But “most harmless” is not the same as completely harmless. Cereals didn’t ask for permission before installing itself onto those D-Link NAS and NVR devices, and even if used sparingly it will have gobbled up some resources both from the infected user’s IoT device and their bandwidth. And what of the websites and copyright holders who had their videos downloaded by the technologically-savvy anime fan?

Just because something can be done doesn’t mean that it should be done. The Cereals botnet may not have been created with the intention of extorting money or defrauding users, but it still isn’t something you want to have running on your devices without your knowledge and permission.