Code driving Internet Of Things botnets: What You Need To Know Right Now

Internet of Things devices are at great risk.

If there is one thing we are certain of then it is that Internet of Things devices are increasing in number.

Rather rapidly.

They are growing and hence that means more and more hackers will come after their users.

Of course, the more the number of devices, of any type, the more hackers it will attract.

This is the case with Internet of Things as well.

Just recently, hackers did the impossible.

Or so they thought impossible.

Hackers launched a record-breaking and a massive Distributed Denial of Service cyber attack.

On who?

On a France-based web hosting provider by the name of OVH.

This Distributed Denial of Service attack reached well over the one Terabits per second mark.

And guess what?

Hackers used a huge botnet which consisted of infected Internet of Things devices.

This is how they carried out their DDoS attack.

But if you really think about it, this DDoS attack shouldn’t come as a surprise to anyone.


Because the number of DDoS attacks has increased rather rapidly in the past couple of years.

Moreover, some hackers have also released the relevant source code for some really nasty Internet of Things botnet.

Researchers believe that hackers used this botnet to carry out the largest Distributed Denial of Service attack the world had ever experienced.

With this, now anyone with a little bit of computing skills can build his/her own Internet of Things mega-botnet.

The hacker we want to talk about in this post has the pseudonym Anna-senpai.

This is the hacker that released the Internet of Things botnet source code.

Additionally, we also know that this massive botnet controlled millions of infected Internet of Things devices.

Some call these infected Internet of Things devices as zombie devices.

This botnet brought massive devastation to KrebsOnSecurity.

KrebsOnSecurity is a well-known security website.

Brian Krebs is the man that operates that site.

And he is an independent security researcher.

He is also a blogger.

Media reports have revealed that a hacker used an Internet of Things Botnet source code to execute a large Distributed Denial of Service attack against KrebsOnSecurity’s computer servers.

The Internet of Things botnet reached a phenomenal request rate of 620 gigabits per second.

What this basically means is that hackers threw a large number of bogus Internet traffic on KrebsOnSecurity servers.

And in the process, pummeled the website.

Fortunately, Krebs spotted the massive leak on HackForums, a forum specially made for Hackers.

It took him a day though.

Anna-senpai had already posted the source code on a website on Friday.

Perhaps, the only thing Krebs did successfully was to confirm the new that it was indeed a malicious piece of software that brought so much havoc.

The hacker called the malware Mirai.

Krebs confirmed to the media that Mirai caused the massive damage to his website.

He communicated his thoughts and opinions via an official blog post.

You can read that here.

Krebs did not provide further details about the cyber attack.

Regardless, many agencies have tried to contact Krebs in order to have more information on the matter.

We’ll keep you updated as soon as we hear more of this news.

Let’s Talk About The Dynamics Of The Attack.

The Internet of Things devices have spread like wildfire to all corners of the globe.

In other words, let’s talk about how Mirai works and how it infects devices.

Basically, in this case, Mirai brought all that corruption by scouring the online world for unsecured Internet of Things devices.

These are devices such as,

  • Webcams
  • routers

These devices are particularly vulnerable because their protection is weak.

In fact, all that stands in the way of Mirai and these device’s infection is a default password.

Hackers can hack this default password rather easily.

When Mirai infected these devices, it then moved ahead and corralled these Internet of Things devices into a big sprawling network.

Hackers, disguised as administrators, usually control this network.

Then they use this network to blast important websites.

Most of the time though, they destroy whoever they feel like destroying.

The hackers behind this massive Distributed Denial of Service attack also claimed that they dumped the code because it had become a liability.

In other words, the source code now attracted a lot of attention from unwanted players in the industry.

What Is The Deal Behind The Source Code Release Story?

Hackers are not exactly saints.

Far from it.

So, it doesn’t make sense that they would release the source code for their malware into the wild like that.

What we think is that such an action would help them spread the Mirai malware.

Out in the open, there is a greater chance that some new hacker would pick up the source code.

And launch his/her new DDoS attack.

Moreover, this helps the original hackers to mask their identity.

Investigators can’t catch the originators of the malware because so many other hackers are using it.

Hence, if hackers release a source code for their malware, which they did in this case, then investigators have very little to pick and chew on.

Anna senpai, the original hacker who dumped the source code, wrote in a report that when he entered the DDoS industry, he didn’t plan on staying in this industry for long.

He said that he had made his money a while back.

But now, security agencies and companies had their eyes on Internet of Things a lot more than before.

So, according to Anna senpai, his time to GTFO of this business had come.

He used a lot of slangs in his original post, we’re just translating what he actually said.

Plixer director of IT and services, Thomas Pore, said that how network monitoring firm had a slightly different opinion on the DDoS attack and its source code distribution act.

He said that the DDoS had these folks called botmasters.

These botmasters have a real entrepreneurial spirit in them.

In other words, they are not afraid to rent out their botnet networks for other hackers.

And senpai’s action of distributing the botnet source code must come as a gift for all new hackers.

Why Will Senpai’s Release Help Hackers?

Because hackers can now enter the highly lucrative industry of DDoS attacks.

And then can offer DDoS attacks as a service.

The chief security officer at Level 3 Communications LVLT (which is a telecom provider that is based in Broomfield Colo), Dale Drew told the Fortune magazine something thought provoking.

He said that the released source code should come as bad news for everyone.

Because it will enable a huge surge in botnet operators.

These bot operators will then use this code to launch a new big surge in small business and consumer Internet of Things compromise attacks.

The Hacker Has A Message For Everyone

Hackers are using new malware to attack reputed websites.

The hacker who released the source code also said that internet service providers had started to clean up their act and had shut down some infected devices and websites.

But they started to do that only after the Krebs DDoS attack.

He also told the media that botnet network had decreased in size.

Now it only had 300,000 infected Internet of Things devices.

At its peak, the network had over 380,000 Internet of Things devices.

Who Saved Krebs?


More like, Google cleverly swooped in just in time and saved Krebs devastated website.

Since last week, Akamai, the cloud service provider, had protected Krebs from the huge Distributed Denial of Service cyber attack.

Moreover, it did that without charging any extra money.

But after a week, Akamai dropped Krebs.

The global product manager at HPE, Reiner Kappenberger, said that the current lack of proper guidance was a problem.

He also said that lack of regulation was also a problem.

Specifically when it came to Internet of Things device security.

And it is one of the biggest if not the biggest problems in the industry.

He said the reason why we saw so many breaches in the Internet of Things space is that of lack of security features.

Furthermore, he added, that new companies that entered this space needed to think long and hard about the long-term impact of their Internet of Things devices.


More Details On Command And Control Center

hackers know that the Internet of Things world is here. And they are preparing for it with more nasty malware.

If you have followed this news over any considerable period then you must have thought to yourself:

How did Level 3 Threat Research Labs manage to identify several command and control servers?

Well, each botnet has a number of associated command and control servers.

Level 3 Threat Research Labs obviously knew this as well.

And it used several machine learning techniques to analyze the latest and the biggest Distributed Denial of Service attack.

It then used susceptible Internet of Things devices to trace the command and control servers.

Additionally, the research lab identified, some IP addresses pointed to some interesting domain names.

These domain names contained the text

As some of our readers know, the .cs prefix is a top level domain of a place called Christmas Island.

Moreover, some domains had a prefix by the name of “report” and “network”.

This denoted these domain names’ roles in the overall scheme of the IoT botnet.

Hackers Sometimes Play With Security Firms

One time, as a potential challenge to security firms, hackers had an interesting name for one of their domains.

Security firms resolved an IP from one of the related network’s command and control center.

But instead of having the usual, it had the domain

Security firms queried DNS record and easily enumerated the relevant command and control center Ip addresses.

You can search the internet for a full table which discusses the domains that hackers used.

Structure Of This Mean Botnet

Level 3 Research firm identified and enumerated Mirai’s infrastructure by doing the following:

They analyzed Mirai’s communication patterns.

More specifically, they did so for Mirai’s command and control center IP addresses.

With the help of this earlier analysis, Level 3 later confirmed that hackers had released Mirai’s source code.

One other interesting thing to note here:

Mirai’s initial infrastructure did not seem this simple.

Back then security experts considered Mirai’s infrastructure as complex.

At least more than the various other variants that Layer3 had analyzed earlier.

You can search Google for the diagrams that outline the basic functionality of Mirai.

These diagrams also show you how its individual components function.

More On IoT Bots

You must have heard about the gadget malware family?

Just like that one, Mirai also has an affinity for Internet of Things devices.

Most, in fact, the vast majority, of such Internet of Things bots are DVR devices.

We think, more than 80 percent of Botnet devices are DVRs.

The rest are other IoT devices such as routers and some other miscellaneous devices.

These include,

  • IP cameras
  • Linux servers

Most of the time, these Internet of Things devices operate with default passwords.

And that’s a problem.


Because Bot herders can guess these passwords rather easily.

Security experts have also found, from the source code, that Mirai does another very interesting thing:

It has these scanning protocols.

These protocols utilize a big list of device-specific and generic login credentials.

Then, Mirai can use these credentials to gain unrestricted access to susceptible Internet of Things Devices.

What is The Next Step for Malware Codes?

By now, we all should know that Malware builds botnets out of Internet of Things devices.

Moreover, Mirai has infected twice as many Internet of Things devices after the hacker released its source code.

As you know, the hacker released it on a public forum.

So a lot of hackers and wannabe hackers would have access to it by now.

Latest reports suggest that Mirai malware has infected 493,000 Internet of Things devices.

Before hackers had released the source code, Mirai had infected 213,000 bots.

Hackers released the source code on October 1.

That is according to Level 3 Communications which is an internet backbone provider.

Level 3 representatives also said that the actual number of bots is likely higher.

Hackers Aren’t Just Sitting Idle

In other words, after releasing the Mirai source code hackers have developed new variants of Mirai malware.

Level 3 Communications revealed that the security firm had identified four supplementary command and control servers.

All four of these Command and Control server had an association with Mirai malware.

Moreover, all four came online just this past month.

Level 3 Communication also observed that half of the infected Internet of Things devices resided either in Brazil or in the US.

As mentioned before, DVR machines made up 80 percent of the total infected IoT devices.

Hackers like to launch Mirai botnet DDoS attacks against residential IP addresses and game servers.

Moreover, according to Level 3, Artificial Intelligence is no longer considered a buzzword.

Neither is it considered a future attraction.

Artificial Intelligence is here and is poised to change the world.

Most think that it will do so for the better.


Because it has a tremendous potential to augment human capabilities.

Vendor Have Their Role As Well

Some vendors have come up and have said that users should take measures to mitigate Mirai risk.

These vendors produce a massive number of IoT devices, so it makes sense that they should advise people.

Encouraging customers to adopt clean online habits is the first line of defense against malware.

One vendor, Sierra Wireless, has come out and issued an official bulletin.

The company has advised users that they should go ahead and reboot their devices.

Then, they should change their IoT device’s default password.

All of that is great.

But other vendors have to join the effort too.

Right now, we don’t know of too many vendors that are doing the same.

If vendors don’t want their customers to go to their competitor, then they have to guide them against Mirai.

Flashpoint, which is a security firm, recently identified another company by the name of Hangzhou Xiongmai Technology that did not have sufficient protection against Mirai.

And hence Mirai could infect the company’s DVR devices, experts have warned.

Right now, experts say that about half a million devices are currently at risk.

They are vulnerable because users can’t change their default passwords, says Flashpoint.

What Are Other Security Challenges And The Recommendations Regarding Internet Of Things Devices?

Smart devices are finally at a point where the mass market is adopting them.

The industrial and home usage of smart devices has increased exponentially.

This has lead to a huge ecosystem built with Internet of Things devices.

Along with the ecosystem, comes all its data.

This data has to embed itself into these devices and then allow these devices to synchronize with each other.

All of this also means that smart devices are vulnerable.

They are vulnerable to exposed APIs.

Third-party platforms that roll out these APIs can certainly control these IoT devices.

The fact that most of the Internet of Things projects are independent doesn’t help matters.


Because independent projets mean beginner developers.

It also means less experienced personnel working on these IoT devices.

Hence, we have a large number of IoT devices which are poorly designed.

These less experienced developers can’t implement multiple technologies well.

Hence their products have a complex configuration system.

This is exactly what leads to new challenges as far as security issues are concerned.

Some of these challenges are:

  • Customized interfaces and applications that are prone to unauthorized access
  • Issues such as spoofing, Man in the Middle attacks. Other such network attacks.
  • Malicious internet traffic that compromises the security and privacy of communications over the internet.
    These communications always originate from the user’s device and hence are susceptible to an attack.



Now we will discuss the recommendations that devices such as Raspberry Pi must implement.

These recommendations come in the form of security controls.

Users should implement these on all their home smart devices.

  1. It is necessary that vendors implement, what experts call, layered security protections.
    Along with these, vendors should also use security gateways.
    This is one of the best ways to defend Internet of Things devices.
    Vendors should also provide abilities such as control, audit and inspect as far as communications that go into and out of the network are concerned.
    This is essential as the complexity, variety, and the number of connected IoT devices increases.
  2. Firewall
    Firewalls are important if one wants to restrict services and ports
  3. Intrusion Detection Systems which block most, if not all, of the malicious traffic that is coming in from the internet.
  4. File Integrity Monitoring system which identifies unauthorized modifications in the file system.
    Such as system must also be provided for IoT devices.
  5. IoT devices should implement a strong authorization and authentication mechanisms.
  6. IoT devices must log all key events.
    This helps to identify unknown and sometimes unwanted modifications and access to these devices.
  7. Users and vendors alike, must not log sensitive information on the device.
  8. Disable any and all non-essential IoT devices’ services.
  9. Only make use of secure protocols.
    Right now, these come in the form of SSH and HTTPS.
    These protocols are special in the sense that they are designed to support strong authentication and encryption.
  10. Facilities such as IoT management hubs and Internet managed services should be made secure.
    Choosing a service or hub that enables multiple IoT device management is a tricky business.


Users should know that these services form the central access point through which hackers compromise IoT devices.
Users should look for a built-in but robust security capable IoT device.
Such a device will have minimal problems in integrating itself right into the existing system.





Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.