What is a botnet? When armies of infected IoT devices attack


A botnet is a set of internet-connected devices that an attacker has compromised. Botnets act as a force multiplier for individual attackers and cyber-criminal groups looking to disrupt or break into their targets’ systems. Commonly used in distributed denial of service (DDoS) attacks, botnets can also take advantage of their collective computing power to send large volumes of spam, steal credentials at scale, or spy on people and organizations.

Cyber-criminals build botnets by infecting connected devices with malware and then managing them using a command and control server. When an attacker has compromised a device on a specific network, all the vulnerable devices on that network are at risk of being infected.

A botnet attack can be devastating. In 2016, the Mirai botnet shut down a large portion of the internet, including Twitter, Netflix, CNN and other major sites, as well as major Russian banks and the entire country of Liberia. The botnet took advantage of unsecured internet of things (IoT) devices such as security cameras, installing malware that then attacked the Dyn servers that route internet traffic. The graphic below from Distil Networks’ 2019 Bad Bot Report provides an overview of what the different types of bots can do.

What should the industry do? Wake up: device manufacturers, regulators, telecom companies and internet infrastructure providers should work together to isolate compromised devices, take them down or patch them, and make sure that a botnet like Mirai could never be built again. But none of that happened. Instead, the botnets just keep coming.

Known Botnets


Even the Mirai botnet is still up and running today. According to a report released by Fortinet in August 2018, Mirai was one of the most active botnets of that year.

Botnets are being used to let attackers exploit victims’ computer hardware and electricity to earn Bitcoin, Monero and other cryptocurrencies. “That’s the biggest thing that we’ve been experiencing over the past few months. The bad guys are experimenting with how they can use IoT botnets to make money,” said Tony Giandomenico, Fortinet’s senior security strategist and researcher.

Reaper (a.k.a. IoTroop)

Mirai is just the start. In fall 2017, Check Point researchers discovered a new botnet, variously known as “IoTroop” and “Reaper,” that is compromising IoT devices at an even faster rate than Mirai. It has the potential to take down the entire internet once the owners put it to work.

Mirai infected vulnerable devices that used default user names and passwords. Reaper goes beyond that, targeting at least nine different vulnerabilities from nearly a dozen different device makers, including major players like D-Link, Netgear and Linksys. It’s also flexible, in that attackers can easily update the botnet code to make it more damaging.

According to research by Recorded Future, Reaper was used in attacks on European banks this year, including ABN Amro, Rabobank and ING.

Botnets can’t be stopped

When consumers go into a store to buy a security camera or other connected device, they look at features, they look for recognizable brands, and, most importantly, they look at the price.

Security isn’t a top consideration. “Because [IoT devices are] so cheap, the likelihood of there being a good maintenance plan and fast updates is low,” says Ryan Spanier, director of research at Kudelski Security.

Meanwhile, as people continue to buy low-cost, insecure devices, the number of vulnerable end points just keeps going up. Research firm IHS Markit estimates that the total number of connected devices will rise from nearly 27 billion in 2017 to 125 billion in 2030.

There’s no motivation for manufacturers to change, Spanier says. Most manufacturers face no consequences at all for selling insecure devices. “Though that started to change in the past year,” he says. “The US government has fined a couple of manufacturers.”

For example, the FTC sued D-Link in 2017 for selling routers and IP cameras full of well-known and preventable security flaws such as hard-coded login credentials. However, a federal judge dismissed half of the FTC’s complaints because the FTC couldn’t identify any specific instances where consumers were actually harmed.

How to detect botnets: Target traffic

Botnets are typically controlled by a central command server. In theory, taking down that server and then following the traffic back to the infected devices to clean them up and secure them should be a straightforward job, but it’s anything but easy.

Botnets are difficult to detect and stop. Imagine a company with thousands of IoT devices on its network: most of the time, fixing an issue or vulnerability means patching them one by one, and some of those devices sit in remote locations.

Often, there’s no remote upgrade option. Many security cameras and other connected sensors are in remote locations, and getting a fix onto them is a huge challenge.
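The section above says detection starts from the command server’s traffic and works back to the infected devices. The following script is an added example, not code from the original article: it scans constructed flow records (timestamp, source, destination, port) for an external endpoint that several internal hosts contact on a clockwork cadence, which is the beaconing pattern a central command server produces, and lists the hosts so they can be isolated and patched. The 10/8 range as “internal” and the sample addresses and ports are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records (not from the article): (epoch_seconds, src_ip, dst_ip, dst_port).
# Three camera-like hosts beacon to the same external endpoint every 60 s;
# a fourth host talks to an update server at irregular times.
SAMPLE_FLOWS = []
for host in ("10.0.5.11", "10.0.5.12", "10.0.5.13"):
    for n in range(6):
        SAMPLE_FLOWS.append((1_700_000_000 + 60 * n, host, "203.0.113.77", 6667))
for t in (1_700_000_005, 1_700_000_190, 1_700_000_203, 1_700_000_900):
    SAMPLE_FLOWS.append((t, "10.0.5.20", "198.51.100.9", 443))

def is_internal(ip):
    """Treat 10/8 as the local network (assumption for this example)."""
    return ip.startswith("10.")

def beacon_regularity(timestamps):
    """Coefficient of variation of the inter-arrival gaps; ~0 means clockwork beaconing.
    Returns None when there are too few flows to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 3:
        return None
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None

def find_c2_candidates(flows, min_clients=3, max_cv=0.2):
    """Group flows by (dst_ip, dst_port) and report endpoints that several internal
    hosts contact on a regular cadence. Returns {"dst:port": [internal hosts]}."""
    by_dst = defaultdict(lambda: defaultdict(list))
    for ts, src, dst, dport in flows:
        if is_internal(src) and not is_internal(dst):
            by_dst[(dst, dport)][src].append(ts)
    candidates = {}
    for (dst, dport), per_src in by_dst.items():
        regular = [src for src, ts in per_src.items()
                   if (cv := beacon_regularity(ts)) is not None and cv <= max_cv]
        if len(regular) >= min_clients:
            candidates[f"{dst}:{dport}"] = sorted(regular)
    return candidates

if __name__ == "__main__":
    for endpoint, hosts in find_c2_candidates(SAMPLE_FLOWS).items():
        print(f"possible C2 {endpoint}: {len(hosts)} beaconing hosts -> {hosts}")
```

On real NetFlow or firewall logs, tune `min_clients` and `max_cv` to the size of the network; the regular-cadence test is what separates the beaconing devices from the host that reaches the update server at irregular times.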

This story, “What is a botnet? When armies of infected IoT devices attack” was originally published by CSO