Evolving Threat from Botnets, IoT Zombies


Today, one of the fastest-growing and most nefarious classes of bot is the kind that exploits Internet of Things (IoT) devices as weapons of attack. These bots are rapidly changing the threat landscape. The Mirai attacks in 2016 demonstrated what can happen when hackers deploy a bot army to take control of insecure IoT devices. Yet those kinds of attacks may no longer be the worst-case scenario.

Recently a new type of bot, BrickerBot, has been discovered; it aims to “protect” already infected devices through Permanent Denial-of-Service (PDoS). That’s right: to ensure that infected IoT devices won’t be drafted into an IoT botnet, BrickerBot completely shuts them down. They become nothing more than “bricks”, devoid of both utility and value. Make no mistake: this will be an ongoing tale as threats and detection and mitigation solutions continuously change.

The year 2016 brought attacks on Krebs, OVH and Dyn by the IoT botnet known as Mirai. Mirai was neither the first nor the most sophisticated IoT botnet, but it was highly effective in taking down its targets. These attacks represented a milestone in IoT botnet and DDoS history and served as a wakeup call to anyone responsible for safeguarding networks, systems and data.

Mirai prompted an inflection point in the IoT and DDoS threat landscape. However, it was a number of other trends and forces that enabled Mirai’s “success”: large numbers of unsecure, connected devices, dependence on the cloud among businesses and individuals, and a thriving hacker economy that offers convenient access to a host of inexpensive tools for launching DDoS and other cyber-attacks.

Let’s take a closer look at this “perfect storm” of trends that have fueled risks and are poised to raise the stakes even higher:

IoT Devices: Rapid growth

The term “Internet of Things” was coined in 1999. It wasn’t until 2014-2015 that IoT reached its own inflection point, with component costs falling and business and consumer demand accelerating. From light bulbs and washing machines to medical devices, a growing array of “things” connected to the Internet. Meanwhile, machine-to-machine solutions started going mainstream.

By 2016, the number of connected things was nearly double the number of connected users, and the volume of connected devices grows much more quickly than the Internet population. Depending on which source is consulted, the number of IoT units installed could reach as many as 20 billion by 2020.

So, what makes IoT devices desirable targets for cyber-attacks? It comes down to four main factors:

- Stripped-down OS: These devices often run on the Linux operating system—but use an embedded or stripped-down version that is comparatively easy to compromise with malware.

- Unfettered access: When “things” are Internet accessible, their access is usually unfettered by filtering or limitations on bandwidth.

- Lack of basic security: With their barebones OS and processing power, these devices simply don’t have enough capacity for standard security capabilities like auditing. The result? Device owners won’t even notice most compromises.

- Reused components: Device manufacturers often reuse portions of hardware and software in various devices. Though intended to save engineering time, this practice also results in default passwords and vulnerabilities being shared across not just device classes, but also manufacturers.

Cloud Migration And Emerging Serverless Computing

As more businesses migrate to the cloud, more core applications are hosted in public clouds, continuously increasing the number of targets available for attackers. As the world moved from virtualized machines (Infrastructure-as-a-Service) to applications (Software-as-a-Service), the next big thing will be serverless computing (Function-as-a-Service).

Serverless computing/FaaS is really just the natural evolution of the API economy, which is already upon us. As hyper-scale cloud applications came to leverage micro-service architectures, the API economy is about externalizing these internal micro-services as publicly consumable APIs. As serverless computing sets in, more cloud applications will become inherently dependent on a multitude of APIs. That, in turn, will give rise to a complex, interconnected world of functions—a level of interdependency that exceeds even those that made it possible for the Dyn attack to inflict collateral damage.

In short, turning a single point of public access to a cloud application into a modular set of functions will increase the number of targets. Further, it will increase the blast radius of a single compromised function or service from a few to many impacted services and businesses. It gives attackers more to shoot at—and bigger payoffs when they hit their targets. 

Maturing Of The Hacker Economy

Today there are vibrant online marketplaces where just about anyone—even those with very limited technical knowhow—can buy tools to execute an attack. Cryptographic currencies enable untraceable digital payments, while old-fashioned economics is driving the growth of these marketplaces. Demand for services now outpaces supply, and DDoS-as-a-Service providers can bring in more than $100,000 annually.

Purchasing an attack can be surprisingly inexpensive. On the Clearnet, for as little as $19.99 a month, an attacker can run 20-minute bursts for 30 days utilizing a number of attack vectors like DNS, SNMP, SYN and slow GET/POST application-layer DoS attacks. All an attacker has to do is create an account, select a plan, pay in Bitcoin and access the attack hub to target the victim by port, time and method. More advanced and larger botnets are also available for sale on the Darknet.

What motivates people to pay for attacks? There are three primary drivers:

- Profit: Launching ransom campaigns is a way to make quick money.

- Distraction: In a multi-vector attack, a DDoS attack provides a valuable smokescreen to hide more targeted attacks and/or data exfiltration.

- Disruption and defacements: Other attacks are launched by hacktivists that are seeking to apply heat to organizations with whom they disagree—or by organizations looking to take down their competitors.

Bot Basics: The Good, The Bad And The Botnets

What’s A “Bot”?

Generally speaking, “bot” is short for “robot”. In the context of the Internet, the full term is “Web robot” or “Internet robot”—a computer system programmed to perform a set of automated tasks. Bots may also be referred to as “zombies.” Some bots perform positive, helpful tasks, such as gathering intelligence on websites and services; others are created by threat actors who use them to take over or infect compute devices. Targets of bot attacks can range from personal computers, smartphones and tablets to servers and connected “things.”

What’s A Botnet?

A botnet is a group of bots that are overseen by a command and control server (we’ll shorten that to “CnC,” though it’s also referred to as “C&C” or “C2”). Each botnet has one CnC (or more for availability) that orchestrates and controls all of the bots within the same botnet. Each bot in the botnet is programmed to “call home” to the CnC, which then provides instructions, or commands, to them. Botnets are the ultimate attack tools. Here’s why:

·         Bots aren’t directly associated with the attackers

·         Bots can be automated via CnC servers

·         Bots are geographically distributed

·         Bots are disposable and easy to replace if needed

·         Bots are flexible and can be used in a wide range of nefarious activities

Web Scraping: Eating Away At Revenue, Profit And IP

Web scraping refers to a type of software tool that harvests data from websites and uses it for a variety of purposes. There are five main use cases for web scraping:

·         Content scraping: the practice of lifting original content from a legitimate website and posting it on another without the owner’s knowledge or permission

·         Research

·         Price comparison

·         Data monitoring (weather, stocks, etc.)

·         Website change detection

Content scraping poses tremendous risks to an organization, including theft of intellectual property and/or data. In addition, the bot performing the content scraping could perform so many continuous requests that it leads to a Denial-of-Service (DoS) situation. Also, a company could lose profit thanks to aggregators and price comparison websites, or due to information leakage.

The Rise Of IoT Botnets: Mirai, Hajime And BrickerBot

As described earlier, bots can be commandeered into armies known as botnets, and the Internet of Things is fraught with connected devices offering a staggeringly low level of security. It’s not hard to imagine what happens when the two are combined—infecting tens or hundreds of thousands of IoT devices with the same bot and then transforming those devices into a massive, distributed fleet of IoT zombies.

It’s a concept that Radware predicted for years and that was vividly brought to life by the Mirai botnet in October 2016. Ominously named after the Japanese phrase for “the future,” Mirai showed just how much damage even simple, unsophisticated bots could cause. Think of Mirai as the brute-force bot: big, dumb and dangerous.

Soon after, another IoT botnet emerged. Called Hajime, this botnet brings more sophistication to some of the techniques used by Mirai. Rather than corralling an army of bots to wage attacks, Hajime seems to be designed more for staking a claim to IoT devices. So far, Hajime has booted existing bots, closing ports and hunkering down in devices. Its ultimate goal is still unknown—but the potential for global damage looms.

Radware’s own Pascal Geenens discovered an entirely new breed of IoT botnet. Coined BrickerBot, this bot has another objective entirely. While Mirai quickly harnessed an army for attacks and Hajime seems intent on quietly building, but not taking action with, its own army, BrickerBot has a “nobler” purpose. Its author, known as the Janit0r, purports to be protecting insecure IoT devices through Permanent Denial-of-Service (PDoS). Rather than simply kicking out other bots and taking over devices, BrickerBot “bricks” them. It thereby eliminates the risk that they’ll be drafted as part of an IoT zombie army. Of course, it also means they can no longer function as anything other than paperweights. Think of BrickerBot as the vigilante bot. It bricks infected IoT devices—issuing a stark wakeup call about the need for IoT security.

Duking It Out For Control Of The Internet Of Things…


Be sure to:

·         Change every device’s factory default credentials.

·         Disable Telnet access to every device.

·         Check and upgrade firmware often.

·         Brace and prepare yourself for more and larger DoS attacks in the near future.

·         Have an adequate incident response plan in place and perform regular war games to train your people and test and assess your plan’s effectiveness.

·         Use Network Behavioral Analysis to detect anomalies in traffic and combine this with automatic signature generation for fast, effective mitigation.

·         Use user and entity behavior analytics to spot granular anomalies in traffic early.
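As an added illustration of the Network Behavioral Analysis and automatic-signature steps in the checklist above (example code written for this page, not Radware's product or anything from the original), the Python below flags a local device whose outbound Telnet fan-out looks like Mirai-style recruitment scanning and turns each hit into a block rule. The log format, addresses, ports and thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed firewall log, not captured traffic. Fields: time src dst dport proto.
# 192.168.1.20 plays an infected camera fanning out over Telnet; the other two
# sources are benign (an admin host logging into two devices, a NAS doing HTTPS).
SAMPLE_LOG = "\n".join(
    [f"2017-04-10T10:00:{i:02d} 192.168.1.20 203.0.113.{i} 23 tcp" for i in range(1, 13)]
    + [f"2017-04-10T10:00:{i:02d} 192.168.1.20 198.51.100.{i} 2323 tcp" for i in range(1, 4)]
    + ["2017-04-10T10:00:05 192.168.1.10 192.168.1.40 23 tcp",
       "2017-04-10T10:00:09 192.168.1.10 192.168.1.41 23 tcp",
       "2017-04-10T10:00:30 192.168.1.30 93.184.216.34 443 tcp"]
)

TELNET_PORTS = {23, 2323}  # assumed set of Telnet ports an IoT bot probes


def parse(log_text):
    """Yield (timestamp, src, dst, dport, proto) for each non-empty log line."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, dport, proto = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(dport), proto


def detect_telnet_scanners(log_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src: peak distinct-target count} for sources that contact at least
    min_targets distinct hosts on Telnet ports inside any window-sized interval.
    One device touching that many Telnet listeners is bot-style scanning, not
    administration; the threshold is an assumed tuning value."""
    hits = defaultdict(list)
    for ts, src, dst, dport, proto in parse(log_text):
        if proto == "tcp" and dport in TELNET_PORTS:
            hits[src].append((ts, dst))
    flagged = {}
    for src, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def mitigation_rules(flagged):
    """The 'automatic signature' step: one block rule per flagged source."""
    return [f"deny tcp from {src} to any port 23,2323" for src in sorted(flagged)]


if __name__ == "__main__":
    print("\n".join(mitigation_rules(detect_telnet_scanners(SAMPLE_LOG))))
```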

Mirai

·         Most powerful botnet seen to date

·         New level of DDoS attacks

·         Potential for multiple Tbps attacks

·         Unsophisticated, easy-to-herd new bots, impacting the DDoS-as-a-Service economy

Hajime

·         Takes insecure IoT devices hostage to keep them from taking part in DDoS botnets

·         Sophisticated—offering a glimpse into the future of IoT bots and botnets

·         Aggressively scans and infects

·         Keeps CnC channel open for updates and new extensions

·         True purpose remains a mystery

BrickerBot

·         Destroys insecure IoT devices to keep them from taking part in DDoS botnets

·         Only attacks devices already compromised by other bots