Graeme Dawes - Fotolia
To counter the growing threat of IoT botnets, IT administrators must understand how hackers create a botnet and initiate a distributed denial-of-service attack.
The rapidly expanding number of IoT devices further presents bad actors with a vast collection of endpoints that they can co-opt into a huge bot army to do their bidding. Already, hackers have used IoT botnet to launch destructive DDoS attacks. For example, hackers used the Mirai virus to infect some 600,000 IoT devices and then launch a DDoS attack that took down the internet in much of the Eastern United States in 2016. At the time, there were billions fewer IoT devices. The number of connected devices has shot up from 17.68 billion in 2016 to an estimated 30.73 billion in 2020, according to Statista Research report titled "Internet of Things (IoT) active device connections installed base worldwide from 2015 to 2025." It's expected to reach more than 75 billion in 2025. The potential potency of attacks wielding IoT botnets appears to be increasing alongside the number of devices.
Researchers at Bitdefender announced in April 2020 that they identified a new IoT botnet, which they named dark_nexus and said had capabilities that go beyond other known botnets. Researchers also said the dark_nexus botnet appears to have been developed by a known botnet author suspected of selling DDoS services in the past.
How hackers infect IoT devices to create botnets
The development of a botnet generally follows a prescribed strategy. It starts with a bad actor, a single individual or a collective of hackers working together for a criminal syndicate or a nation-state, who creates code that's programmed to infect devices. This malware can sit on any type of device that can execute code, but hackers can also create it to specifically target IoT devices.
The bad actor can use different tactics to get the malware onto devices. Phishing scams are common strategies, but the malware can also be designed to look for unprotected network ports on IoT devices or other similar specific vulnerabilities. Once designed, the hacker uses the code to infect as many devices as possible, making this collection of hijacked devices into a botnet.
"The machines aren't bad, it's just the code running on them," said Christopher McElroy, a senior consultant at management consulting firm Swingtide.
Despite the headline-making reports of malicious IoT botnet attacks, many organizations use similar technology -- such as distributed computing systems -- to handle certain business functions, he said. A retailer, for example, may use the technology to monitor for the lowest offered price on a given item, or an IT department might deploy the technology to monitor equipment performance. However, problematic botnets have been infected with malicious code running on the device so that the hacker can take control of the devices to launch criminal activities, such as a DDoS attack.
Orchestrators use malware code for IoT botnet DDoS attacks
Bad actors can find modularized malicious code on the internet, much of it freely available. The modules are designed for certain task, said Gregory Touhill, an adjunct faculty member at Carnegie Mellon University's Heinz College of Information Systems and Public Policy and a retired U.S. Air Force brigadier general formerly the first federal CISO in the U.S. For example, there's modularized code designed to detect susceptible machines, including IoT devices and industrial controls. There is also a module to camouflage the code so that it can infect its targets without being detected and one that allows communication back to home base.
"When [the malware] gets onto the device, depending on how the code is written, at some point it will phone home like E.T. It calls command and control and tells command where it is. The message goes to command-and-control servers -- most botnets have lots of those -- and they're often compromised devices themselves," Touhill said.
Most botnet code tries to reach a primary command-and-control node. If it can't reach that node, the code tries to reach a secondary node or a tertiary one. Once it connects, it stops. It doesn't maintain constant contact.
Orchestrators, as bad actors using botnets to launch attacks are called, also use a module to deliver the payload -- the code that can be used to launch an actual attack. Once installed on the device, the code sends information back to the home system, saying 'I'm here, here's the information.' That information is collected on a master database.
"[The hacker] is doing the same thing to 1,000 or one million or however many devices," McElroy said. "Then the code just sits there and waits for instructions from the master server; it just waits for the orchestrator to send out instructions."
Orchestrators can plan and execute attacks for their own reasons and for their own gain, or they can actually sell the use of their botnet inventory to others, taking instructions from their "clients" to distribute instructions for the types of attacks they want, McElroy said. The orchestrator stores the command on a server. When the bots get the command to set up, then they start.
IoT botnets can put out spam or other kinds of misinformation, but they're most frequently used to launch DDoS attacks in which the orchestrator commands the botnets to flood targets with traffic to bring down their systems, according to experts.
"The vast majority of botnets lie in wait as the 'infection' spreads and then the bad actors decide to launch or execute the attack, and then the bots all go into attack mode and broadcast like crazy," Touhill said.
Of course, organizations deploy layers of cybersecurity defenses to block malware from getting into devices, but, as experts pointed out, those layers aren't always successful in preventing attacks.
Once a botnet is active, orchestrators demand payments to get the botnet activity to stop -- with financial gain being the most frequent motivation for attacks.