The Rise of IoT Botnets: A Look Inside the CenturyLink 2018 Threat Report

Network visibility is a key tool when spotting the threats targeting users across the Internet each day. CenturyLink operates one of the world’s largest Internet backbones and collects 114 billion networking events each day. Of these, 1.3 billion are security-related. These events are tracked and analyzed to spot emerging risk factors. The CenturyLink 2018 Threat Report summarizes and interprets the annual findings.
CenturyLink saw an average of 195,000 threats each day in 2017, affecting 104 million unique targets. Breaking down these threats and their origins reveals some insights about how and where attackers work.
Much of the threat traffic comes from botnets. Criminals build these collections of devices, often numbering in the millions, by infecting them with malware. They deliver it in several ways, including phishing attacks and drive-by downloads. Some botnet malware instances are worms, using severe vulnerabilities that do not require any user activity to infect a machine and which can spread very quickly.
Once infected, devices connect to a command and control (C2) server to register themselves and receive further instructions. The C2 server relays instructions from the ‘bot herder’ to the botnet, enabling the herder to harvest sensitive data from the infected machines.
Many botnets are used to launch distributed denial of service (DDoS) attacks. These are swarm attacks, in which the attacker directs many machines to send Internet traffic to a target at once, tying up its connection to the Internet and its computing resources as it tries to respond to all the requests.
The rise of IoT botnets
Historically, botnets targeted PCs. In recent years, though, as the Internet of Things (IoT) has expanded, attackers have turned their attention to these connected devices. They exist in the millions, in the form of webcams, digital video recorders, smart TVs and routers, among other things. Connected IoT devices are ideal targets for attackers, because they are often configured insecurely by default and infrequently updated. They are also rapidly outpacing PCs by volume, creating a massive attack surface.
In the last two years, several IoT botnets have emerged. The one that generated the most media attention appeared in fall 2016, when attackers used the botnet Mirai to effectively shut down KrebsOnSecurity, the web site owned by well-known security writer Brian Krebs. Mirai also brought the Internet to a standstill by launching an October 2016 DDoS attack on Dyn, which resolves DNS traffic for much of the web.
Mirai spawned many other malware variants after attackers released its source code in October 2016. CenturyLink has found several of the variants, including Satori, Masuta, OMG and Okiru.
While Mirai captured the media’s imagination, it was preceded by another IoT malware variant called Gafgyt. Also known as BASHLITE, Lizkebab and Torlus, this malware appeared in 2014. It was written in C, and is easily compiled for different Linux-based systems, making it easy to infect a wide variety of IoT devices which are frequently based on the open source operating system.
In spite of Mirai’s infamy, Gafgyt was the Internet’s unsung villain in 2017, having a larger effect overall. CenturyLink counted 339 C2 servers controlling Mirai infections in 2017, whereas Gafgyt had 562 unique C2s that year. The older malware variant’s C2 servers also stayed up for longer, with a maximum uptime of 117 days.
Sophisticated attacks
Both botnets were highly evolved in their attacks. While they each used a variety of DDoS types, the most popular among both botnets were based on HTTP flood traffic. These are among the most sophisticated DDoS attacks, operating at layer 7 of the TCP stack. Instead of simply using brute force to take down a web site, an HTTP flood attacker pretends to be a web browser sending a typical web request. HTTP flood attacks are often customized to consume the maximum resources on the targeted website. This gives the attacker the maximum effect for the minimum bandwidth, and also makes the attacks more difficult than others to detect.
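Because each request in an HTTP flood is small and looks like a browser, bandwidth counters miss it; what gives it away is the per-source request rate. The following is an added example (not code from the report or from CenturyLink) of that detection logic run over constructed Common Log Format access-log lines: it parses each line, counts requests per source inside a sliding window, and reports how many of the flagged source's requests hit an expensive endpoint. The window size, threshold and `/search` prefix are assumptions chosen for the sample.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)')

def parse_line(line):
    # Return (ip, unix_time, path-without-query) or None for a malformed line.
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts.timestamp(), m.group("path").split("?", 1)[0]

def flag_http_flood_sources(lines, window_s=10, max_requests=30,
                            expensive_prefixes=("/search",)):
    """Flag sources whose request count in any window_s-second sliding window exceeds
    max_requests. Bytes are ignored on purpose: a layer-7 flood is small on the wire."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, t, path = parsed
            per_ip[ip].append((t, path))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1  # slide the window forward
            count = end - start + 1
            if count > max_requests:
                window = events[start:end + 1]
                expensive = sum(1 for _, p in window if p.startswith(expensive_prefixes))
                flagged[ip] = {"requests_in_window": count,
                               "expensive_share": round(expensive / count, 2)}
                break
    return flagged

def _clf(ip, t, path):  # format one constructed CLF line
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "GET {path} HTTP/1.1" 200 512'

def constructed_sample_log():
    """Constructed, not captured: a bot hitting /search 5x/s for 8 s, plus a normal visitor."""
    base = datetime(2018, 3, 12, 10, 0, 0, tzinfo=timezone.utc)
    lines = [_clf("10.0.0.7", base + timedelta(milliseconds=200 * i), f"/search?q={i}")
             for i in range(40)]
    lines += [_clf("10.0.0.5", base + timedelta(seconds=12 * i), f"/page{i}")
              for i in range(5)]
    return lines
```

Running `flag_http_flood_sources(constructed_sample_log())` flags only 10.0.0.7, with every request in the window landing on the expensive endpoint, while the ordinary visitor never exceeds the threshold.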
Attackers frequently used Mirai against a particular target: game servers. They used the botnet to launch the Valve Source Engine Flood attack, which sends requests to a server used to host online games. This slows the server down or knocks it offline, affecting game quality. This is a serious issue for game server hosts, who can make $50,000 each month from players using their servers for popular titles like Minecraft.
Attack sources
Where are these attacks coming from? Using data from its Internet backbone, CenturyLink found that the US was the top source of malicious traffic during 2017, and the top source of C2 servers. It also hosted the most botnet servers, at 1.8 million, outpacing the next biggest, China, fourfold.
This geographic data doesn’t necessarily mean that the majority of these online villains are located in the US, though. Attackers frequently compromise servers in countries other than their own. This not only makes them less vulnerable to attention from law enforcement, but also gives them access to the high volume of servers in the US, alongside its excellent Internet infrastructure.
Russia, Ukraine and China were the next three biggest sources of C2 servers, and also featured near the top of the list for general malicious traffic during 2017. Their different approach to policing online crime makes it harder for Western states to prosecute cyber criminals there, making them ideal locations for what has become known as ‘bulletproof’ hosting.
While CenturyLink cannot always persuade local law enforcement to take down these criminal operations, it can use its own Internet backbone to throttle traffic from specific C2 servers. In this way, we can mitigate the effects of these botnets within hours, even if they stay online for months.
With the continuing rise of IoT devices, this is only the beginning of a new generation of pernicious and aggressive botnet behavior. Expect more in the future – and be sure that we will keep you posted as the threat develops.