Thousands of infected IoT devices used in for-profit anonymity service

By | October 16, 2020
A stylized human skull over a wall of binary code.

Some 9,000 devices—mostly running Android, but also the Linux and Darwin operating Systems—have been corralled into the Interplanetary Storm, the name given to a botnet whose chief purpose is creating a for-profit proxy service, likely for anonymous Internet use.

The finding is based on several pieces of evidence collected by researchers from security provider Bitdefender. The core piece of evidence is a series of six specialized nodes that are part of the management infrastructure. They include a:

  • proxy backend that pings other nodes to prove its availability
  • proxy checker that connects to a bot proxy
  • manager that issues scanning and brute-forcing commands
  • backend interface responsible for hosting a Web API
  • node that uses cryptography keys to authenticate other devices and sign authorized messages
  • development node used for development purposes

Keeping it on the down-low

Together, these nodes “are responsible for checking for node availability, connecting to proxy nodes, hosting the web API service, signing authorized messages, and even testing the malware in its development phase,” Bitdefender researchers wrote in a report published on Thursday. “Along with other development choices, this leads us to believe that the botnet is used as a proxy network, potentially offered as an anonymization service.”

It’s not the first time researchers have found botnets used to provide networks for quasi-anonymous Internet usage. Security journalist Brian Krebs has reported on them
over the years since as early as 2008. Various researchers have also documented them. One thing that Bitdefender found interesting about this time is that the anonymous proxy was being advertised on the clearnet rather than in darknet forums.

Machines are infected by scanning for SSH—or secure shell—servers and when found attempting to guess weak passwords. Malware written in the Go programming language then implements a botnet with an original design, meaning its core functionality is written from scratch and doesn’t borrow from previously seen botnets.

The code integrates open source implementations of protocols including NTP, UPnP, and SOCKS5. The code also uses the lib2p library for peer-to-peer functionality. The code further uses a lib2p-based network stack to interact with the Interplanetary File System, which is often abbreviated at IPFS.

“Compared to other Golang malware we have analyzed in the past, IPStorm is remarkable in its complex design due to the interplay of its modules and the way it makes use of libp2p’s constructs,” Thursday’s report said using the abbreviation for Interplanetary Storm. “It is clear that the threat actor behind the botnet is proficient in Golang.”

Once run, the code initializes an IPFS node that launches a series of lightweight threads, known as Goroutines, that in turn implement each of the main subroutines. Among other things, it generates a 2048-bit RSA keypair that belongs to the IPFS node and is used to uniquely identify it.

By the bootstraps

Once a bootstrap process begins, the node is now reachable by other nodes on the IPFS network. Different nodes all use components of lib2p to communicate. Besides communicating for anonymous proxy service, the nodes also interact with each other for sharing malware binaries used for updating. To date, Bitdefender has counted more than 100 code revisions, an indication that IPStorm remains active and receives robust programming attention.

Bitdefender estimated that there are about 9,000 unique devices, with the vast majority of them being Android devices. Only about 1 percent of the devices run Linux, and only one machine is believed to run Darwin. Based on clues gathered from the operating system version and, when available, the hostname and user names, the security firm has identified specific models of routers, NAS devices, TV receivers, and multipurpose circuit boards and microcontrollers (e.g., Raspberry Pis) that likely make up the botnet.

Many criminals use anonymous proxies to transmit illegal data, such as child pornography, threats, and swatting attacks. Thursday’s report is a good reminder why it’s important to always change default passwords when setting up Internet-of-things devices and—when possible—to also disable remote administrative access. The cost of not doing so may not only be lost bandwidth and increased power consumption, but also criminal content that might be traced back to your network.