According to statistics collected by honeypots, the most active malicious programs are members of the Linux.Mirai family, accounting for more than 34% of attacks. They are followed by the Linux.DownLoader loaders (3% of attacks) and the Linux.ProxyM Trojans (1.5% of attacks). The top ten also includes Linux.Hajime, Linux.BackDoor.Fgt, Linux.PNScan, Linux.BackDoor.Tsunami and Linux.HideNSeek. The shares of the most active Trojans are shown in the following illustration:
Linux.Mirai is one of the most active Trojans attacking IoT devices. The first version of this malware appeared in May 2016. Its source code was later made publicly available, after which a large number of modifications by various virus writers quickly appeared. Linux.Mirai is now the most common Linux Trojan; it runs on a variety of processor architectures, including x86, ARM, MIPS, SPARC, SH-4 and M68K.
After infecting the target Linux device, Mirai connects to its management (command-and-control) server and waits for further commands. The main function of this Trojan is to conduct DDoS attacks.
The following graph shows how the number of active copies of this malware detected by honeypots changed over time:
Various modifications of Linux.Mirai are most active in China, Japan, the USA, India and Brazil. Below are the countries where, during the observation period, the largest number of bots of this family was recorded.
Another dangerous malicious application infecting smart devices is Linux.Hajime. This Trojan has been known to virus analysts since the end of 2016. It runs on the ARM, MIPS and MIPSEL architectures and behaves as a network worm, spreading over the Telnet protocol. Infected devices join a decentralized P2P botnet and are used to infect further reachable devices on the Internet. The malware blocks other malicious programs from accessing a compromised device by closing ports 23, 7547, 5555 and 5358 on it.
The peak of Linux.Hajime activity was at the end of 2016 and the beginning of 2017, when the maximum number of simultaneously active copies of this family's Trojans exceeded 43,000. After that, the activity of the malware dropped and continues to gradually decline. Now the number of active Linux.Hajime bots does not exceed a few hundred.
These Trojans are most common in Brazil, Turkey, Vietnam, Mexico and South Korea. The map shows the countries with the largest number of active Linux.Hajime Trojans recorded over the entire observation period.
The top five Trojans designed to infect IoT devices include Linux.BackDoor.Fgt, which has been distributed since autumn 2015. Different versions of this malware run on Linux on the MIPS, SPARC and other architectures. The source code of Linux.BackDoor.Fgt is publicly available, which is why it is so popular among virus writers.
These backdoors spread over the Telnet and SSH protocols, guessing (brute-forcing) logins and passwords to gain access to the attacked devices. The main purpose of these Trojans is to conduct DDoS attacks and to remotely monitor infected devices.
The Linux.ProxyM Trojan is one of the malicious programs that attackers use to ensure their own anonymity on the Internet. It runs a SOCKS proxy server on infected Linux devices through which cybercriminals route their network traffic. Dr.Web specialists discovered the first versions of Linux.ProxyM in February 2017, and this Trojan is still active.
Linux.Ellipsis.1 is another Trojan designed to turn Internet of Things and Linux devices into proxy servers. It was detected by Doctor Web analysts in 2015. Once launched, it deletes the log files and blocks their re-creation, deletes some system utilities, and also prevents the device from communicating with specific IP addresses. If the Trojan detects suspicious traffic from one of the addresses, it blacklists that IP as well. In addition, on command from its management server, Linux.Ellipsis.1 terminates the applications that connected to the forbidden addresses.
Doctor Web discovered the first versions of the Linux.LuaBot family of Trojans in 2016. These malicious applications are written in the Lua scripting language and support devices with the x86_64, MIPS, MIPSEL, PowerPC, ARM, SPARC, SH4 and M68k architectures. They consist of several dozen script modules, each of which performs a specific task. The Trojans are able to receive updates for these modules from the management server, as well as download new ones. Linux.LuaBot is a multifunctional malicious application: depending on the variant and its set of scripts, attackers can use it to remotely control infected devices or to run proxy servers that anonymize their web traffic.
For attackers, cryptocurrency mining is one of the main reasons to infect IoT devices. The Linux.BtcMine family of Trojans and other malicious applications help them with this. One of them, Linux.BtcMine.174, was found by Doctor Web experts at the end of 2018. It is intended for mining Monero (XMR). Linux.BtcMine.174 is a script written for the sh command shell. If it was not launched as the superuser (root), the Trojan attempts to elevate its privileges using several exploits.
Linux.BtcMine.174 searches for antivirus processes and attempts to terminate them and delete their files from the device. It then downloads and launches several additional components, including a backdoor and a rootkit module, and finally launches a miner program on the system.
The Trojan adds itself to autostart, so it survives a reboot of the infected device. In addition, it periodically checks whether the miner process is running and restarts it if necessary, keeping the mining uninterrupted.
The Linux.MulDrop family of Trojans is used to distribute and install other malicious applications. They work on many hardware architectures and device types, but in 2017 Dr.Web virus analysts discovered the Linux.MulDrop.14 Trojan, which specifically attacked Raspberry Pi computers. This dropper is a script whose body stores an encrypted program, a cryptocurrency miner. Once launched, the Trojan unpacks and launches the miner, after which it attempts to infect other devices reachable on the network. To prevent "competitors" from accessing the resources of an infected device, Linux.MulDrop.14 blocks network port 22.
The Linux.HideNSeek malware infects "smart" devices, computers and servers running Linux, integrating them into a decentralized botnet. To spread, this Trojan generates IP addresses and attempts to log in to them using a dictionary of logins and passwords, as well as a list of known credential combinations. In addition, it is able to exploit various device vulnerabilities. Linux.HideNSeek can be used to remotely manage infected devices: execute attackers' commands, copy files, etc.
Unlike most other malicious programs, the Linux.BrickBot Trojans are not intended to bring their operators any benefit. They are vandals designed to disable computers and smart devices, and they have been known since 2017.
Linux.BrickBot Trojans try to infect devices over the Telnet protocol by guessing logins and passwords. They then attempt to erase the data from the devices' persistent storage, reset the network settings, block all connections and reboot. As a result, restoring a damaged device requires reflashing it or even replacing components. Such Trojans are rare but extremely dangerous.
At the end of June 2019, the Linux.BrickBot.37 Trojan, also known as Silex, became widespread. It acted in the same way as other members of the Linux.BrickBot family: erasing data from device drives, deleting their network settings and rebooting, after which the devices could no longer start up and work correctly. Our traps recorded over 2600 attacks by this Trojan.
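The Telnet credential guessing described for Linux.BackDoor.Fgt, Linux.HideNSeek and Linux.BrickBot leaves a distinctive pattern in honeypot or device authentication logs: one source trying many different login/password pairs within seconds. The Python script below is an added example, not code from the original article or from Dr.Web; it parses constructed Telnet auth events in an assumed line format and flags sources that tried many distinct credential pairs inside a short sliding window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Telnet honeypot auth events (not real data); the line format is assumed.
SAMPLE_LOG = """\
2019-06-28T10:00:01 telnet src=198.51.100.7 user=root pass=root result=fail
2019-06-28T10:00:02 telnet src=198.51.100.7 user=admin pass=admin result=fail
2019-06-28T10:00:03 telnet src=198.51.100.7 user=admin pass=1234 result=fail
2019-06-28T10:00:04 telnet src=198.51.100.7 user=root pass=toor result=fail
2019-06-28T10:00:05 telnet src=198.51.100.7 user=support pass=support result=success
2019-06-28T10:05:00 telnet src=203.0.113.9 user=operator pass=secret12 result=fail
2019-06-28T11:30:00 telnet src=203.0.113.9 user=operator pass=secret13 result=success
"""
LINE_RE = re.compile(r"(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S*) "
                     r"pass=(?P<pw>\S*) result=(?P<res>\w+)")
# Small constructed set of factory-default pairs often left unchanged on IoT devices.
DEFAULT_CREDS = {("root", "root"), ("admin", "admin"), ("admin", "1234")}

def parse(log_text):
    events = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):  # skip unparseable lines
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events

def detect_credential_guessing(events, threshold=4, window=timedelta(minutes=1)):
    """Flag sources that tried >= threshold distinct user/password pairs within any sliding
    window (the signature of a dictionary attack); report each source's densest window."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start, best = 0, None
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:  # slide the window start forward
                start += 1
            win = evs[start:end + 1]
            pairs = {(e["user"], e["pw"]) for e in win}
            if len(pairs) >= threshold and (best is None or len(pairs) > best["distinct_pairs"]):
                best = {"distinct_pairs": len(pairs),
                        "default_creds_tried": len(pairs & DEFAULT_CREDS),
                        "success_after_failures": any(e["res"] == "fail" for e in win)
                        and win[-1]["res"] == "success"}
        if best:
            findings[src] = best
    return findings
```

A success following a burst of failures from the same source is the case worth alerting on first, since it suggests a device with a factory or weak password has just been taken over.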
Source: https://habr.com/ru/post/460433/