IoT Botnet tracker
Contributors:
Michael Roza
Brian Russell
Aaron Guzman
Botnets
Botnet | Released/ Discovered | Description | Impact | Links |
---|---|---|---|---|
Dark Nexus | 2019 | Compiled for 12 CPU architectures; works on routers, DVRs, cameras, etc. Also deploys SOCKSv5 proxy to tunnel malicious traffic. DDoS; Currently on 1400 devices; uses telnet and default passwords; disguises itself as /bin/busybox; disables kernel watchdog; kills any other malware; then attempts to keep IoT devices from rebooting. | Medium/ High | https://www.csoonline.com/article/3536600/new-iot-botnet-dark-nexus-targets-wide-variety-of-devices.html?utm_source=browser&utm_medium=subscribers&utm_campaign=organic |
Prowli | 2018 | |||
GhostDNS | 2018 | |||
Muhstik | 2018 | |||
GoScan SSH | 2018 | |||
Anarchy | 2018 | |||
DemoBot | 2018 | |||
VPNFilter | 2018 | Malware targets ICS devices; persistent across a device reboot; can also brick devices | HIGH | https://www.scmagazine.com/malware-with-bricking-capabilities-poses-major-threat-after-infecting-500000-networking-devices/article/768231/ https://www.symantec.com/blogs/threat-intelligence/vpnfilter-iot-malware |
DoubleDoor | 2018 | Strings together multiple attacks against Juniper Netscreen and Zyxel modems. | HIGH | https://securityaffairs.co/wordpress/69063/malware/doubledoor-iot-botney.html |
JenX | 2018 | Derived from Satori; offers DDoS-for-a-fee; targets Grand Theft Auto; uses server-based scanning and exploitation instead of peer-to-peer | HIGH | https://threatpost.com/jenx-botnet-has-grand-theft-auto-hook/129759/ |
ADB.Miner | 2018 | Spreads via the ADB debug interface on port 5555; has infected smartphones, smart TVs, etc.; mines cryptocurrencies | HIGH | https://www.zdnet.com/article/adb-miner-worm-is-rapidly-spreading-across-android-devices/ |
DarkSky | 2018 | The malware is capable of performing DDoS attacks using several vectors: DNS Amplification, TCP (SYN) Flood, UDP Flood, HTTP Flood. | HIGH | https://blog.radware.com/security/2018/02/darksky-botnet/ |
Hide 'N Seek (HNS) | 2018 | HNS targets 10 different CPU architectures such as x86, x64, ARM (LE and BE), SuperH, PPC, and more. Controlled as many as 90,000 IoT devices in April 2018. HNS brute-forces telnet and then restricts access to port 23 to prevent hijacking by other bots. Once access is gained, the malware inserts itself into an /etc/init.d/ file for persistence across reboots (first of its kind). The botnet is not used for DDoS attacks just yet, and many have said the botnet is in a growth phase. | HIGH | https://labs.bitdefender.com/2018/01/new-hide-n-seek-iot-botnet-using-custom-built-peer-to-peer-communication-spotted-in-the-wild/ https://labs.bitdefender.com/2018/05/hide-and-seek-iot-botnet-resurfaces-with-new-tricks-persistence/ |
Reaper / IoTroop | 2017 | Based on Mirai code, but attempts to exploit software vulnerabilities instead of password guessing; has infected routers, surveillance cameras, etc | HIGH | https://www.wired.com/story/reaper-iot-botnet-infected-million-networks/ |
Brickerbot | 2017 | Destroys insecure IoT devices to keep them from taking part in DDoS botnets | HIGH | https://ics-cert.us-cert.gov/alerts/ICS-ALERT-17-102-01A |
Satori | 2017 | Based on Mirai; initially targeted Huawei routers | HIGH | https://www.darkreading.com/vulnerabilities---threats/satori-botnet-malware-now-can-infect-even-more-iot-devices/d/d-id/1330875 |
Persirai | 2017 | Exploits RCEs on IP cameras running GoAhead web servers and is used to perform DDoS attacks | HIGH | https://blog.trendmicro.com/trendlabs-security-intelligence/reigning-king-ip-camera-botnets-challengers/ |
Mirai | 2016 | Well-known botnet targets consumer IoT devices using dictionaries of common usernames/passwords; multiple attack vectors | HIGH | https://en.wikipedia.org/wiki/Mirai_(malware) |
Hajime | 2016 | Takes insecure IoT devices hostage to keep them from taking part in DDoS botnets | Low | https://en.wikipedia.org/wiki/Hajime_(malware) |
Linux/IRCTelnet | 2016 | Connects to IoT devices using telnet and borrows the Mirai dictionary | HIGH | http://blog.malwaremustdie.org/2016/10/mmd-0059-2016-linuxirctelnet-new-ddos.html |
REMAITEN | 2016 | Searches for devices running telnet. Runs dictionary attack | | https://en.wikipedia.org/wiki/Remaiten |
Pnscan | 2015 | |||
Spyke | 2015 | |||
Linux.Moose | 2015 | Exploits routers to eavesdrop on communication to perform social network fraud. Moose can be configured to reroute router DNS traffic, which enables man-in-the-middle attacks from across the Internet | HIGH | https://www.welivesecurity.com/wp-content/uploads/2015/05/Dissecting-LinuxMoose.pdf |
BASHLITE | 2014 | Released in 2014 and part of a family of botnets; uses a dictionary of common usernames/passwords. Focuses heavily on cameras and DVRs running embedded Linux. | HIGH | https://en.wikipedia.org/wiki/BASHLITE |
Linux.Wifatch | 2014 | Spreads and attempts to disable malware found on devices | LOW | https://en.wikipedia.org/wiki/Linux.Wifatch |
TheMoon | 2014 | Initially discovered in 2014 but has updated its attacks, targets, and C&C. TheMoon is a type of worm that targets "E" series Linksys routers and then added ASUS as well as D-Link routers into its target list in late 2016. | LOW | https://isc.sans.edu/forums/diary/Linksys+Worm+TheMoon+Summary+What+we+know+so+far/17633 https://www.fortinet.com/blog/threat-research/themoon-a-p2p-botnet-targeting-home-routers.html |
Gafgyt | 2014 | |||
LINUX.DARLLOZ | 2013 | Exploits PHP vulnerability | HIGH | https://en.wikipedia.org/wiki/Linux.Darlloz |
Linux.Aidra | 2013 | Exploits routers and commands via IRC | HIGH | https://www.symantec.com/en/sg/security-center/writeup/2013-121118-5758-99 |
OSX/Tsunami | 2011 | | | |