A new Internet of Things botnet, dubbed "IOTroop," is growing at a faster pace than Mirai, and can potentially cause greater damage, according to Check Point Software Technologies.

Just prior to the one-year anniversary of the Mirai Internet of Things (IoT) botnet's infamous DDoS attack on Dyn, researchers disclosed the existence of an even more evolved Internet of Things botnet that has already secretly infected a million organizations.

In a company blog post on Thursday, the Check Point Software Technologies researchers who discovered the threat warn that the botnet, dubbed "IOTroop," is growing at a faster pace than Mirai, and can potentially cause greater damage.

The Oct. 21, 2016 Mirai attack disrupted website operations across North America and Europe after attackers flooded DNS service Dyn with malicious lookup requests from connected devices such as IP cameras, DVRs, and routers. These devices were all infected with Mirai malware, whose source code had been released publicly into the wild by its author.

Mirai's possible heir apparent, IOTroop, was first detected in late September, as Check Point researchers identified attempts to exploit multiple vulnerabilities in IoT devices from such manufacturers as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology, and others.

A technical analysis of IOTroop revealed that it shares some source code with Mirai, suggesting that the two threats are linked. However, the new botnet is more sophisticated than its predecessor, and its ultimate purpose remains unknown.

"It has the same technical capabilities, and then over 100 additional functions added to it," said Maya Horowitz, Check Point's group manager of threat intelligence, in an interview with SC Media. "The most interesting differentiator we've exposed so far is that it exploits vulnerabilities in expanding the network, rather than only compromising devices that have factory default credentials set."

Check Point has determined that infected IOTroop devices are essentially reprogrammed to self-propagate, spreading the malware to additional IoT products. In one case, researchers found that a GoAhead camera's System.ini file, which ordinarily contains the user's credentials, instead had a modified version featuring a "Netcat" command that opened a reverse shell to the attacker's IP. "This tells us that this machine was merely one link in the chain, and that it was both infected and then also transmitting the infection," Check Point explains in a more detailed research report.

The GoAhead camera was exploited via CVE-2017-8225, a critical information disclosure vulnerability in Wireless IP (P2P) WIFICAM cameras, which was discovered last April. But there are more bugs where those came from, as the botnet continues to expand its arsenal of IoT vulnerabilities, "some of which haven't had a CVE attached to them," Horowitz said.

In its blog post, Check Point has identified 15 IoT vulnerabilities seen in the context of IOTroop's bot recruitment campaign.

"The discovery of a botnet bigger and potentially more dangerous than Mirai is alarming news for businesses and consumers around the globe," said Mark Hearn, director of IoT security at digital platform security provider Irdeto, in emailed comments. "With the cross-contamination of connected devices, threats easily cross boundaries of the connected home, the connected building, mobile devices, and the enterprise."

The news of Check Point's discovery added an element of urgency to another new report, this one from Radware, which suggests that website operators may not be adequately prepared for the next major IoT-based DDoS attack.

According to Radware, 68 of the top 100 U.S. websites still use only one DNS provider for their domain, instead of having a back-up for redundancy purposes, in case another Dyn incident occurs. Some of these 68 websites were even affected in the Oct. 21 attack.
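The single-provider exposure Radware describes is something an operator can check for themselves from a domain's NS records. The script below is an added example, not Radware's or Check Point's code: it groups nameserver hostnames by the organisation that operates them and flags domains whose authoritative servers all belong to one provider. The NS records are constructed sample data, the short public-suffix list is an assumption, and in practice the records would come from a resolver (for example `dig NS <domain>`).

```python
"""Flag domains whose authoritative nameservers sit with a single DNS provider.

Added example; NS records below are constructed, not real measurements.
"""
from collections import defaultdict

# Assumption for the example: suffixes where a third label names the operator.
# A real audit would consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}


def provider_of(nameserver: str) -> str:
    """Reduce an NS hostname to the registrable domain that operates it.

    Caveat: vanity nameservers (ns1.example.com CNAME-style delegations to a
    provider) hide the real operator, so this grouping is an approximation.
    """
    labels = nameserver.rstrip(".").lower().split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def group_by_provider(nameservers):
    """Map each operating domain to the NS hostnames it serves."""
    groups = defaultdict(list)
    for ns in nameservers:
        groups[provider_of(ns)].append(ns.rstrip(".").lower())
    return dict(groups)


def has_dns_redundancy(nameservers) -> bool:
    """True when the NS set is served by at least two distinct operators."""
    return len(group_by_provider(nameservers)) >= 2


def audit(domain: str, nameservers) -> str:
    """One-line verdict for a domain, listing the providers seen."""
    providers = ", ".join(sorted(group_by_provider(nameservers)))
    verdict = "redundant" if has_dns_redundancy(nameservers) else "SINGLE PROVIDER"
    return f"{domain}: {verdict} ({providers})"


# Constructed sample data: one site on a single provider, one split across two.
SAMPLES = {
    "single-example.test": ["ns1.dnsprovider-a.test.", "ns2.dnsprovider-a.test."],
    "dual-example.test": ["ns1.dnsprovider-a.test.", "ns1.dnsprovider-b.test."],
}

if __name__ == "__main__":
    for domain, records in SAMPLES.items():
        print(audit(domain, records))
```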

The post's author, Radware security evangelist Ron Winward, also warned that the next attack could be worse if the perpetrators target the entire global DNS infrastructure by taking down the top DNS providers. Alternatively, the attackers could also target APIs (Application Programming Interfaces), Winward suggested.