Hundreds of contaminated IoT gadgets are used within the for-profit anonymity service


Computers are infected by looking for SSH or Secure Shell servers and trying to guess weak passwords. Malware written in the Go programming language then implements a botnet with an original design. This means that the core functionality has been rewritten from the ground up and not borrowed from previously seen botnets.

The code integrates open source implementations of protocols such as NTP, UPnP and SOCKS5. The code also uses the lib2p library for peer-to-peer functionality. The code also uses a lib2p-based network stack to interact with the interplanetary file system, often abbreviated to IPFS.

"Compared to other Golang malware that we have analyzed in the past, IPStorm is remarkable in its complex design due to the interaction of its modules and the way it uses the constructs of libp2p," the report said from Thursday using the acronym for Interplanetary Storm. "It is clear that the threat actor behind the botnet rules Golang."

When executed, the code initializes an IPFS node which starts a series of lightweight threads called goroutines, which in turn implement each of the main subroutines. Among other things, a 2048-bit RSA key pair is generated that belongs to the IPFS node and is used for unique identification.

With the bootstraps

As soon as a bootstrap process begins, the node can now be reached by other nodes in the IPFS network. Different nodes use all of the components of lib2p to communicate. In addition to communicating for an anonymous proxy service, the nodes also interact with each other to share malware binaries that are used for updating. To date, Bitdefender has counted more than 100 code revisions, an indication that IPStorm is staying active and receiving robust programming attention.

Bitdefender estimates that there are around 9,000 unique devices, the vast majority of which are Android devices. Only about 1 percent of the devices run Linux, and only one computer is believed to be running Darwin. Based on clues from the operating system version and, if available, the host name and user name, the security company has identified certain models of routers, NAS devices, TV receivers, as well as multi-purpose boards and microcontrollers (e.g. Raspberry Pis) that are likely to form The botnet.

Many criminals use anonymous proxies to transmit illegal data such as child pornography, threats, and swatting attacks. Thursday's report is a good reminder of why it's important to always change the default passwords when setting up Internet of Things devices and, if possible, disable remote administrator access as well. The cost of doing this may not only include loss of bandwidth and increased power consumption, but also criminal content that may be traced back onto your network.


Steven Gregory