History of IoT Botnets

  • 2008 Linux.Hydra
    • Open source botnet framework released in 2008
    • Created by Frederico
    • IRC based
    • First known malware that targeted embedded Linux-based operating systems
    • Attempts to connect over Telnet or SSH via hardcoded credentials
    • Blocks further Telnet and SSH connection attempts
    • Arch: MIPS
    • Attack Vectors: SYN Flood, UDP Flood

  • 2009 Psyb0t
    • Discovered in January 2009 by researcher Terry Baume
    • IRC based
    • Targets embedded Linux-based operating systems
    • Attempts to connect over Telnet or SSH via hardcoded credentials
    • Blocks further Telnet and SSH connection attempts
    • Arch: MIPS
    • Attack Vectors: SYN Flood, UDP Flood, ICMP Flood

    Sources: Web Archive, DroneBL
  • 2009 Chuck Norris
    • Discovered at Masaryk University in December, 2009
    • IRC based
    • Targets embedded Linux-based operating systems
    • Attempts to connect over Telnet via hardcoded credentials
    • Arch: MIPS
    • Attack Vectors: SYN Flood, UDP Flood, ACK Flood

    Sources: ResearchGate
  • 2010 Tsunami / Kaiten
    • Discovered by Intego
    • IRC based
    • Source code was published September 2009
    • Arch: MIPS
    • Attack Vectors: SYN Flood, UDP Flood, ACK-PUSH Flood, HTTP Layer 7 Flood, TCP XMAS

    Sources: Intego, Malware Must Die, Kaiten Source
  • 2012 Aidra
    • Discovered in January 2012 by researchers at ATMA.ES
    • Created by Federico Fazzi
    • IRC based
    • Targets embedded Linux-based operating systems
    • Attempts to connect over Telnet via hardcoded credentials
    • Arch: MIPS, MIPSEL, ARM, PPC, SuperH
    • Attack Vectors: SYN Flood, ACK Flood

    Sources: NJCCIC, Symantec
  • 2014 Spike / Dofloo / Mr.Black
    • Discovered around mid-2014
    • Agent-Handler based
    • Targets Windows- and Linux-based PCs as well as embedded Linux-based operating systems
    • Arch: MIPS, ARM
    • Attack Vectors: SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, HTTP Layer 7 Flood

    Sources: Akamai
  • 2014 BASHLITE
    • Discovered in 2014
    • Agent-Handler based
    • In 2015 the source code was leaked
    • Arch: MIPS, MIPSEL, ARM, PPC, SuperH, SPARC
    • Attack Vectors: SYN Flood, UDP Flood, ACK Flood

    Sources: NJCCIC, Flashpoint
  • 2015 Elknot / BillGates
    • Disclosed on a Russian IT website in February, 2014
    • Agent-Handler based
    • Arch: MIPS, ARM
    • Attack Vectors: SYN Flood, UDP Flood, ICMP Flood, DNS Query Flood, DNS Amplification, HTTP Layer 7 Flood, other TCP Floods

    Sources: habr, Kaspersky
  • 2015 XOR.DDoS
    • Discovered in 2014
    • Agent-Handler based
    • Arch: MIPS, ARM, PPC, SuperH
    • Attack Vectors: SYN Flood, ACK Flood, DNS Query Flood, DNS Amplification, Other TCP Floods

    Sources: Malware Must Die, Avast, Akamai
  • 2016 LUABOT
    • Discovered in 2016
    • Agent-Handler based
    • Arch: ARM
    • Attack Vectors: HTTP Layer 7 Flood

    Sources: Malware Must Die, Medium
  • 2016 Remaiten / KTN-RM
    • Discovered in 2016
    • IRC based
    • Arch: ARM, MIPS, PPC, SuperH
    • Attack Vectors: SYN Flood, UDP Flood, ACK Flood, HTTP Layer 7 Flood

    Sources: ESET, SlideShare
  • 2016 Mirai
    • Source code was published on Hack Forums in September, 2016
    • Created by Paras Jha
    • Agent-Handler based
    • Targets embedded Linux-based operating systems
    • Attempts to connect over Telnet and SSH via hardcoded credentials
    • Arch: MIPS, ARM, PPC
    • Attack Vectors: SYN Flood, ACK Flood, ACK-PUSH Flood, TCP XMAS, Other TCP Floods

    Sources: Hack Forums, Radware
  • 2016 Linux.IRCTelnet
    • Discovered by Malware Must Die in October 2016
    • IRC based
    • Arch: MIPS, MIPSEL, ARM, PPC, SuperH, SPARC
    • Attack Vectors: SYN Flood, UDP Flood, ACK Flood, VSE Query Flood, DNS Water Torture, GRE IP Flood, GRE ETH Flood, HTTP Layer 7 Flood

    Sources: Malware Must Die