7 Malware Families Ready to Ruin Your IoT's Day
This latest list of Internet of Things miscreants doesn't limit itself to botnets, like Mirai.
March 29, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt144adfaee6515673/64f0d46f43af5454eea1bd6e/Image_1.jpeg?width=700&auto=webp&quality=80&disable=upscale)
Don't you hate it when one loud co-worker at the office takes all the credit and keeps the rest of the team out of management's eye? Welcome to the world of Internet of Things (IoT) malware, where several families do their malicious worst — only to hear IT professionals droning on about Mirai, Mirai, Mirai.
Don't be misled: Mirai is still out there recruiting low-power IoT devices into botnets, but it's certainly not the only piece of malware you should be aware of. Mirai wasn't even the first of the big-name IoT baddies — that distinction goes to Stuxnet — but the sheer size of the attacks launched using the Mirai botnet and the malware's dogged persistence on devices around the world have made it the anti-hero poster child of IoT security.
Mirai has continued to grow through variations that make it a malware family rather than a single stream of malware. And it's not alone: Malware programmers are much like their legitimate software development counterparts in their programming practices and disciplines, making code reuse and modular development commonplace. Each of these can make it tricky to say whether a bit of malware is new or just a variant. Regardless, security professionals have to stop all of them.
This latest list of IoT miscreants doesn't limit itself to botnets. You'll also find data wipers, cryptominers, and data capture clients. And if there's one thing cybersecurity professionals can count on, it's that malware authors will continue to apply their creativity and programming skills to new forms of criminal code that will be unleashed on the IoT.
What kind of malware are you dreading most? And what kind do you think will all but disappear in the coming years? Share your thoughts with the Dark Reading community in the Comments section, below.
(Image: peshkov VIA Adobe Stock)
Gafgyt began as a Linux botnet that launched distributed denial-of-service (DDoS) attacks circa 2014. It can still inflict DDoS pain but in the intervening years has proved to be old malware that can learn a plethora of new tricks.
The first set of tricks developers taught Gafgyt was how to exploit specific vulnerabilities in IoT devices. From routers, modems, and firewalls to security cameras and DVRs, Gafgyt has been given the tools to embed itself in a wide variety of IoT devices. While many of the vulnerabilities targeted by Gafgyt have been patched, the sheer number of unpatched devices in the wild makes this a threat that has grown into a criminal family.
The damage Gafgyt can inflict has evolved, as well. In addition to launching DDoS attacks, Gafgyt can now steal information, drop other malware payloads, and enlist victims into botnets used for a variety of purposes. Gafgyt has become more flexible and dangerous given its wide range of variations. It's now part of one of the more prolific families of IoT malware.
Satori began as a variant of the code that brought us Mirai, but it has evolved to become much more. It is constantly changing at the hands of its developers, targeting new CPUs and systems with payloads that shift but always seem to return to the business of DDoS.
It's worth remembering that Mirai began as a fight between people operating video game servers. That small feud has grown to devastate businesses around the world. And Satori continues to look for new vulnerabilities to exploit and new ways it can be employed. In recent months, developers have added spam generation and cryptocurrency mining to Satori's repertoire.
The best defense against Satori matches Mirai's: Make sure all IoT devices (especially those that are open to the Internet) are fully patched and updated. Add a well-designed set of firewall and intrusion-prevention system (IPS) rules, and you will have as much Satori protection as an organization can apply.
Few devices have improved physical security as much as the proliferation of security cameras pointing at doors, windows, critical equipment, and oft-trod pathways. And few devices have become so great a cybersecurity risk as that same fleet of cameras, open to the Internet, often unprotected, and very nearly unprotectable.
Satori followed on the heels of Mirai, specifically targeting a family of IP-based cameras as the hosts for the malware and its DDoS-spewing payload. While Mirai also planted itself on IP cameras, it was broader in its vision, whereas Satori was specific. As a result, Satori quickly became the top IP camera botnet.
Persirai has maintained its focus on cameras but added to its list of victims; it now has the ability to infect more than 1,000 different camera models. Protecting against Persirai takes several steps, including disabling Universal Plug and Play (UPnP), changing passwords (if possible), updating firmware, and being aware of all the devices you might have that are chatting away with servers on the Internet.
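The last of those steps, knowing which devices are talking to the Internet, can be checked from a firewall's own logs. As an added example that is not part of the article, the script below reads constructed iptables-style LOG lines, keeps only traffic leaving the RFC 1918 LAN, and flags devices that are missing from a hypothetical inventory or that contact destinations the inventory does not expect.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of iptables-style LOG lines (not from any real network).
SAMPLE_LOG = """\
Mar 29 10:01:02 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 29 10:01:05 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.7 PROTO=TCP DPT=443
Mar 29 10:01:09 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.23 PROTO=TCP DPT=23
Mar 29 10:01:11 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.24 PROTO=TCP DPT=6667
Mar 29 10:01:15 gw kernel: FW-OUT IN=br0 OUT=eth0 SRC=192.168.1.12 DST=192.168.1.1 PROTO=UDP DPT=1900
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")

# RFC 1918 ranges checked explicitly: ipaddress.is_private also covers the
# documentation ranges used in the sample, so it would hide the test traffic.
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hypothetical inventory: internal address -> (label, external hosts it is expected to reach)
INVENTORY = {
    "192.168.1.50": ("lobby-camera", {"203.0.113.7"}),
}

def _on_lan(addr):
    return any(addr in net for net in LAN_NETS)

def parse_outbound(log_text):
    """Return {internal_src: {(dst, proto, dport), ...}} for connections leaving the LAN."""
    flows = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
        if _on_lan(src) and not _on_lan(dst):  # LAN-to-LAN chatter (e.g. SSDP) is skipped
            flows[str(src)].add((str(dst), m["proto"], int(m["dpt"])))
    return flows

def review(flows, inventory):
    """Classify each Internet-talking device: unknown, unexpected destination, or ok."""
    findings = {}
    for src, conns in flows.items():
        if src not in inventory:
            findings[src] = "unknown device talking to the Internet"
            continue
        _label, expected = inventory[src]
        unexpected = sorted({d for d, _, _ in conns if d not in expected})
        findings[src] = ("unexpected destinations: " + ", ".join(unexpected)) if unexpected else "ok"
    return findings
```

Run against a real firewall log, the inventory is the part that needs maintaining; every "unknown device" line is a device to identify, patch, and either add to the inventory or block.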
While IP cameras are frequent targets of IoT malware, they're far from the only systems that can be infected. VPNFilter takes aim at home and small-business routers and comes with a bonus: It can remain in place even after the devices are rebooted.
Unlike most of the other pieces of malware that infect the IoT, VPNFilter doesn't specifically try to build a botnet from which to launch a DDoS attack. Instead, the modular VPNFilter can carry a payload that harvests data from the network, works to infect other devices, disrupts the network operations, or hides the location of other botnet nodes.
VPNFilter can't be cleared by simply resetting the router. A two-step process will do the job, though: Conduct a factory reset and then, before the router is reconnected to the Internet, change the default admin password. Of course, if you start off by changing the default username and password, then keep the router fully patched and updated, VPNFilter's damage will remain filtered out.