Thousands of infected IoT devices in the for-profit anonymity service
Interplanetary Storm uses P2P networks, mainly on IoT devices running Android.
Around 9000 devices, mostly with the Android, Linux and Darwin operating systems, were integrated into the so-called “Interplanetary Storm” (the name of a botnet, the main purpose of which is to create a profit-oriented proxy service), which is supposed to be made available anonymously on the Internet.
It is based on evidence collected by researchers
The finding is based on several pieces of evidence that were collected by researchers from the security provider “Bitdefender”. At the heart of the evidence is a series of six specialized nodes that are part of the administrative infrastructure.
- Proxy backend that pings other nodes to prove their availability
- Proxy tester that connects to a bot proxy
- The manager that issues scan and brute force commands
- Backend interface that is responsible for hosting a web API
- Node that uses cryptography keys to authenticate other devices and to sign authorized messages
- Development node that is used for development purposes
“Together, these nodes are responsible for checking node availability, connecting to proxy nodes, hosting the web API service, signing authorized messages and even testing the malware in the development phase”.
This is what researchers from the Romanian manufacturer of anti-virus program packages “Bitdefender” wrote in a Thursday published report . “Together with other development decisions, this leads us to believe that the botnet will be used as a proxy network, which may be offered as an anonymization service”.
It is not the first time that researchers have found botnets that are used to provide networks for quasi-anonymous Internet use. The security journalist Brian Krebs reported about it in 2008.
Various researchers have this is also documented. One fact that the manufacturer Bitdefender found interesting at the time is that the anonymous proxy was advertised on the clearnet and not in the darknet forums.
Computers are infected by scanning for SSH or secure shell servers, and if they are found they try to guess weak passwords. Malware written in the Go programming language then implements a botnet with an original design. This means that its core functionality has been rewritten from the ground up and does not allow any conclusions to be drawn about previously seen botnets.
The code integrates open source implementations of protocols such as NTP , UPnP and SOCKS5 . In addition, it uses the lib2p library for peer-to-peer functionality. A lib2p-based network stack is also used to interact with the interplanetary filesystem , which is often abbreviated to IPFS is used.
“Compared to other Golang malware that we have analyzed in the past, IPStorm is remarkable in its complex design because of the interaction of its modules and the way in which it takes advantage of the constructs of libp2p”,
it said in the report from Thursday, in which the abbreviation for “Interplanetary Storm” was used. “It is clear that the threat actor behind the botnet controls ‘Golang’.”
Once the code is executed, the code initializes an IPFS node which starts a series of simple threads known as “goroutines,” which in turn implement each of the main subroutines. Among other things, it generates a 2048-bit RSA key pair, which belongs to the IPFS node and is used to uniquely identify the node.
As soon as a bootstrap process begins, the node can be reached by other nodes in the IPFS network. The various nodes use all components of the lib2p communication. In addition to communicating for the anonymous proxy service, the nodes also interact with each other to exchange malware binaries that are used for updating. To date, Bitdefender has counted more than 100 code revisions, which indicates that IPStorm will remain active and receive programming attention.
Bitdefender estimates that there are around 9,000 unique devices, the vast majority of which are Android devices. Only about 1 percent of the devices run on Linux. It is believed that there is only one machine running Darwin. Based on clues gathered from the operating system version and, if available, host and user names, the security company has identified certain models of routers, NAS devices, TV receivers, and multi-purpose circuit boards and microcontrollers (e.g. Raspberry Pis) that are likely to make up the botnet.
Many criminals use anonymous proxies to convey illegal data such as child pornography, threats, and swatting attacks. Thursday’s report is a good reminder why it is important to always change the default passwords when setting up Internet of things devices and – if possible – to deactivate administrative remote access. The cost of not doing this can be not only lost bandwidth and increased power consumption, but also criminal content that could be traced back to your network.