
How zombie cameras took down Netflix... and an entire country's internet

Here's how the Internet of Things botnet went from being a Minecraft server nuisance to a billion-dollar threat that disabled a country's internet infrastructure.


Once used to harass Minecraft players and illicitly mine Dogecoin, the Internet of Things botnet -- a large, malware-infected collection of smart home cameras, DVRs, routers and more -- has since been turned into a powerful weapon by cybercriminals. Hackers have used large bursts of data from it to silence journalists, cause hundreds of millions in damage, and shut down an entire country's internet infrastructure.

Control of this growing botnet has passed from hacker to hacker over the past few years as it grows larger and more dangerous with time. Here's how the threat has evolved.


The weak security link

There's one thing that almost all Internet of Things attacks have in common: They all leverage the lax default security settings in consumer devices.

One of the earliest IoT scare stories dates back to August 2013, when a hacker gained remote access to an unsecured Foscam Baby Monitor and used the two-way mic to shout obscenities at a toddler. Many cameras remain unprotected and are easily searchable online.


The Early IoT Hacks: Baby Spying

Because so few people thought to secure these devices -- and because security was often an afterthought for manufacturers -- infected monitors and home security cameras make up the backbone of the IoT botnet.

Combined, cameras and set-top boxes (DVRs) represent 95 percent of the devices used in large IoT attacks. Unsecured home routers make up another 4 percent.


Dogecoin and IoT hacks

Hackers quickly began exploiting IoT vulnerabilities for financial gain. The Linux.Darlloz worm, first identified in November 2013, used infected routers and set-top boxes to mine virtual money.

A ZDNET article from March 2014 reports that the crooks had generated 42,438 Dogecoins and 282 Mincoins through the scheme -- less than $200 in total value.


Enter the Lizard

The IoT malware game changed again in September 2014 with the release of the LizardStresser (BASHLITE) malware. It uses common passwords such as "password" and "123456" to take over IoT devices via the Shellshock bug.

LizardStresser increased the size of the IoT zombie botnet. As of 2016, more than 1 million devices (including home routers) had been infected by a form of BASHLITE malware.


The first generation of IoT DDoS attacks

The LizardStresser botnet can launch distributed denial of service (DDoS) attacks at a rate of 400Gbps.

It's been used against targets ranging from large banks to telecom providers to government agencies, ZDNET reported. LizardStresser has also been used in DDoS attacks on Xbox Live and PlayStation Network.


Malware motivated by Minecraft money

With the IoT botnet growing, criminals devised a more profitable use for it: Selling DDoS attacks to the highest bidder. In late 2014, a hacking collective called Lizard Squad took control of the IoT botnet and sold access to an illegal control tool.

Private Minecraft servers were popular targets. Owners would pay to launch costly DDoS attacks on their competitors, hoping to lure their customers away to a purportedly more secure server.


A vigilante IoT attack?

With control of the IoT botnet swinging back and forth between hackers, a group of white hats tried to secure unprotected devices with "good malware." Released in November 2014, Linux.Wifatch infects IoT devices, scans for and deletes malware, and then closes up Telnet access to block future attackers.

Interestingly enough, the hackers hid a special message inside their code: "To any NSA and FBI agents reading my email: Please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."


Enter Mirai

In August 2016, a hacker calling himself Anna Senpai took near-monopolistic control of the IoT botnet via his Mirai malware. Named after an anime series, Mirai deletes previous IoT infections and replaces the malicious code with its own.

Like other IoT malware, Mirai leverages 60 common factory default usernames and passwords in its attacks. At its peak, Mirai was infecting 4,000 IoT devices per hour.


Netflix down!

The most well-known Mirai attack in the U.S. happened on October 21, 2016. On that date, a record-breaking 1.2Tbps DDoS blast from 100,000 infected devices took down the servers of Dyn, a global domain name system (DNS) service provider.

The attack took down a large number of major websites, including Netflix, Twitter, Amazon, CNN and more.


IoT hackers vs. journalists

Around the same time, the Mirai botnet targeted security expert and blogger Brian Krebs of KrebsOnSecurity.com with a massive, 623 Gbps DDoS attack. It was purportedly launched in retribution for a Krebs story that led to the arrest of two Israeli teenagers.

Akamai dropped its pro bono support for Krebs' website as a result, as the cost of defending against the attacks rose into the millions of dollars. His site is now protected by Google's Project Shield.


Is this Anna Senpai?

In a lengthy blog posting, Krebs singled out Rutgers University student Paras Jha as Anna Senpai, the person allegedly behind the Mirai worm who attacked his site.

According to Krebs' report, Jha has connections to the Minecraft DDoS protection racket. For his part, Jha has not been charged with a crime, though he has been questioned by the FBI regarding the attack.


A major attack against Liberia

But that's not all. The Mirai botnet is also responsible for taking down the entire internet infrastructure in Liberia in a November 2016 DDoS attack.

More than 600 Gbps of data clogged the country's lone undersea cable, causing Liberia's net access to flicker in and out for two weeks.


In which the IoT botnet attempts to influence an election

The Mirai botnet attacked the website of Donald Trump twice on Sunday, November 6, and again on Monday, November 7. On Monday, the botnet also launched a similar attack against Hillary Clinton's website. Neither was taken offline.

Another pre-election attack targeted a phone bank company, with negative effects on both Republican and Democratic campaigns.


Leet Botnet: Mirai's successor

Already, an even greater IoT threat than Mirai has been identified. On December 21, 2016, the Imperva Incapsula network was targeted with a 650 Gbps DDoS blast.

The company believes that the attacker, unable to resolve the IP address of his intended victim, simply launched an attack against the anti-DDoS network as a whole to achieve his end.


What can you do to stop the IoT botnet?

How can you protect yourself -- and others -- against these IoT attacks?

The first step is to make sure your own devices don't wind up getting caught up in a botnet. Change the default settings on your routers, remote access cameras, and other internet-facing devices. Be sure to update the firmware on your IoT devices, too.

IoT device manufacturers, meanwhile, need to pay more attention to security themselves and better encourage end users to take this action.
