How zombie cameras took down Netflix... and an entire country's internet
Once used to harass Minecraft players and illicitly mine Dogecoin, the Internet of Things botnet -- a large, malware-infected collection of smart home cameras, DVRs, routers and more -- has since been turned into a powerful weapon by cybercriminals. Hackers have used large bursts of data from it to silence journalists, cause hundreds of millions in damage, and shut down an entire country's internet infrastructure.
Control of this growing botnet has passed from hacker to hacker over the past few years as it grows larger and more dangerous with time. Here's how the threat has evolved.
The weak security link
There's one thing that almost all Internet of Things attacks have in common: they all exploit the lax default security settings shipped in consumer devices.
One of the earliest IoT scare stories dates back to August 2013, when a hacker gained remote access to an unsecured Foscam Baby Monitor and used the two-way mic to shout obscenities at a toddler. Many cameras remain unprotected and are easily searchable online.
The Early IoT Hacks: Baby Spying
Because so few people thought to secure these devices -- and because security was often an afterthought for manufacturers -- infected monitors and home security cameras make up the backbone of the IoT botnet.
Combined, cameras and set-top boxes (DVRs) represent 95 percent of the devices used in large IoT attacks. Unsecured home routers make up another 4 percent.
Dogecoin and IoT hacks
Hackers quickly began exploiting IoT vulnerabilities for financial gain. The Linux.Darlloz worm, first identified in November 2013, used infected routers and set-top boxes to mine virtual money.
A ZDNET article from March 2014 reports that the crooks had generated 42,438 Dogecoins and 282 Mincoins through the scheme -- less than $200 in total value.
Enter the Lizard
The IoT malware game changed again in September 2014 with the release of the LizardStresser (BASHLITE) malware. It takes over IoT devices using common passwords such as "password" and "123456" and the Shellshock bug.
LizardStresser increased the size of the IoT zombie botnet. As of 2016, more than 1 million devices (including home routers) had been infected by a form of BASHLITE malware.
The first generation of IoT DDoS attacks
The LizardStresser botnet can launch distributed denial of service (DDoS) attacks at a rate of 400 Gbps.
It's been used against targets ranging from large banks to telecom providers to government agencies, ZDNET reported. LizardStresser has also been used in DDoS attacks on Xbox Live and PlayStation Network.
Malware motivated by Minecraft money
With the IoT botnet growing, criminals devised a more profitable use for it: Selling DDoS attacks to the highest bidder. In late 2014, a hacking collective called Lizard Squad took control of the IoT botnet and sold access to an illegal control tool.
Private Minecraft servers were popular targets. Owners would pay to launch costly DDoS attacks on their competitors, hoping to lure their customers away to a purportedly more secure server.
A vigilante IoT attack?
With control of the IoT botnet swinging back and forth between hackers, a group of white hats tried to secure unprotected devices with "good malware." Released in November 2014, Linux.Wifatch infects IoT devices, scans for and deletes malware, and then closes up Telnet access to block future attackers.
Interestingly enough, the hackers hid a special message inside their code: "To any NSA and FBI agents reading my email: Please consider whether defending the US Constitution against all enemies, foreign or domestic, requires you to follow Snowden's example."
In August 2016, a hacker calling himself Anna Senpai took near-monopolistic control of the IoT botnet via his Mirai malware. Named after an anime series, Mirai deletes previous IoT infections and replaces the malicious code with its own.
Like other IoT malware, Mirai tries 60 common factory-default usernames and passwords in its attacks. At its peak, Mirai was infecting 4,000 IoT devices per hour.
The most well-known Mirai attack in the U.S. happened on October 21, 2016. On that date, a record-breaking 1.2 Tbps DDoS blast from 100,000 infected devices took down the servers of Dyn, a global domain name system (DNS) service provider.
The attack took down a large number of major websites, including Netflix, Twitter, Amazon, CNN and more.
IoT hackers vs. journalists
Around the same time, the Mirai botnet targeted security expert and blogger Brian Krebs of KrebsOnSecurity.com with a massive, 623 Gbps DDoS attack. It was purportedly launched in retribution for a Krebs story that led to the arrest of two Israeli teenagers.
Akamai dropped its pro bono support for Krebs' website as a result, as the cost of defending against the attacks rose into the millions of dollars. His site is now protected by Google's Project Shield.
Is this Anna Senpai?
In a lengthy blog posting, Krebs singled out Rutgers University student Paras Jha as Anna Senpai, the person allegedly behind the Mirai worm who attacked his site.
According to Krebs' report, Jha has connections to the Minecraft DDoS protection racket. For his part, Jha has not been charged with a crime, though he has been questioned by the FBI regarding the attack.
A major attack against Liberia
But that's not all. The Mirai Botnet is also responsible for taking down the entire internet infrastructure in Liberia in a November 2016 DDoS attack.
More than 600 Gbps of data clogged the country's lone undersea cable, causing Liberia's net access to flicker in and out for two weeks.
In which the IoT botnet attempts to influence an election
The Mirai botnet attacked the website of Donald Trump twice, on Sunday, November 6 and again on Monday, November 7. On Monday, the botnet also launched a similar attack against Hillary Clinton's website. Neither was taken offline.
Another pre-election attack targeted a phone bank company, with negative effects on both Republican and Democratic campaigns.
Leet Botnet: Mirai's successor
Already, an even greater IoT threat than Mirai has been identified. On December 21, 2016, the Imperva Incapsula network was targeted with a 650 Gbps DDoS blast.
The company believes that the attacker, unable to resolve the IP address of his intended victim, simply launched an attack against the anti-DDoS network as a whole to achieve his end.
What can you do to stop the IoT botnet?
How can you protect yourself -- and others -- against these IoT attacks?
The first step is to make sure your own devices don't wind up getting caught up in a botnet. Change the default settings on your routers, remote access cameras, and other internet-facing devices. Be sure to update the firmware on your IoT devices, too.
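A defender-side checklist for that advice, as an added example that is not part of the original article: it audits a small inventory of devices for the weaknesses the botnets described above feed on, namely factory-default credentials, Telnet left open, administration reachable from the internet, and out-of-date firmware. The configuration fields, the default-credential list and the sample devices are constructed for illustration; a real list would come from the vendor's documentation.

```python
"""Audit home IoT devices against the hardening advice in the article.

Added example. The DeviceConfig fields, the credential denylist and the
sample inventory are assumptions made for illustration, not any vendor's
real format or list.
"""
from dataclasses import dataclass

# Constructed denylist of factory-default username/password pairs of the
# kind the article says LizardStresser and Mirai try ("password", "123456").
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "123456"),
    ("root", "root"),
    ("root", ""),
}
# Passwords that are weak regardless of the username they are paired with.
WEAK_PASSWORDS = {"", "password", "123456", "12345", "1234", "admin"}
MIN_PASSWORD_LENGTH = 12


@dataclass
class DeviceConfig:
    """Hypothetical snapshot of a device's settings (assumed field names)."""
    name: str
    username: str
    password: str
    telnet_enabled: bool
    wan_admin_enabled: bool   # admin UI reachable from the internet side
    firmware_version: str
    latest_firmware: str      # assumed known from the vendor's release notes


def version_tuple(version: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def audit_device(cfg: DeviceConfig) -> list:
    """Return a list of findings; an empty list means the device passes."""
    findings = []
    if (cfg.username, cfg.password) in DEFAULT_CREDENTIALS:
        findings.append("factory-default username/password pair is still set")
    elif cfg.password.lower() in WEAK_PASSWORDS:
        findings.append("password is on the common-default list")
    elif len(cfg.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    if cfg.telnet_enabled:
        findings.append("Telnet is enabled")
    if cfg.wan_admin_enabled:
        findings.append("admin interface is reachable from the internet")
    if version_tuple(cfg.firmware_version) < version_tuple(cfg.latest_firmware):
        findings.append(
            f"firmware {cfg.firmware_version} is behind {cfg.latest_firmware}")
    return findings


def audit_inventory(devices) -> dict:
    """Map each device name to its findings."""
    return {d.name: audit_device(d) for d in devices}


# Constructed sample inventory: one device still on factory settings,
# one that has been hardened as the article recommends.
SAMPLE_DEVICES = [
    DeviceConfig("hallway-camera", "admin", "admin", True, True, "1.4.2", "1.6.0"),
    DeviceConfig("living-room-dvr", "admin", "Sunflower-Kettle-2016",
                 False, False, "2.1.0", "2.1.0"),
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_DEVICES).items():
        status = "OK" if not findings else f"{len(findings)} finding(s)"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The default-pair check runs before the generic weak-password check so that a device still on its shipped credentials is reported as such rather than as merely "weak"; the two conditions call for the same fix, but the first one is the one that puts a device into a botnet's rotation.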
IoT device manufacturers, meanwhile, need to pay more attention to security themselves and better encourage end users to take this action.