Malware targeting Internet of Things (IoT) devices is becoming more and more prevalent, with new families discovered every month, and nearly all of them operate the same way.
IoT malware, which usually targets the various Linux flavors used to power these devices, is rarely a danger to the people or companies that own the devices, but rather to everyone else.
Virtually all IoT malware discovered in the past two years has been seen doing the same thing. The infection starts with a crook, or an automated scanner, brute-forcing the device's administrative login over an exposed remote-administration service such as Telnet or SSH, cycling through thousands of username and password combinations.
If users haven't changed their device's default credentials, the attacker usually gets in within seconds. At this point, the attacker drops and runs a malware binary on the device, which connects to one of its command and control servers, ensnaring the device in a worldwide botnet used mainly to execute DDoS attacks, relay proxy traffic for the crooks, and brute-force other IoT devices.
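As an added illustration (not part of the original article), the following Python script shows what the brute-force stage described above looks like from the defender's side. It parses a handful of constructed dropbear-style authentication log lines, flags any source that racks up repeated failed logins within a short window, and reports when that same source then logs in successfully, which is the point at which a default-credential device has been taken over. The host name, addresses, usernames, timing and thresholds are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of syslog-style authentication lines in the format the
# dropbear SSH server (common on embedded Linux) uses. Hostname, addresses,
# usernames and timing are invented for this example; this is not real log data.
SAMPLE_LOG = """\
Aug 12 03:14:01 cam01 dropbear[412]: Bad password attempt for 'root' from 198.51.100.7:51022
Aug 12 03:14:02 cam01 dropbear[413]: Bad password attempt for 'admin' from 198.51.100.7:51024
Aug 12 03:14:02 cam01 dropbear[414]: Bad password attempt for 'root' from 198.51.100.7:51026
Aug 12 03:14:03 cam01 dropbear[415]: Bad password attempt for 'pi' from 198.51.100.7:51028
Aug 12 03:14:04 cam01 dropbear[416]: Bad password attempt for 'ubnt' from 198.51.100.7:51030
Aug 12 03:14:05 cam01 dropbear[417]: Password auth succeeded for 'root' from 198.51.100.7:51032
Aug 12 03:20:44 cam01 dropbear[502]: Bad password attempt for 'root' from 203.0.113.9:40001
Aug 12 03:22:10 cam01 dropbear[510]: Password auth succeeded for 'admin' from 192.0.2.25:33120
Aug 12 03:22:11 cam01 cron[511]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"(?P<event>Bad password attempt|Password auth succeeded) for '(?P<user>[^']+)' "
    r"from (?P<ip>[\d.]+):\d+$"
)


def parse_auth_log(text):
    """Return a chronologically sorted list of (timestamp, source_ip, username, succeeded).

    Lines that are not login attempts (other daemons, malformed lines) are skipped.
    Syslog timestamps carry no year, so they are only compared relative to each other.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["event"] == "Password auth succeeded"))
    return sorted(events)


def detect_bruteforce(events, threshold=5, window=60):
    """Flag sources with at least `threshold` failed logins inside any `window`-second span.

    For each flagged source, record the usernames it tried and, if a successful login
    followed one of its failures within `window` seconds, the account it got into
    (the likely moment of compromise).
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if not e[3]]
        # Sliding window over the sorted failure timestamps.
        start, burst = 0, False
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                burst = True
                break
        if not burst:
            continue  # a single typo by the owner is not a brute-force attempt

        compromised_as = None
        for ts, _, user, ok in evs:
            if ok and any(0 <= (ts - f[0]).total_seconds() <= window for f in fails):
                compromised_as = user
        findings[ip] = {
            "failures": len(fails),
            "guessed_users": {e[2] for e in fails},
            "compromised_as": compromised_as,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        verdict = f"COMPROMISED as '{info['compromised_as']}'" if info["compromised_as"] else "attempted only"
        print(f"{ip}: {info['failures']} failures, tried {sorted(info['guessed_users'])}, {verdict}")
```

On the sample, only 198.51.100.7 is flagged: five failures in three seconds followed by a successful root login. The lone failure from 203.0.113.9 and the clean admin login from 192.0.2.25 stay silent, which is the behaviour you want from a rule that is meant to page someone.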
In August, Kaspersky reported that Linux-based botnets had become the most popular DDoS botnets on the market.
Only in targeted attacks will you see an IoT device used as a pivot point inside a network; in the vast majority of cases, IoT devices are simply used as bots for DDoS attacks.
All of this is made easier by device owners who never replace their devices' default passwords. According to Symantec, the table below shows the usernames and passwords most often encountered on IoT devices around the world.
| Top usernames | Top passwords |
As you can see, most are easy guesses, and many are the factory-default credentials for equipment running Raspberry Pi images, Ubuntu, or other common platforms.
According to Symantec, most of today's IoT malware is built for multiple architectures and can target all the major IoT hardware platforms: x86, ARM, MIPS and MIPSEL (little-endian MIPS). Some malware families go beyond these and also ship builds for PowerPC, SuperH and SPARC.
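Responders triaging one of these cross-platform families typically recover a set of payloads, one per architecture, whose file names may or may not match their contents. The ELF header is the ground truth. The Python below is an added example, not code from the article or from Symantec: it decodes the class, byte order and machine fields of an ELF header and so tells x86, big-endian MIPS, MIPSEL, ARM, PowerPC, SuperH and SPARC builds apart, including the case where a payload turns out not to be an ELF binary at all. The sample headers it inspects are constructed inside the script and the file names are invented.

```python
import struct

# e_machine values from the ELF specification for the architectures the
# article names (plus the 64-bit x86 and ARM variants for completeness).
E_MACHINE = {
    0x02: "SPARC",
    0x03: "x86",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x28: "ARM",
    0x2A: "SuperH",
    0x3E: "x86-64",
    0xB7: "AArch64",
}

E_TYPE = {1: "REL", 2: "EXEC", 3: "DYN"}


def identify_elf(blob):
    """Decode the first 20 bytes of an ELF header.

    Returns a dict with bit width, endianness, machine and object type, or None
    if the data is not an ELF file (for example a shell-script dropper).
    """
    if len(blob) < 20 or blob[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = blob[4], blob[5]
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        return None  # malformed e_ident
    # e_type and e_machine are stored in the file's own byte order, so EI_DATA
    # must be honoured or a big-endian MIPS sample decodes as machine 0x0800.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, blob[16:20])
    machine = E_MACHINE.get(e_machine, f"unknown(0x{e_machine:04x})")
    if e_machine == 0x08:
        # Droppers ship separate "mips" (big-endian) and "mipsel" builds; the
        # machine field is identical, only EI_DATA differs.
        machine = "MIPS" if ei_data == 2 else "MIPSEL"
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "machine": machine,
        "type": E_TYPE.get(e_type, f"0x{e_type:x}"),
    }


def make_elf_header(ei_class, ei_data, e_machine, e_type=2):
    """Build a minimal ELF header for testing. Constructed data, not a real binary."""
    ident = b"\x7fELF" + bytes([ei_class, ei_data, 1, 0]) + b"\x00" * 8
    fmt = ("<" if ei_data == 1 else ">") + "HHI"
    return ident + struct.pack(fmt, e_type, e_machine, 1)  # e_version = 1


# Constructed stand-ins for the per-architecture payloads such a family carries.
# The names are invented; "bot.mips" and "bot.mipsel" differ only in byte order,
# and "dropper.sh" is not an ELF file at all.
SAMPLES = {
    "bot.x86": make_elf_header(1, 1, 0x03),
    "bot.arm": make_elf_header(1, 1, 0x28),
    "bot.mips": make_elf_header(1, 2, 0x08),
    "bot.mipsel": make_elf_header(1, 1, 0x08),
    "bot.ppc": make_elf_header(1, 2, 0x14),
    "bot.sh4": make_elf_header(1, 1, 0x2A),
    "bot.spc": make_elf_header(1, 2, 0x02),
    "dropper.sh": b"#!/bin/sh\n# shell wrapper, not an ELF binary\n",
}


def triage(samples):
    """Map each sample name to its decoded architecture, or None for non-ELF data."""
    result = {}
    for name, data in samples.items():
        info = identify_elf(data)
        result[name] = info["machine"] if info else None
    return result


if __name__ == "__main__":
    for name, arch in triage(SAMPLES).items():
        print(f"{name:12} {arch or 'not ELF'}")
```

Reading `EI_DATA` before the 16-bit fields is the detail that matters here: a decoder that assumes little-endian will misclassify every big-endian MIPS, PowerPC and SPARC build, which is exactly the set of "unusual" architectures the article says some families add.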