IoT Botnet Warning Issued by SANS Institute

The SANS institute has issued an IoT botnet warning and has urged security researchers to start monitoring the Internet for attempted IoT device attacks to gather important information on new attack patterns. The information will be used to help tackle the growing problem.

IoT devices now include everything from DVR recorders to washing machines and fridges. Hackers are now attacking these devices, not to obtain data stored on the devices, but to create massive botnets to use in DDoS attacks.

The IoT botnet warning comes after two massive DDoS attacks were conducted in the space of one week. First Krebs on Security was taken down following a huge 620Mbps DDoS attack. That attack was the largest ever reported. Until just a few days later when the French Web host OVH was attacked with a reported blast in excess of 1Tbps. OVH claims that the botnet used for the attack was capable of conducting DDoS attacks of 1.5Tbps.

According to SANS Institute researcher Johannes Ullrich, scans for unsecured IoT devices are now being conducted at unprecedented rates. Ullrich ran a test to find out just how often searches and attacks on IoT devices are taking place. The test involved connecting an old DVR recorder to a cable modem and waiting to see how long it took for the device to be attacked, with Ullrich recording all packets going in and out of the system.

It only took seconds for the first attempted attack to take place. Ullrich said “I didn’t have to wait long. The IP address [was] hit by telnet attempts pretty much every minute. Instead of having to wait for a long time to see an attack, my problem was that the DVR was often overwhelmed by the attacks, and the telnet server stopped responding. I had to reboot it every few minutes.” He said that a couple of times and hour the attacker used the correct password.

The attacker checked to see if a honeypot was being used and checked to make sure the device was not connected to a router. The attacker then conducted some fingerprinting and downloaded binaries to the device before deleting them and any others that were left by other hackers. The attacker then started conducting scans for additional IoT devices at a rate in excess of 100 connections a second.

Ullrich reports that he recovered two binaries. “The first one downloads additional malware via a simple TCP connection, while the second one appears to include the entire telnet scanner.”

Ullrich notes in a recent blog post that many IoT devices have default passwords set. This makes attacks too easy for hackers. The passwords are widely available and even the seemingly more complex passwords used by some manufacturers are far from secure. Ullrich says “it turns out that some DVRs just prepend “7ujMko0” to the web based password,” for example, 7ujMko0admin.

He also reported that in the past few weeks there has been a surge in attempted attacks on DVR machines that have default passwords set. Attacks were conducted at a rate of around 1-3 per day in early September to a peak of 80+ per day at the end of September.

Ullrich’s test was only run on an old DVR. There is a myriad of other IoT devices are connected to the Internet. You can be sure that attempts are being made to infect those devices and build up botnets capable of launching devastating attacks on targets. It would appear that 1Tbps+ botnet attacks could soon become the norm.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of