Three newcomers after the Mirai IoT botnet: Leet, Amnesia, and Brickerbot

Mirai has become the most widely used IoT bot malware and has appeared in many large attacks, but it is not the only one. Security companies have detected many other malware families that target IoT devices; these are also dangerous and have been used in real attacks, for example the Leet and Amnesia botnets. IoT botnets may be among the most frightening dangers in the threat landscape, and IoT devices that are poorly configured and have security vulnerabilities are the ones hackers favor most.

In August 2016, the security research team MalwareMustDie analyzed a new type of ELF Trojan backdoor sample, which is called ELF Linux/Mirai and is specifically designed for IoT devices.

This blog post introduces the major IoT botnets that have recently been observed in real attacks and analyzes the related attack scenarios.

Leet botnet

Before Christmas last year, on the morning of December 21, experts at Imperva detected a large-scale attack against the company. This large DDoS attack was launched by the Leet botnet and peaked at 650 Gbit/s. The botnet targeted several anycast IP addresses on the Imperva Incapsula network.

After investigating the attack, experts found that the botnet consists of thousands of compromised IoT devices. The attack was not targeted at a specific customer of the company. It is likely that the attacker could not resolve the victim's IP address, because the Incapsula proxies hide it. The analysis released by Imperva states:

"It is difficult to draw a conclusion about why the attack was not targeted at a specific customer. The most likely cause is that the attacker could not resolve the actual victim's IP address, because these addresses are hidden by the Incapsula proxies."

Incapsula detected two distinct DDoS attacks. The first attack lasted for 20 minutes with a peak traffic of 400 Gbit/s. The second attack lasted for about 17 minutes with a maximum traffic of 650 Gbit/s.

"The first DDoS attack lasted about 20 minutes, with peak traffic of 400 Gbps. This attack did not achieve any actual results, so the attacker made a comeback and launched a second attack. This time, the botnet generated 650 Gbps of DDoS traffic, with the number of packets per second (Mpps) reaching 1.5 billion," the same analysis says.

Both attacks failed, but because the attackers used spoofed IP addresses, researchers were unable to trace the real source of the attacks.

Analysis of the malicious traffic showed that the attack was launched by the Leet botnet; the malware is named after the "signature" found in the packets. According to Imperva's analysis:

"We first noticed that the attackers left various 'signatures' in some of the normal-sized SYN packets. In the TCP header options of these packets, the values were carefully arranged to spell '1337'. By the way, 1337 is internet slang for 'leet' or 'elite'."

Experts also noted that the large SYN packets (799 to 936 bytes) contain seemingly random strings, and some also contain fragments of IP address lists.

"This means that the malware we faced accesses local files (logs and iptable lists) and pieces their contents together to generate its packets."

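The SYN packets described above carry data, which ordinary connection attempts almost never do, so payload size on a bare SYN is a usable triage signal. The following is an added example, not code from Imperva or from the original post: a small classifier for raw IPv4 packets that also returns the parsed TCP options so an analyst can inspect their values. It assumes the 799 to 936 byte range refers to total IP length, does not try to reproduce the '1337' option layout (the post does not specify it), and the names `classify`, `tcp_options` and `build_syn` are hypothetical.

```python
import struct

LARGE_SYN_BYTES = range(799, 937)  # size range quoted above, taken as total IP length (assumption)

def tcp_options(raw):
    """Walk the TCP option TLVs and return [(kind, value_bytes), ...]."""
    opts, i = [], 0
    while i < len(raw) and raw[i] != 0:          # kind 0 = end of option list
        if raw[i] == 1:                          # kind 1 = NOP, a single byte
            opts.append((1, b""))
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        opts.append((raw[i], raw[i + 2:i + raw[i + 1]]))
        i += raw[i + 1]
    return opts

def classify(packet):
    """Return (label, payload_len, options) for one raw IPv4 packet."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6:                           # IP protocol 6 = TCP
        return ("not-tcp", 0, [])
    tcp = packet[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    syn, ack = tcp[13] & 0x02, tcp[13] & 0x10
    payload_len = len(tcp) - data_off
    opts = tcp_options(tcp[20:data_off])
    if not syn or ack:
        return ("not-syn", payload_len, opts)
    if payload_len == 0:
        return ("syn", payload_len, opts)
    label = "large-syn" if total_len in LARGE_SYN_BYTES else "syn-with-payload"
    return (label, payload_len, opts)

def build_syn(payload=b"", options=b"\x02\x04\x05\xb4", flags=0x02):
    """Construct a sample IPv4/TCP packet (checksums left at zero; test data only)."""
    options += b"\x00" * (-len(options) % 4)     # pad options to a 32-bit boundary
    off = (20 + len(options)) // 4
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, off << 4, flags, 1024, 0, 0) + options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return ip + tcp

if __name__ == "__main__":
    for pkt in (build_syn(), build_syn(payload=b"A" * 800), build_syn(flags=0x12)):
        print(classify(pkt)[:2])
```
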
IoT botnet Amnesia targets unpatched DVRs

The Amnesia botnet exploits an unpatched remote code execution vulnerability that was discovered by security researcher Rotem Kerner more than a year ago. Amnesia targets embedded systems, especially DVRs (digital video recorders) produced by Tongwei Digital Technology Co., Ltd in China. The company's products are currently sold all over the world under more than 70 brands.

In March 2016, Kerner reported the detected vulnerability to the DVR manufacturer, but received no response. One year later, he decided to release the vulnerability details.

According to an analysis by Palo Alto Networks (PAN) researchers, Amnesia is a variant of the Tsunami botnet. Tsunami is a downloader/IRC bot backdoor that cyber criminals use to launch DDoS attacks.

According to PAN's network scan results, the vulnerability has still not been fixed, and about 227,000 DVR devices worldwide are affected by it.

"According to our scan data (as shown in the following illustration), this vulnerability affects about 227,000 devices around the world; Taiwan, the United States, Israel, Turkey and India are the hardest-hit areas," PAN said in its published analysis.

The Amnesia botnet exploits a remote code execution vulnerability that allows attackers to take full control of the devices.

The Censys search engine was used for analysis and more than 700,000 IP addresses were obtained.

"In addition, using the 'Cross Web Server' fingerprint, we found more than 227,000 devices that may come from Tongwei Digital Technology Co., Ltd. We also searched for this keyword on two websites, which returned about 50,000 and 705,000 IP addresses respectively," PAN said.

Experts consider the Amnesia botnet extremely sophisticated because of its use of evasion techniques. Malware researchers believe that Amnesia is the first Linux IoT malware that uses virtual machine evasion techniques to defeat malware analysis sandboxes.

"Virtual machine evasion techniques are more common in Microsoft Windows and Google Android malware. Similarly, Amnesia tries to check whether it is running in a VirtualBox, VMware, or QEMU-based virtual machine. If one of these environments is detected, Amnesia deletes all files in the file system to wipe the virtualized Linux system."

The analysis adds, "This not only affects Linux malware analysis sandboxes, but also some QEMU-based Linux servers on VPS or public cloud."

PAN experts speculate that Amnesia will become one of the major botnets in the threat landscape and that it can be used for large-scale attacks.

Brickerbot permanently destroys IoT devices

A few weeks ago, on March 20, Radware researchers discovered a new botnet. It has many similarities with the Mirai botnet and is named Brickerbot. The main difference between the two is that Brickerbot's malware can cause permanent damage to improperly configured IoT devices.

Brickerbot attacked honeypots that Radware had deployed for malware analysis. Through these purpose-built honeypot servers, Radware detected BrickerBot attacks from 1895 IP addresses around the world, and 333 further attempts carried out through the Tor network.

"Within four days, Radware's honeypot recorded 1895 PDoS attempts from all over the world. Their only purpose was to compromise IoT devices and destroy their memory," according to Radware's analysis report. "The two paths (Internet/Tor, BrickerBot.1/BrickerBot.2) were about one hour apart. BrickerBot.2 carries out a more thorough PDoS, and its location is hidden behind Tor exit nodes."

The Brickerbot botnet brute-forces its way into IoT devices over Telnet, a technique also used by the Mirai botnet.

Bricker is difficult to analyze because it does not download a binary, which means Radware experts could not retrieve the complete list of credentials the malware uses for brute-forcing. Malware researchers could only observe that the username/password pair for the first login attempt is root/vizxv.

"Bricker does not download a binary, therefore Radware was unable to obtain the complete list of credentials used for the brute-force attack. We could only record that the first attempted username/password pair is root/vizxv," the advisory added.

Experts explained that the malware targets Linux-based IoT devices running BusyBox whose Telnet ports are open and exposed to the Internet.

The PDoS attacks originate from a limited number of IP addresses. The attacked devices all have port 22 open and run an old version of the Dropbear SSH service. Most of the devices attacked by the botnet are identified by Shodan as Ubiquiti devices.

The malicious code first obtains access to the device, then wipes the device's storage with the rm -rf /* command, disables TCP timestamps, and limits the maximum number of kernel threads to one.

The Brickerbot malware then flushes all iptables firewall and NAT rules and adds a rule that drops all outgoing packets. Brickerbot attempts to erase all code on the affected IoT device and make it unusable.
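Because Bricker downloads no binary, the command sequence in the Telnet session is the main thing a honeypot can match on. The sketch below is an added example, not Radware's tooling or code from the original post: it scores honeypot sessions by how many of the post-login actions listed above they contain. The log format, the sample lines, the regexes and the function name `score_sessions` are all constructed assumptions.

```python
import re

# Post-login actions the article attributes to Brickerbot. The regexes are
# assumptions about how each action would appear on a BusyBox command line.
DESTRUCTIVE = {
    "wipe_filesystem":    re.compile(r"\brm\s+-rf\s+/\*"),
    "disable_timestamps": re.compile(r"tcp_timestamps\s*=\s*0"),
    "limit_threads":      re.compile(r"threads-max\s*=\s*1\b"),
    "flush_iptables":     re.compile(r"\biptables\s+(-t\s+nat\s+)?(-F|--flush)\b"),
    "drop_outgoing":      re.compile(r"\biptables\s+-[AI]\s+OUTPUT\b.*-j\s+DROP\b"),
}
FIRST_LOGIN = ("root", "vizxv")   # the only credential pair Radware could record

# Constructed honeypot log: "<session> LOGIN <user> <password>" or "<session> CMD <line>"
SAMPLE_LOG = """\
s1 LOGIN root vizxv
s1 CMD sysctl -w net.ipv4.tcp_timestamps=0
s1 CMD sysctl -w kernel.threads-max=1
s1 CMD iptables -F
s1 CMD iptables -t nat -F
s1 CMD iptables -A OUTPUT -j DROP
s1 CMD rm -rf /*
s2 LOGIN admin admin
s2 CMD cat /proc/cpuinfo
s3 LOGIN root vizxv
s3 CMD iptables -L
"""

def score_sessions(log_text, threshold=3):
    """Group log lines by session; flag sessions with >= threshold destructive actions."""
    sessions = {}
    for line in log_text.splitlines():
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue
        sid, kind, rest = parts
        s = sessions.setdefault(sid, {"default_cred": False, "actions": set()})
        if kind == "LOGIN":
            s["default_cred"] |= tuple(rest.split(None, 1)) == FIRST_LOGIN
        elif kind == "CMD":
            s["actions"] |= {name for name, rx in DESTRUCTIVE.items() if rx.search(rest)}
    return {sid: {"default_cred": s["default_cred"], "actions": sorted(s["actions"]),
                  "pdos": len(s["actions"]) >= threshold}
            for sid, s in sessions.items()}
```

Requiring several distinct actions keeps a lone `iptables -L` or a default-credential login from being labelled as a PDoS attempt.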

Radware experts provide the following suggestions on how to protect IoT devices:


Unfortunately, the number of IoT botnets will continue to increase. These powerful infrastructures are very flexible, and criminals can use them for many criminal purposes. Most IoT devices exposed on the Internet are not secure enough, which is one of the biggest problems in today's IT industry. IT vendors must ensure the security of their IoT devices. For more information, see the IoT security white paper.

