Machines are infected by scanning for SSH—or secure shell—servers and when found attempting to guess weak passwords. Malware written in the Go programming language then implements a botnet with an original design, meaning its core functionality is written from scratch and doesn’t borrow from previously seen botnets.
The code integrates open source implementations of protocols including NTP, UPnP, and SOCKS5. The code also uses the lib2p library for peer-to-peer functionality. The code further uses a lib2p-based network stack to interact with the Interplanetary File System, which is often abbreviated at IPFS.
“Compared to other Golang malware we have analyzed in the past, IPStorm is remarkable in its complex design due to the interplay of its modules and the way it makes use of libp2p’s constructs,” Thursday’s report said using the abbreviation for Interplanetary Storm. “It is clear that the threat actor behind the botnet is proficient in Golang.”
Once run, the code initializes an IPFS node that launches a series of lightweight threads, known as Goroutines, that in turn implement each of the main subroutines. Among other things, it generates a 2048-bit RSA keypair that belongs to the IPFS node and is used to uniquely identify it.
By the bootstraps
Once a bootstrap process begins, the node is now reachable by other nodes on the IPFS network. Different nodes all use components of lib2p to communicate. Besides communicating for anonymous proxy service, the nodes also interact with each other for sharing malware binaries used for updating. To date, Bitdefender has counted more than 100 code revisions, an indication that IPStorm remains active and receives robust programming attention.
Bitdefender estimated that there are about 9,000 unique devices, with the vast majority of them being Android devices. Only about 1 percent of the devices run Linux, and only one machine is believed to run Darwin. Based on clues gathered from the operating system version and, when available, the hostname and user names, the security firm has identified specific models of routers, NAS devices, TV receivers, and multipurpose circuit boards and microcontrollers (e.g., Raspberry Pis) that likely make up the botnet.
Many criminals use anonymous proxies to transmit illegal data, such as child pornography, threats, and swatting attacks. Thursday’s report is a good reminder why it’s important to always change default passwords when setting up Internet-of-things devices and—when possible—to also disable remote administrative access. The cost of not doing so may not only be lost bandwidth and increased power consumption, but also criminal content that might be traced back to your network.