/iot-malware

Malware source code samples leaked online uploaded to GitHub for those who want to analyze the code

Primary LanguageC

IoT Malware

If you find this repo useful in your research, please consider citing:

@misc{iot-malware-2017,
  author = {Fei Ding},
  title = {IoT Malware},
  year = {2017},
  howpublished = {\url{https://github.com/ifding/iot-malware}}
}

@inproceedings{ding2020deeppower,
  title={DeepPower: Non-intrusive and Deep Learning-based Detection of IoT Malware Using Power Side Channels},
  author={Ding, Fei and Li, Hongda and Luo, Feng and Hu, Hongxin and Cheng, Long and Xiao, Hai and Ge, Rong},
  booktitle={Proceedings of the 15th ACM Asia Conference on Computer and Communications Security},
  pages={33--46},
  year={2020}
}

I'm not the author of any of the code available here. This repository contains malware source code samples leaked online (and found in multiple other sources), I uploaded it to GitHub to simplify the process of those who want to analyze the code.

Any actions and/or activities related to the material contained within this repository is solely your responsability. Misuse of the information in this repository can result in criminal charges being brought against the persons in question. I will not be held responsible in the event any criminal charges are brought against any individuals misuing the code in this repository to break the law.

This repository does not promote any hacking related activity. All the information in this repository is for educational purposes only.

Evolution

The list of IoT botnet malwares discussed below is not complete:

  • Linux/Hydra is the earliest known malware targeting IoT devices. It is an open source botnet framework released in 2008. It was designed for extensibility and features both a spreading mechanism and DDoS functionality.

  • LightAidra/Aidra is a IRC-based mass scanning and exploitation tool support on several architectures, namely MIPS, MIPSSEL, ARM, PPC, x86/86-64 and SuperH. Malware is designed to search open telnet ports that could be accessed using known default credentials. The source code of LightAidra is freely available on the Internet as open source project.

  • Linux.Wifatch is an open-source malware which infects the IoT devices with weak or default credentials. Once infected, it removes other malwares and disables telnet access while logging the message "Telnet has been closed to avoid further infection of theis device. Please disable telnet, change telnet passwords, and/or update the firmware." in the device logs. Wifatch uses peer-to-peer network to update the malware definition and deletes remnants of malware which remain in the IoT devices.

  • BASHLIFE/Lizkebab/Torlus/gafgyt is one of the popular malware which infects Linux based IoT devices to launch DDoS attacks. It was reported that BASHLIFE is responsible for enslaving over 1 million IoT devices, constituting mostly of Internet enabled cameras and DVRs. It is capable of launching attack of up to 400 Gpbs. Most BASHLIFE attacks are simple UDP, TCP floods and HTTP attacks. BASHLIFE infect a IoT device by brute-forcing its telnet access using known default credentials. One interesting aspect of BASHLIFE is that malware payload deployed in IoT devices has the BASHLIFE's C2s IP addresses hard-coded into it and are easier to monitor. Most of the infected devices are located in Taiwan, Brazil and Columbia. The source code of BASHLIFE was partly leaked in early 2015 and has led to many variants. BASHLIFE is considered the predecessor of Mirai and is in direct competition for vulnerable IoT real estate.

  • Mirai is one of the most predominant DDoS IoT botnet in recent times. Mirai means "the future" in Janpanese. Mirai botnet is definitely the next step in IoT DDoS malwares, however not as sophisticated as Remaiten but most effective. Mirai botnet is famous for being used in the record breaking 1.1Tbps DDoS attack with 148000 IoT devices. Mirai targets mostly CCTV cameras, DVRs, and hoem routers. Since the release of the Mirai source code, the number of IoT infected devices has increased from 213000 to 483000 in just two weeks. Mirai generates floods of GRE IP, GRE ETH, SYN and ACK, STOMP, DNS, UDP, or HTTP traffic against a target during a DDoS attack. More recently, Mirai has been found to be enhanced to infect Windows devices, helping hackers hijack even more devices. This enhanced Mirai could also identify and compromise database services like MySQL and Microsoft SQL running on different ports to create new admin "phpminds" with the password "phpgodwith" allowing the hackers to steal the database. The awareness of IoT botnets in recent times attributes to Mirai and the volume of traffic generated during its DDoS attacks.

Disclaimer

This repository is for research purposes only, the use of this code is your responsibility.

I take NO responsibility and/or liability for how you choose to use any of the source code available here. By using any of the files available in this repository, you understand that you are AGREEING TO USE AT YOUR OWN RISK. Once again, ALL files available here are for EDUCATION and/or RESEARCH purposes ONLY.