Interplanetary Storm uses P2P networks, mainly on IoT devices running Android.
Around 9,000 devices, most of them running Android, Linux or Darwin, have been absorbed into the so-called “Interplanetary Storm” botnet, whose main purpose is to build a for-profit proxy service that is presumably meant to be offered on the Internet as an anonymous proxy.
The report describes the roles of the nodes involved:
“Together, these nodes are responsible for checking node availability, connecting to proxy nodes, hosting the Web API service, signing authorized messages, and even testing the malware in the development phase.”
This is what researchers from the Romanian anti-virus vendor Bitdefender wrote in a report published on Thursday. “This, along with other development decisions, leads us to believe that the botnet is being used as a proxy network, which may be offered as an anonymization service.”
It's not the first time researchers have found botnets used to provide networks for quasi-anonymous Internet use. Security journalist Brian Krebs reported on it as early as 2008.
Other researchers have documented it as well. One detail Bitdefender found interesting is that the anonymous proxy was advertised on the clearnet rather than on darknet forums.
Machines are infected by scanning for SSH (secure shell) servers; when one is found, the malware attempts to guess weak passwords. The malware, written in the Go programming language, then implements a botnet with an original design: its core functionality was written from the ground up rather than borrowed from previously seen botnets.
The code integrates open-source implementations of protocols such as NTP, UPnP and SOCKS5, and it uses the libp2p library for peer-to-peer functionality. A libp2p-based network stack is also used to interact with the InterPlanetary File System, commonly abbreviated IPFS.
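The infection vector described above (scanning for SSH servers and guessing weak passwords) leaves a characteristic trace in the target's authentication log: a burst of failed password attempts from one source address, often against several usernames, sometimes followed by a successful password login. The following detector is an added example written for this article, not code from Bitdefender's report or from the malware; the log lines, hostname, usernames and addresses (documentation ranges 203.0.113.0/24 and 198.51.100.0/24) are constructed, and the threshold and window are assumptions that a defender would tune to their own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format, not taken from any real device).
SAMPLE_AUTH_LOG = """\
Sep 10 14:22:01 nas sshd[1201]: Failed password for root from 203.0.113.5 port 4422 ssh2
Sep 10 14:22:03 nas sshd[1202]: Failed password for admin from 203.0.113.5 port 4423 ssh2
Sep 10 14:22:04 nas sshd[1203]: Failed password for invalid user pi from 203.0.113.5 port 4424 ssh2
Sep 10 14:22:06 nas sshd[1204]: Failed password for root from 203.0.113.5 port 4425 ssh2
Sep 10 14:22:09 nas sshd[1205]: Failed password for root from 203.0.113.5 port 4426 ssh2
Sep 10 14:22:11 nas sshd[1206]: Accepted password for admin from 203.0.113.5 port 4427 ssh2
Sep 10 14:30:00 nas sshd[1300]: Failed password for alice from 198.51.100.7 port 5001 ssh2
Sep 10 15:10:00 nas sshd[1301]: Failed password for alice from 198.51.100.7 port 5002 ssh2
Sep 10 15:10:30 nas sshd[1302]: Accepted publickey for alice from 198.51.100.7 port 5003 ssh2
"""

# Matches OpenSSH's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line, year=2020):
    """Parse one sshd log line into a dict, or return None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumed 2020 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}


def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: details} for every source with at least `threshold` failed
    password attempts inside any `window_seconds` window. `success_after` records
    whether the same source later logged in with a password, which is the signal
    that a guess actually worked."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed" and e["method"] == "password":
            failures[e["ip"]].append(e)

    alerts = {}
    for ip, evs in failures.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until the span fits in window_seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                usernames = sorted({x["user"] for x in evs[start:end + 1]})
                later_success = any(
                    x["ip"] == ip and x["result"] == "Accepted" and x["ts"] >= evs[end]["ts"]
                    for x in events
                )
                alerts[ip] = {"failures": end - start + 1,
                              "usernames": usernames,
                              "success_after": later_success}
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the constructed sample the first address trips the detector (five password failures in eight seconds against root, admin and pi, then an accepted password login), while the second address, with two failures forty minutes apart, does not; a sliding window rather than a plain per-address count is what keeps an occasional legitimate typo from looking like a scanner.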
“Compared to other Golang malware we have analyzed in the past, IPStorm is notable in its complex design due to the interaction of its modules and the way it takes advantage of libp2p constructs,” says Thursday's report, which uses IPStorm as shorthand for “Interplanetary Storm.” “It is clear that the threat actor behind the botnet has mastery of Golang.”
Bitdefender estimates that there are around 9,000 unique devices, the vast majority of which are Android devices. Only about 1 percent of the devices run Linux, and only one machine is believed to be running Darwin. Based on clues collected from the operating system version and, where available, the hostname and username, the security firm has identified specific models of routers, NAS devices, TV receivers and general-purpose circuit boards and microcontrollers (e.g. Raspberry Pis) that are likely to make up the botnet.
Many criminals use anonymous proxies for illegal activity such as distributing child pornography, making threats and launching swatting attacks. Thursday's report is a good reminder of why it is important to always change default passwords when setting up Internet of Things devices and, where possible, to disable remote administrative access as well. The cost of not doing so can be not only lost bandwidth and increased power consumption, but also criminal content that is traced back to your network.
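The advice above, changing default passwords and turning off remote administration where possible, can be checked mechanically on devices whose SSH daemon is OpenSSH. The following audit is an added example for this article, not code from Bitdefender or from any device vendor; both configuration texts are constructed, and the rule set (no root login, no password authentication, no empty passwords, a bound listen address, few authentication tries) is this example's own hardening baseline rather than a standard the article cites. Unset directives are resolved to OpenSSH's documented defaults.

```python
import re

# Constructed example of an sshd_config as it might ship on an IoT device (not a real one).
WEAK_CONFIG = """\
# factory default, password logins for root over every interface
Port 22
PermitRootLogin yes
PasswordAuthentication yes
PermitEmptyPasswords yes
"""

# Constructed hardened counterpart: keys only, no root, bound to the LAN address only.
HARDENED_CONFIG = """\
Port 22
ListenAddress 192.168.1.10
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
"""

# OpenSSH defaults for the directives we look at when the file does not set them.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "maxauthtries": "6",
}

# directive -> (acceptable values, explanation of the finding)
CHECKS = {
    "permitrootlogin": ({"no", "prohibit-password"},
                        "root may log in with a password; 'root' is the first account a scanner tries"),
    "passwordauthentication": ({"no"},
                               "password logins allowed; a guessable password is the botnet's entry point"),
    "permitemptypasswords": ({"no"}, "empty passwords accepted"),
}


def parse_sshd_config(text):
    """Return {directive: value} with keys lower-cased. As in sshd, the first
    occurrence of a directive wins. Match blocks apply conditionally and are
    skipped by this simplified parser."""
    settings = {}
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True  # everything after a Match line belongs to that block
            continue
        if in_match:
            continue
        settings.setdefault(key, value)
    return settings


def audit_sshd_config(text):
    """Return a list of human-readable findings; an empty list means the
    configuration meets this example's baseline."""
    settings = parse_sshd_config(text)
    findings = []
    for key, (ok_values, why) in CHECKS.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in ok_values:
            findings.append(f"{key}={value}: {why}")
    if "listenaddress" not in settings:
        findings.append("listenaddress unset: sshd listens on every interface, including the WAN side")
    tries = int(settings.get("maxauthtries", DEFAULTS["maxauthtries"]))
    if tries > 3:
        findings.append(f"maxauthtries={tries}: allows many guesses per connection")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

The weak file produces five findings and the hardened one none. On a device that only supports password logins, the realistic fallback is a long unique password together with binding `ListenAddress` to the LAN so that the service is not reachable from the Internet at all, which is the "disable remote administrative access" half of the advice.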