'InterPlanetary Storm' Botnet Infecting Mac, Android DevicesResearchers Describe How Malware Is Targeting Broader Range of Devices
A recently updated version of the "InterPlanetary Storm" botnet is now infecting Mac and Android devices as well as those running Windows and Linux, researchers at Barracuda Networks say.
The botnet, which has infected more than 13,000 devices in 84 countries worldwide, continues to grow, according to Barracuda. The majority of the infections are in Asia, although some have been spotted in the U.S., Canada, Europe and Brazil.
The updated version of the botnet attempts to compromise devices through the use of a dictionary attack - a type of brute force method that guesses passwords - aimed against SSH servers, Barracuda Networks researchers say. This is similar to attacks used to spread FritzFrog, another type of peer-to-peer botnet that also attacks SSH services (see: 'FritzFrog' P2P Botnet Targets SSH Servers).
The InterPlanetary Storm botnet can also infect devices by taking advantage of unsecured or open Android Debug Bridge servers - command-line tools developers can use to connect to devices, according to the research report.
"The malware detects the CPU architecture and running OS of its victims, and it can run on ARM-based machines, an architecture that is quite common with routers and other [internet of things] devices," Erez Turjeman, a researcher with Barracuda, notes in the report published Thursday.
The botnet could be used to mine for cryptocurrency or to start distributed denial-of-service attacks or other large-scale attacks, the report states.
The first versions of the InterPlanetary Storm botnet that appeared in May 2019 targeted Windows-based devices. By June 2019, however, the malware could also compromise Linux devices.
The latest version, which Barracuda detected in August, has expanded to target Macs as well as IoT devices, such as televisions running the Android operating system, according to the report. The botnet is also targeting vulnerable Linux-based routers with poorly configured SSH services.
The latest InterPlanetary Storm botnet is written in the Go programming language. The operators of the malware also use the Go implementation of libp2p, a type of framework that allows developers to write decentralized P2P apps.
"The malware is called InterPlanetary Storm because it uses the InterPlanetary File System (IPFS) p2p network and its underlying libp2p implementation," the report notes. "This allows infected nodes to communicate with each other directly or through other nodes (i.e., relays).”
After spreading through vulnerable SSH servers or unsecured Android Debug Bridge servers, InterPlanetary Storm infects devices, and then the malware scans for honeypots to help avoid detection, according to the report.
The botnet also receives auto-updates from its command and control server and kills other processes on the compromised devices, such as debuggers and other types of malware. In this way, it maintains its presence and eliminates competition, according to the report.
About 59% of infected devices are in Hong Kong, South Korea or Taiwan, according to the report. Another 8% are located in Russia and Ukraine, 6% in Brazil and 5% in the U.S. and Canada.
Other Botnet Activity
In September, IBM's X-Force unit reported that Mozi, a relatively new peer-to-peer botnet, accounted for 90% of the global IoT network traffic that the company tracks. This botnet targets consumers' IoT devices as well as connected devices used by enterprises (see: Researchers Find Mozi Botnet Continues to Grow).
The firm Cado Security in August identified a cryptomining botnet that can steal Amazon Web Services user credentials (see: Cryptomining Botnet Steals AWS Credentials).