Main contact: Veronica Valeros, veronica.valeros@aic.fel.cvut.cz, @verovaleros

The number of Internet of Things devices connected to the Internet keeps growing and attackers are not slowing down. Since IoT devices flooded the market, it didn’t take long to realize that they came poorly configured and could be exploited. Attackers quickly adapted and took advantage of this new opportunity to create very large botnets very fast. Which are those botnets? What does the IoT threat landscape look like? How does this malware behave? How is it different from traditional botnets?

IoT Malware Timeline

The goal of the first stage is to create a timeline of IoT malware covering all the families known to date. Methodology:

  • For every IoT malware, collect all meaningful blogs and reports about it.

  • Document the resources found.

  • Find the first mention of the malware and determine a possible year of appearance.

  • Check the resources for other possible malware names or aliases.

  • Repeat.

There are a lot of individual blogs and reports in the area, and getting all the information together is sometimes a bit hard. We are publishing iterative versions of this timeline to get feedback, corrections, and improvements from the community.

C&C Protocols

One of the things we were interested in understanding is which protocols this malware uses for command and control. The following graph is a work in progress of what we have so far; it has inconsistencies and errors, but it gives a quick preview of our current work.

List of IoT Malware Included in the Timeline

|Year|Name / Alias                                                 |
|----|-------------------------------------------------------------|
|2008|Hydra                                                        |
|2009|Psyb0t / NetworkBluePill                                     |
|2010|Chuck Norris                                                 |
|2011|Umbreon / Umreon / Rebonum / Neobrum                         |
|2012|Carna Botnet                                                 |
|2012|LightAidra / Linux Aidra                                     |
|2013|Tsunami / Kaiten                                             |
|2013|Linux Darlloz / Zollard                                      |
|2014|Gafgyt / BASHLITE / Lizkebab / Torlus / Qbot / LizardStresser|
|2014|Spike / Dafloo / MrBlack / Wrkatk / Sotdas / AES.DDoS        |
|2014|TheMoon                                                      |
|2014|Zendran                                                      |
|2014|Linux.Wifatch / Ifwatch / REINCARNA                          |
|2015|Linux Moose / Elan                                           |
|2016|VPNfilter                                                    |
|2016|Mirai                                                        |
|2016|KTN-RM / Remaiten                                            |
|2016|Hajime                                                       |
|2016|LUABot                                                       |
|2016|IRCTelnet / LinuxIRCTelnet / NewAidra                        |
|2016|NyaDrop                                                      |
|2017|Amnesia                                                      |
|2017|Linux.MulDrop.14                                             |
|2017|BrickerBot                                                   |
|2017|Persirai                                                     |
|2017|Satori                                                       |
|2017|LinuxProxyM                                                  |
|2017|IoTroop / Reaper / IoTrooper                                 |
|2017|Masuta                                                       |
|2017|GoScanSSH                                                    |
|2017|Okiru                                                        |
|2018|UPnProxy / ETERNALSILENCE                                    |
|2018|DoubleDoor                                                   |
|2018|Hide 'N Seek                                                 |
|2018|JenX / Jennifer / Jen-X                                      |
|2018|Muhstik                                                      |
|2018|PureMasuta                                                   |
|2018|Torii                                                        |
|2019|Ares                                                         |
|2019|Mozi                                                         |
|2019|Silex                                                        |
|2019|Echobot                                                      |
|2019|Moobot                                                       |
|2019|Dark Nexus                                                   |
|2019|Handymanny                                                   |
|2020|Mukashi                                                      |
|2020|Rhombus                                                      |