Thousands of infected IoT devices used in for-profit anonymity service

A stylized human skull over a wall of binary code.

Enlarge (credit: Aurich Lawson / Ars Technica)

Some 9,000 devices—mostly running Android, but also the Linux and Darwin operating Systems—have been corralled into the Interplanetary Storm, the name given to a botnet whose chief purpose is creating a for-profit proxy service, likely for anonymous Internet use.

The finding is based on several pieces of evidence collected by researchers from security provider Bitdefender. The core piece of evidence is a series of six specialized nodes that are part of the management infrastructure. They include a:

  • proxy backend that pings other nodes to prove its availability
  • proxy checker that connects to a bot proxy
  • manager that issues scanning and brute-forcing commands
  • backend interface responsible for hosting a Web API
  • node that uses cryptography keys to authenticate other devices and sign authorized messages
  • development node used for development purposes

Keeping it on the down-low

Together, these nodes “are responsible for checking for node availability, connecting to proxy nodes, hosting the web API service, signing authorized messages, and even testing the malware in its development phase,” Bitdefender researchers wrote in a report published on Thursday. “Along with other development choices, this leads us to believe that the botnet is used as a proxy network, potentially offered as an anonymization service.”

Read 9 remaining paragraphs | Comments