According to the researchers, the botnet includes more than 9,000 hosts (other sources put the number of infected devices above 13,500), the overwhelming majority of which run Android, with about one percent running Linux and Darwin. The researchers say these are routers, NAS devices, UHD receivers, single-board computers (for example, the Raspberry Pi) and other IoT devices. Most of the infected devices are located in Hong Kong, South Korea and Taiwan.
The researchers write that the purpose of the botnet can be guessed by the specialized nodes included in the malware's control infrastructure:
- a proxy server that pings other nodes to confirm their availability;
- a proxy checker program that connects to the bot's proxy server;
- a manager node that receives commands for scanning and brute-forcing;
- a backend interface responsible for hosting the Web API;
- a node that uses cryptographic keys to authenticate other devices and sign authorized messages;
- a node used for development.
Taken together, the researchers say, these nodes provide availability checks for peers, proxy connectivity, Web API hosting, signing of authorized messages, and even a way to test the malware while it is still in development.
"All of this suggests that the botnet is being used as a proxy network, probably offered as an anonymization service," reads the Bitdefender report.
Interplanetary Storm spreads by scanning for SSH and guessing weak passwords. The malware itself is written in Go, and the report emphasizes that its main functions were written from scratch rather than borrowed from other botnets, as is often the case. In total, the researchers found more than 100 changes to the malware's code, which means development of Interplanetary Storm is in full swing.
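Because the propagation vector described above is SSH password guessing, the defensive counterpart is spotting that pattern in a device's authentication log. The following script is an added example, not code from the Bitdefender report or from the botnet: it parses syslog-style sshd lines (assumed format; the sample lines are constructed, and the year is assumed to be 2020 because syslog omits it), flags source addresses with a burst of failed password logins across several usernames, and notes whether a password login from that source later succeeded.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the report).
SAMPLE_LOG = """\
Oct  2 10:00:01 nas sshd[2101]: Failed password for root from 203.0.113.7 port 51234 ssh2
Oct  2 10:00:03 nas sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51240 ssh2
Oct  2 10:00:05 nas sshd[2105]: Failed password for invalid user pi from 203.0.113.7 port 51244 ssh2
Oct  2 10:00:06 nas sshd[2107]: Failed password for root from 203.0.113.7 port 51250 ssh2
Oct  2 10:00:08 nas sshd[2109]: Accepted password for pi from 203.0.113.7 port 51255 ssh2
Oct  2 10:07:00 nas sshd[2200]: Failed password for alice from 198.51.100.9 port 40000 ssh2
Oct  2 10:07:30 nas sshd[2201]: Accepted publickey for alice from 198.51.100.9 port 40001 ssh2
"""

# Assumed OpenSSH/syslog line layout: "<Mon> <day> <HH:MM:SS> <host> sshd[pid]: ..."
LINE_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d+)\s(?P<time>[\d:]{8})\s\S+\ssshd\[\d+\]:\s"
    r"(?P<result>Accepted|Failed)\s(?P<method>\w+)\sfor\s(?:invalid user\s)?(?P<user>\S+)"
    r"\sfrom\s(?P<ip>[\d.]+)\sport\s\d+"
)

def parse(log_text, year=2020):
    """Return (timestamp, ip, user, result, method) tuples; year is assumed since syslog omits it."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["ip"], m["user"], m["result"], m["method"]))
    return events

def find_bruteforce(events, window_s=60, min_failures=3):
    """Map each source IP with >= min_failures failed password logins inside window_s seconds
    to a summary, including whether a password login from it succeeded afterwards."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [e for e in evs if e[3] == "Failed" and e[4] == "password"]
        for i in range(len(fails)):
            burst = [f for f in fails[i:] if (f[0] - fails[i][0]).total_seconds() <= window_s]
            if len(burst) >= min_failures:
                succeeded = any(e[3] == "Accepted" and e[4] == "password" and e[0] >= burst[0][0] for e in evs)
                hits[ip] = {"failures": len(burst), "users": sorted({f[2] for f in burst}),
                            "password_login_after": succeeded}
                break
    return hits

if __name__ == "__main__":
    for ip, info in find_bruteforce(parse(SAMPLE_LOG)).items():
        print(ip, info)
```

On the constructed sample, only 203.0.113.7 is flagged, with four failures across three usernames followed by a successful password login, which is the sequence a device recruited this way would show; the single failure from 198.51.100.9 followed by a key-based login is left alone.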
The malware bundles implementations of the open protocols NTP, UPnP and SOCKS5, as well as the libp2p library for its peer-to-peer functionality. It also uses a libp2p-based networking stack to interact with IPFS.
"Compared to other Go malware we've analyzed in the past, IPStorm is notable for its complex design of module interactions and the way it uses libp2p constructs. It is clear that the attacker behind this botnet has a good command of Go," the experts summarize.