Sophos: IoT Malware Growing More Sophisticated


The malware targeting connected devices is using increasingly complex techniques, Sophos has found

The Mirai botnet that gained notoriety last year is not an isolated case of malware targeting Internet-connected devices, with such attacks generally rising and using increasingly sophisticated techniques to evade detection.

Attackers are increasingly making use of security holes in Linux to infect such devices, sometimes called the Internet of Things (IoT), with malware, according to SophosLabs’ 2017 forecast, which looks at significant trends in computer security.


IoT attacks no longer theoretical

While IoT attacks aren’t new, they have been discussed largely as a theoretical problem until now, Sophos said.

That changed last autumn when Mirai was used as part of a distributed denial-of-service (DDoS) attack on DNS provider Dyn, which temporarily made high-profile websites such as Twitter, Paypal, Netflix and Reddit inaccessible.

Sophos said IoT devices are mainly being targeted by malware that looks for security holes in the variants of Linux that power most of the gadgets involved.

“Default passwords, out-of-date versions of Linux and a lack of encryption will continue to make these devices ripe for abuse,” Sophos said in the study.

The Linux attack software involved grew more complex throughout 2016, with one malware variant found to use high-level techniques such as consistent static updates, encrypted or obfuscated strings and UPX packer hacking to avoid detection by antivirus software.

The most common IoT malware was far simpler, however, instead simply targeting devices that used factory-default passwords.
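The evasion techniques Sophos describes above (obfuscated strings, modified UPX packing) are what a defender has to detect on a device's filesystem. The following Python script is an added example, not code from Sophos or the report, that classifies raw ELF images using two independent signals: the text markers the stock UPX packer leaves behind, and the absence of a section-header table, which survives even when those markers have been stripped. The three sample binaries are constructed minimal ELF headers, not real malware, and the heuristic thresholds are assumptions.

```python
"""Heuristic UPX-packing check for Linux/ELF binaries (added defender example)."""
import struct

ELF_MAGIC = b"\x7fELF"

# Strings left by an unmodified UPX build. A "hacked" packer commonly strips or
# alters these so `upx -d` refuses to unpack, which is why the structural check
# in classify() is kept as a second, independent signal.
UPX_MARKERS = (
    b"UPX!",
    b"UPX0",
    b"UPX1",
    b"$Info: This file is packed with the UPX",
)


def parse_elf_header(data: bytes):
    """Return (bits, endian_prefix, e_shnum) for a raw ELF image, or None if not ELF."""
    if len(data) < 52 or data[:4] != ELF_MAGIC:
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_shnum lives at offset 0x3C
        if len(data) < 64:
            return None
        return 64, endian, struct.unpack_from(endian + "H", data, 0x3C)[0]
    if ei_class == 1:  # ELF32: e_shnum lives at offset 0x30
        return 32, endian, struct.unpack_from(endian + "H", data, 0x30)[0]
    return None


def upx_markers_in(data: bytes) -> list:
    """List the stock UPX marker strings present anywhere in the image."""
    return [m.decode("ascii") for m in UPX_MARKERS if m in data]


def classify(data: bytes) -> str:
    """Classify an ELF image as unpacked, UPX-packed, or packed by an unknown/modified packer.

    A missing section-header table (e_shnum == 0) is normal for UPX output and for
    binaries run through tools such as sstrip, but rare for ordinary compiler output,
    so it is treated as suspicious rather than conclusive (assumed threshold).
    """
    hdr = parse_elf_header(data)
    if hdr is None:
        return "not-elf"
    _, _, shnum = hdr
    if upx_markers_in(data):
        return "upx-packed"
    if shnum == 0:
        return "packed-unknown"  # markers stripped or different packer; inspect manually
    return "unpacked"


def build_elf(bits: int, shnum: int, payload: bytes) -> bytes:
    """Construct a minimal little-endian ELF header followed by payload (test fixture only)."""
    ident = ELF_MAGIC + bytes([2 if bits == 64 else 1, 1, 1, 0]) + b"\x00" * 8
    if bits == 64:
        hdr = ident + struct.pack(
            "<HHIQQQIHHHHHH", 2, 62, 1, 0x400000, 64, 0, 0, 64, 56, 1, 64, shnum, 0)
    else:
        hdr = ident + struct.pack(
            "<HHIIIIIHHHHHH", 2, 3, 1, 0x8048000, 52, 0, 0, 52, 32, 1, 40, shnum, 0)
    return hdr + payload


# Constructed samples: stock UPX output, UPX output with markers stripped, plain binary.
SAMPLE_UPX = build_elf(
    64, 0, b"UPX!" + b"\x00" * 4
    + b"$Info: This file is packed with the UPX executable packer http://upx.sf.net $\n")
SAMPLE_HACKED = build_elf(32, 0, b"XYZ!" + b"\x00" * 20 + b"compressed junk")
SAMPLE_CLEAN = build_elf(64, 7, b"\x00" * 16 + b"Hello, world\x00")


if __name__ == "__main__":
    for name, blob in (("stock-upx", SAMPLE_UPX), ("hacked-upx", SAMPLE_HACKED),
                       ("clean", SAMPLE_CLEAN)):
        print(f"{name:12s} -> {classify(blob)}  markers={upx_markers_in(blob)}")
```

Run against real files with `classify(open(path, "rb").read())`; anything returning `packed-unknown` on an embedded device deserves a closer look, since legitimate firmware components rarely ship without a section table.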

Android, MacOS malware

That was the case with Linux/DDoS-BI, which was far more active than any other variant targeting IoT gadgets, Sophos said.

The company noted its honeypots detected a steady rise in the variant, from more than 100 by late October to around 466 the week of 20 January.

It found malware increasingly using the Lua and Go languages, the latter – also referred to as “golang” – being an open-source language developed by Google engineers.

“Whatever happens in the next 12 months, one thing is clear: Golang… has seen a surge in popularity among tool writers,” Sophos said in the study.

IoT malware infects devices such as Internet-connected cameras and household items, with chancellor Philip Hammond warning over the weekend that kettles and fridges are at risk.

The paper also examined the increasing pervasiveness of Android malware and the appearance of MacOS malware that attempts to steal passwords or install ransomware.

More than 20 percent of the Android malware Sophos analysed during 2016 was from a single family, called Andr/PornClk, which makes money through advertisements and membership registrations and is difficult to remove, as it makes use of root privileges.

The company said MacOS is targeted far less frequently than Windows, but Mac software is often technically sophisticated and looks to steal data or provide covert remote access to thieves.

“Though it continues to see fewer malware and ransomware infections than Windows, MacOS saw its fair share in 2016, and we expect that trend to continue,” Sophos stated.
