Center for Strategic Assessment and forecasts

Autonomous non-profit organization

Home / Defence and security / / Articles
Risks and threats in the Internet of things
Material posted: Publication date: 27-07-2019
In 2016 we caught them, collected statistics, and that's what happened in the end. We do not give forecasts, but merely stating how the risks have increased in this environment. Our analysts have prepared a scoping study, which are common threats for smart devices and Internet of things (IoT) as a whole. In the global network are recorded every day a huge number of devices, such as smart TVs, cameras, smart watches and toys, refrigerators, cars, fitness trackers, video recorders. Most of them are poorly protected from attacks, and even vulnerable.


Now the world network are not only computers, smartphones, tablets and routers, but also smart TVs, security cameras, smart watches, refrigerators, cars, fitness trackers, video recorders and even baby toys. The number of IOT devices already exceeds several billion, and every year their number grows.

Many of them are poorly or not protected against attacks. For example, to connect can be performed on simple or well-known pair "login — password", which is installed by default on hundreds of thousands of models. Their owners either don't think about changing is preset at factory settings, or can't do due to limitations of the producers themselves. Attackers gain relatively easy access to such devices, using the selection of combinations in the dictionary (the so-called brute force — brute force method). In addition, they can exploit vulnerabilities of installed on those operating systems.

In 2016 the company "Doctor Web" is closely monitoring the threats of the IOT. For this our specialists have developed a network of specialized bait — Animoto (from the word honeypot — a honeypot). These traps simulate different types of "smart" electronic devices and record attempts of their infection. Hanioti cover multiple hardware platforms, including ARM, MIPS, MIPSEL, PowerPC and Intel x86_64. They allow you to track the vectors of attacks to discover and examine new samples of malicious programs, improve mechanisms to detect them and to deal more effectively with them.

This material provides information about the detected attack on the smart device, as well as about the most common threats to Internet of things.


At the beginning of the observation of virus analysts recorded relatively low activity of malicious programs aimed at IOT devices. Four months of 2016, the specialists of "Doctor Web" revealed 729 590 attacks, however, just a year or 32 times more 23 741 581. After another 12 months later with 99 199 434. As for the current year, only for the first six months was committed 73 513 303 attack — almost the same number in 2018.

Dynamics detection Hanioti attacks shown on the chart:

In less than three years, the number of hacking attempts and infections of IOT devices rose 13 497%.

Attacks on "smart" devices was carried out from IP addresses located in more than 50 countries. Most of these were USA, Netherlands, Russia, Germany, Italy, UK, France, Canada, Singapore, India, Spain, Romania, China, Poland and Brazil.

The geographical distribution of sources of attacks and their percentage is shown in the following graph:

After successfully compromised devices, the attackers can upload to them one or more Trojans. The total number of unique malicious files detected by our traps during the observation period amounted to 131 412. The dynamics of their identification are shown below.

Smart devices are running on different processor architectures, and many malicious programs have versions for multiple hardware platforms. Among those who mimic our Hanioti, often attacks devices with ARM processors, MIPSEL and MIPS. This is well illustrated in the diagram:

According to Hanioti statistics, the most active malware family Linux.Mirai, which account for over 34% of attacks. Followed by boot loaders Linux.DownLoader (3% of attacks) and the Trojans Linux.ProxyM (1.5% of attacks). The top ten also includes malicious applications Linux.Hajime, Linux.BackDoor.Fgt, Linux.PNScan, Linux.BackDoor.Tsunami and Linux.HideNSeek. The percentage of the most active Trojans presented in the following illustration:

Malware that are attacking "smart" devices can be divided into several basic categories according to their basic functions:

  • Trojans for DDoS attacks (example: Linux.Mirai);
  • Trojans that distribute, download and install other malicious applications and auxiliary components (example: Linux.DownLoader, Linux.MulDrop);
  • the Trojans, allowing to remotely control the infected devices (example: Linux.BackDoor);
  • Trojans that turns devices into proxies (example: Linux.ProxyM, Linux.Ellipsis.1, Linux.LuaBot);
  • Trojans for mining of cryptocurrencies (example: Linux.BtcMine);
  • other.

However, most modern malware is a feature-rich threat because many of them can combine several functions.

Trends in threats to "smart" devices

  • Because of the availability of the source code of Trojans, such as Linux.Mirai, Linux.BackDoor.Fgt, Linux.BackDoor.Tsunami etc., increasing the number of new malicious programs.
  • The emergence of a growing number of malicious applications written in "non-standard" programming languages such as Go and Rust.
  • Cyber criminals available information about vulnerabilities, exploitation of which helps to infect smart devices.
  • Remains popular miners, mining cryptocurrency (mainly Monero) on devices the Internet of things.

The following are the most common and notable Trojans for Internet of things.

Read more about threats to the Internet of things

Linux.Mirai is one of the most active Trojans attacking IOT devices. The first version of this malicious application appeared in may 2016. Later, his source code was posted, so he quickly a large number of versions, created by different writers. Now Linux.Mirai — the most common Trojan for Linux, which runs on many processor architectures such as x86, ARM, MIPS, SPARC, SH-4, M68K etc.

After infection of the target device Linux.Mirai connect to the remote server and awaited his further commands. The main function of this Trojan — conducting DDoS attacks.

The following graph shows the evolution of discovery Hanioti active copies of this malware app:

Various modifications of Linux.Mirai the most active in China, Japan, USA, India and Brazil. Below are countries where during the observations it was recorded the maximum number of bots of this family.


Another dangerous malicious application that infects the "smart" devices, is Linux.Hajime. This Trojan is known to virus analysts, with the end of 2016. He works on architectures ARM, MIPS and MIPSEL also realize the function of network worm, spreads using the Telnet Protocol. Infected devices are included in the decentralized P2P botnet and used for further infection of available objects in the Network. The malware blocks access for other malicious programs to have successfully attacked device, allowing them ports 23, 7547, 5555, and 5358.

The peak of activity in Linux.Hajime was at the end of 2016 — beginning of 2017, when the maximum number of simultaneously active copies of the Trojans of this family exceeded 43 000. After that malware activity has fallen and continues to decline gradually. Now the number of active bots Linux.Hajime does not exceed a few hundred.

The most widespread these Trojans got in Brazil, Turkey, Vietnam, Mexico and South Korea. The map shows countries with maximum number of active Trojans Linux.Hajime, which was recorded during the observations.


The five of Trojans designed to infect devices of the Internet of things, is Linux.BackDoor.Fgt, which is distributed from autumn 2015. Different versions of this malicious app support on architectures MIPS, SPARC, etc. and work in OS Linux. The source code for Linux.BackDoor.Fgt is in the public domain, why it is so popular among virus writers.

These backdoors are distributed using Telnet and SSH protocols, selecting logins and passwords for access to the attacked facilities. The main purpose of the malware — carrying out DDoS attacks and remote control of the infected devices.


The Trojan Linux.ProxyM is one of the malware that cybercriminals use to ensure their own anonymity on the Internet. It starts to infect Linux devices SOCKS proxy server through which cyber criminals to miss network traffic. The specialists of "Doctor Web" found the first version of Linux.ProxyM in February 2017, and this Trojan is still active.


Linux.Ellipsis.1 — another Trojan designed to transform your IOT devices and computers running Linux in proxy servers. He caught analysts "Doctor Web" in 2015. After running, it deletes log files and blocks their re-creation removes some system utilities and also disables the device to establish a connection with defined IP addresses. If the Trojan detects suspicious traffic from one of the addresses, it also brings this IP in black list. In addition, the command and control server Linux.Ellipsis.1terminates applications that are connected to prohibited locations.


The company "Doctor Web" found the first version of the Trojans Linux.LuaBot in 2016. These malicious applications written in scripting language Lua, and support device Intel x86_64 architecture), MIPS, MIPSEL, Power PC, ARM, SPARC, SH4, and M68k. They consist of a few dozen scripts modules, each of which performs a specific task. The Trojans are able to control server updates to those modules and load the new one. Linux.LuaBot is a multifunctional malicious application. Depending on the modifications of malicious applications and scripts that attackers can use them to remote control the compromised devices as well as create proxies for anonymization on the Network.


For intruders, mining (extraction) cryptocurrency is one of the main reasons for infecting the devices of the Internet of things. In doing so, they help the Trojans Linux.BtcMine and other malicious applications. One of them is Linux.BtcMine.174 — the specialists of "Doctor Web" found at the end of 2018. It is designed for mining Monero (XMR). Linux.BtcMine.174 is a script written in shell sh. If he wasn't running as the superuser (root), the malware tries to escalate privileges to several exploits.

Linux.BtcMine.174 looking for processes antivirus programs and attempts to terminate them and delete files of these programs from the device. Then it downloads and launches several additional components, including a backdoor and a rootkit module, and then runs the program-miner.

The Trojan is prescribed in startup, so he is not afraid to restart the infected device. In addition, it periodically checks if the process miner. If necessary he initiates it again, providing continuity of mining cryptocurrency.


The Trojans Linux.MulDrop used to distribute and install other malicious applications. They work on many hardware architectures and device types, but in 2017 the virus analysts "Doctor Web" found Trojan Linux.MulDrop.14, which deliberately attacked the Raspberry Pi computers. This the dropper is a script in the body which stores an encrypted program — miner cryptocurrency. Once launched, the Trojan unpacks and starts the miner, then tries to infect other devices available in the network environment. To prevent "competitors" to the resources of infected devices, Linux.MulDrop.14 blocks the network port 22.


Malware Linux.HideNSeek infect smart devices, computers and servers running Linux, uniting them in a decentralized botnet. To spread this Trojan generates IP addresses and attempts to connect to them using the selection of usernames and passwords in the dictionary, and a list of known combinations of authentication data. Moreover, it is able to exploit various vulnerabilities in the equipment. Linux.HideNSeek can be used to remote control the compromised devices to run commands of the attackers, copy files, etc.


Unlike most other malware, Trojans Linux.BrickBot is not designed to receive any benefit. It is the vandals who created to disable computers and smart devices, they are known from 2017.

The Trojans Linux.BrickBot is trying to infect the device using the Telnet Protocol, selecting them logins and passwords. Then they try to wipe their modules permanent memory, reset network settings, block all connections and reboot. As a result, for the restoration of damaged facilities will require a firmware upgrade or even replacement of components. These Trojans are rare, but they are extremely dangerous.

At the end of June 2019 spread Linux.BrickBot.37, also known as Silex. He acted the same way as other members of the family of Linux.BirckBot — erased data from storage devices, deleted the network settings and performed a reboot, after which they could not correctly start up and operate. Our traps have recorded over 2600 attacks of this Trojan.


Millions of high-tech devices, which are increasingly used in everyday life, are actually small computers, with their inherent disadvantages. They are vulnerable to the same attacks and vulnerabilities due to the features and limits of construction to protect them can be much more difficult or even impossible. In addition, many users are not aware of the potential risks and still see "smart" devices as safe and comfortable "toys".

The IOT market is actively developing and largely repeats the situation with the beginning of mass distribution of personal computers, when the mechanisms of dealing with threats to for them only took shape and improved. While the equipment manufacturers and owners of "smart" devices to adapt to new realities, the attacker has a huge opportunity to commit attacks. Therefore, in the near future we can expect the emergence of new malicious programs for Internet of things.

The company "Doctor Web" continues to monitor the situation with the spread of Trojans, and other threats to "smart" devices and will inform our users about all interesting events in this area. Dr. Web successfully detects and removes named in the review of the malware. For example, it successfully makes remote scan-remotescan, which we did for the IoT.


RELATED MATERIALS: Defence and security
Возрастное ограничение