Last year there was an attack on Dyn, an internet infrastructure company, that caused widespread blackouts in company websites and internet access. The botnet found responsible was built on open-source malware named Mirai, which had approximately 100,000 devices flood Dyn’s servers. The DDoS attack was the largest to date in internet history.

While Dyn neutralized the attack and has taken steps to avoid it in the future, Mirai’s open-source code is cause for concern: attacks based on Mirai’s code are still occurring.

A new botnet was discovered in September that also appears to be based on Mirai’s code, with some significant upgrades in sophistication. So what is a botnet, and what does your business need to do to protect itself?

Botnets and malware

In simple terms, a botnet is an army of IoT devices. Malicious code has infected many devices, and an individual controls those devices remotely.

The word botnet is a combination of the words robot and network, and botnet devices are infected by malicious software, known as malware. Since an individual cannot access every device they are infecting, they use botnet devices to further spread the malware as well as to roll out any malicious activity. Any unsecured IoT device that is exposed to the internet can be infected by malware.

The most frequently used form in botnets is Command-and-Control (C2), where a single server is responsible for sending out commands and malware. However, in a Peer-to-Peer (P2P) botnet, devices connect to other infected devices in a web-like pattern rather than referring to a single server.

Each device is capable of infecting, cataloging, and updating every device it meets.

Most businesses are not aware they have been infected, as the malware attacks devices that do not have frequent user interfaces. In the case of Mirai, routers and cameras were the preferred devices.


The main aspect of Mirai’s code is that the malware attacks devices that have not been changed from their default password and user settings. Once in the device, the malware lurks without decreasing performance or making itself known. These devices are designed to plug in and go, so unless there are performance concerns they are rarely looked at by IT departments.

Once a device is part of a botnet, the malware waits for instruction. In the case of Mirai, the instruction was to create Distributed Denial-of-Service (DDoS) attacks. The attack design is to flood servers with firehose amounts of information that take up server bandwidth. Legitimate systems are rejected and begin their retry protocol, further flooding and diminishing the bandwidth until internet blackouts occur.

In the case of Dyn, companies worldwide lost access to the internet as their websites and servers were locked in their retry protocol and Dyn’s server crashed.

Mirai has been most damaging because its code is open source, though. Open source means Mirai’s architecture is available to anyone who wants it. The code is flexible to any changes desired. In essence, a hacker can pick up the code and make a few tweaks, creating their own botnet system.


Check Point discovered a new botnet system, IoTroop, in September. The code is similar to Mirai’s, but IoTroop is significantly more sophisticated.

Each infected device scans other devices it meets, sending vulnerability information and IP addresses back to the control center. Where Mirai exploited devices that still had default password and user settings, IoTroop appears capable of exploiting a dozen different vulnerabilities in each device.

Also, IoTroop appears to be using multiple command servers.

As of last week, IoTroop has infected over one million devices, with attacks on IP addresses increasing significantly in the last two weeks. Check Point estimates approximately 60% of businesses are already infected by the malware.

Internet maelstrom

Unfortunately, the intent of the IoTroop botnet is unknown. Botnets can be used for multiple purposes, from stealing information to spamming. Since Mirai was used to orchestrate a large DDoS attack, attention is focused in that direction.

A business should not sit idly by when a warning has been given. There are ways to check for malware on routers and security cameras. And as you would with PCs and smartphones, anti-malware and security software should be installed on both to ensure protection. After all, it does not look like IoTroop is going to stop anytime soon.
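
One way to look for the scanning behavior described above, as an added example that is not part of the original article: an infected router or camera contacts many different addresses in a short time, while a healthy one talks to a handful of peers. The flow-record layout, the IoT network segment, the thresholds and every address below are assumptions constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records: (epoch_seconds, source_ip, destination_ip, destination_port).
# All addresses come from private/documentation ranges and are not real observations.
SAMPLE_FLOWS = (
    # A camera talking to its recorder over and over: many flows, one destination.
    [(1000 + i, "10.0.5.20", "10.0.1.10", 554) for i in range(40)]
    # A router contacting a new address every second: many distinct destinations.
    + [(1000 + i, "10.0.5.1", f"198.51.100.{i + 1}", 23) for i in range(30)]
    # A workstation outside the IoT segment is ignored even though it fans out.
    + [(1000 + i, "10.0.9.7", f"203.0.113.{i + 1}", 443) for i in range(30)]
)

IOT_SEGMENT = ip_network("10.0.5.0/24")  # assumed VLAN holding routers and cameras


def find_scanning_devices(flows, segment=IOT_SEGMENT, window=60, max_peers=15):
    """Return {source_ip: peak_distinct_destinations} for IoT devices whose
    distinct-destination count in any `window`-second span exceeds `max_peers`."""
    by_source = defaultdict(list)
    for ts, src, dst, _port in flows:
        if ip_address(src) in segment:
            by_source[src].append((ts, dst))

    flagged = {}
    for src, events in by_source.items():
        events.sort()
        start, peak = 0, 0
        counts = defaultdict(int)  # destination -> flows currently inside the window
        for ts, dst in events:
            counts[dst] += 1
            # Slide the window forward, dropping flows older than `window` seconds.
            while events[start][0] <= ts - window:
                old = events[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            peak = max(peak, len(counts))
        if peak > max_peers:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    for device, peers in find_scanning_devices(SAMPLE_FLOWS).items():
        print(f"{device}: {peers} distinct destinations within 60s")
```

Counting distinct destinations rather than total flows keeps the chatty camera from being flagged; the threshold needs tuning against each network's normal traffic.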

For a full list of manufacturers impacted by IoTroop, click here.