Imeij targets devices running Linux OS and specifically exploits a vulnerability present in AVTech video surveillance equipment.
Linux.Proxy.10, or Proxy, is a Trojan that targets Linux devices. It was first identified in late 2016 and by the end of January 2017, thousands of devices had been infected. Attackers use other Trojans to initially compromise the device and create a new user “mother” with the password “f***er.” They then log in to the infected device via Secure Shell (SSH) and download the Proxy Trojan.
MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, especially in Thailand and Brazil.
Discovered in late 2014, SoakSoak is a Russian-based malware variant designed to scan for vulnerabilities within WordPress-powered websites and exploit them in order to turn its targets into a malware-distribution botnet.
The Mirai Botnet is named after the Mirai Trojan, the malware that was used in its creation. Mirai was discovered by MalwareMustDie!, a white-hat security research group, in August 2016. After obtaining samples of the Mirai Trojan, they determined that it had evolved from a previously created Trojan, known variously as Gafgyt, Lizkebab, Bashlite, Bash0day, Bashdoor, and Torlus.
First detected in August 2016 by researchers at ESET, Rakos is a strain of malware that targets and infects Linux servers and Linux-based IoT devices. Rakos operates by performing brute-force attacks against Secure Shell (SSH) logins of targeted devices and adding them to its botnet to perform additional attacks.
Reported in December 2016 by White Ops, a New York-based digital advertising security company, Methbot is a botnet that has been labeled the largest and most profitable fraud operation impacting digital advertising to date.
Discovered in 2007, Cutwail malware targets Windows OS and is distributed via the Pushdo Trojan, which spreads through malicious emails. Cutwail’s primary function is to turn infected systems into a spambot.
Discovered as a worm in 2014, TheMoon was observed by a researcher at the SANS Internet Storm Center spreading itself to a large number of Linksys router models. Delivered in the form of a 2 MB ELF MIPS binary, it connects to port 8080 and then, after determining the versions of hardware and firmware, it sends an exploit to a vulnerable CGI script running on the targeted router.
Bashlite, also known as Lizkebab, Torlus, and Gafgyt, was discovered in September 2014 after the ShellShock vulnerability found in the Bash command shell was publicized. The Bash command shell is commonly used by Linux and, since many IoT devices operate on Linux, botnet developers quickly took advantage of this widely publicized vulnerability.
In January 2012, security researchers at ATMA.ES reported witnessing a large number of Telnet attacks originating from home internet routers, internet-connected televisions, cable set-top boxes, DVRs, VoIP devices, IP cameras, and media centers. They determined that these attacks stemmed from a botnet.
Discovered in October 2016 by MalwareMustDie!, a white-hat security research group, Linux/IRCTelnet is an Internet Relay Chat (IRC) botnet that was created using ELF (Executable and Linkable Format) binaries, a common file format for Linux and UNIX-based systems. This format is used in the firmware of many IoT devices including routers, DVRs, and IP cameras.
On October 16, 2016, Rapidity Networks security research group published their analysis of Hajime, a worm currently targeting IoT devices such as routers, DVRs, and CCTV systems. The group claims to have discovered Hajime prior to the release of the Mirai Botnet source code and, because of that, Hajime is unlikely to contain any actual Mirai source code.