Much like viruses can jump across species, say from birds to humans, malware can jump from initial platforms to new ones to spread infection. This is what has recently happened with InterPlanetary Storm (IPStorm), which was originally seen in the wild on Windows last year, and which now has been observed on Android, Mac, and Linux. Just what is IPStorm and why is it dangerous? This blog post dives into what happened recently and what companies can do to protect against new and evolving botnets and bot attacks.
What Is IPStorm and Why Should You Care?
IPStorm is a botnet that was originally detected last year by cybersecurity firm Anomali, which observed it targeting Windows systems. According to an article by ZDNet, the malware uses the peer-to-peer (P2P) InterPlanetary File System to communicate with infected systems. Unfortunately, this P2P approach gives it more resilience against takedown than botnets that depend on a centralized command-and-control server. IPStorm was written in the Go programming language (“Golang”), and it operates in memory and leaves no trace on disk. These two characteristics make it both distinct from other malware and more difficult to deal with. IPStorm allows attackers to execute any number of PowerShell commands on the infected device.
While P2P botnets are still relatively rare, they are increasing in number and scale. For example, Dark Reading recently reported on FritzFrog, which researchers at Guardicore Labs have seen targeting SSH servers since the beginning of this year. In April, Threatpost wrote about DDG, which is considered to be the first P2P cryptomining botnet.
Now, cybersecurity firms Bitdefender and Barracuda have observed IPStorm spreading to other platforms via different methods.
On its BitDefender Labs site, the company notes that “Bitdefender researchers found a new campaign in which threat actors seem to be using the same bruteforcing technique observed with IRCflu to compromise SSH servers and drop the InterPlanetary Storm bot….Unlike the previously known samples, these new variants seem to target multiple Android and Linux architectures, such as Darwin…”
Right now the IPStorm botnet looks like it’s taken over 13,500 machines in 84 countries, according to CSO Online.
What’s the Motivation Behind IPStorm?
What could be the motivation for IPStorm? Here’s what Kasada’s founder, Sam Crowther, had to say on Enterprise Security Tech: “IPStorm has many similarities to Mirai – as it’s a new, nasty botnet that will likely be available for hire. Mirai was originally used for DDoS, but is now used for more sophisticated attacks like credential abuse or carding. We see a similar path for IPStorm – it can easily be extended beyond DDoS attacks and go towards where the money is – to commit fraudulent activities at-scale, through automated attacks. Like Mirai, this will be a difficult botnet to contend with as the IP addresses are legitimate.”
Crowther raises an important point, because many solutions rely on circumstantial evidence from the past to inform rules that detect bot attacks. But because bot operators constantly revise their methods to evade detection, these rule-based solutions are always a step behind. For example, relying on blacklisting rules doesn’t work when a bot attack is coming from a known good address. And depending on an analysis of known behaviors is useless when the behavior is new.
So how can you distinguish between human, good bot, and bad bot traffic — and keep bot attacks from reaching your properties in the first place?
So, What Can You Do About New and Evolving Bot Attacks?
As Crowther explains on Enterprise Security Tech, “It’s easy to see that a different approach is needed to stop these attacks; one that doesn’t require knowledge of known bad IP addresses and rules based on prior attacks. If you apply a zero-trust philosophy to traffic you can better distinguish between bots and humans – even for new attacks that haven’t been seen before. Another aspect of preventing these attacks that’s not often discussed is to wreck the economics of the attack altogether, making the attack financially unviable for cybercriminals.”
Let’s break that down a little bit:
- Zero-Trust Philosophy – All traffic is assumed guilty until proven innocent; essentially not letting any traffic in until it can prove it’s not a bad bot. This should be done from the very first web, mobile or API request so the bot attack never has the chance to do its dirty work.
- Economic Damage – While it’s still not 100% clear what IPStorm is up to (although Intezer has found that the Steam gaming service is a target), what is clear is that many bot attacks have a financial incentive. But serving bad bots an increasingly difficult cryptographic challenge slows down and collapses the economics of an automated attack.
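As an added example that is not Kasada's code: a minimal proof-of-work challenge of the kind the bullet describes, where the difficulty (required leading zero bits in a SHA-256 digest) escalates with repeat requests from the same client, so each step doubles the client's expected work while the server still verifies with a single hash. The function names, the in-memory issue store and the starting and cap difficulties are assumptions.

```python
import hashlib
import os
import time

# Added example, not Kasada's product code. Difficulty d requires a SHA-256
# digest with d leading zero bits: the client's expected work is 2^d hashes,
# the server's verification cost is always one hash.
BASE_DIFFICULTY = 8      # assumed starting difficulty for an unknown client
MAX_DIFFICULTY = 24      # assumed cap (about 16M expected hashes per request)
WINDOW_SECONDS = 60.0    # assumed window in which repeat requests escalate

_issued = {}  # client_id -> issue timestamps (hypothetical in-memory store)


def difficulty_for(client_id, now=None):
    """Escalate by one bit per challenge already served to this client in the window."""
    now = time.time() if now is None else now
    recent = [t for t in _issued.get(client_id, []) if now - t < WINDOW_SECONDS]
    _issued[client_id] = recent + [now]
    return min(BASE_DIFFICULTY + len(recent), MAX_DIFFICULTY)


def issue_challenge(client_id, now=None):
    """Challenge handed to the client with the very first web, mobile or API request."""
    return {"nonce": os.urandom(16).hex(), "difficulty": difficulty_for(client_id, now)}


def _leading_zero_bits(digest):
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()


def verify(challenge, counter):
    """Server-side check: one SHA-256 regardless of difficulty."""
    data = f"{challenge['nonce']}:{counter}".encode()
    return _leading_zero_bits(hashlib.sha256(data).digest()) >= challenge["difficulty"]


def solve(challenge, limit=1 << 26):
    """What any client, browser or bot, must do: brute-force the counter."""
    for counter in range(limit):
        if verify(challenge, counter):
            return counter
    return None  # gave up within the limit


if __name__ == "__main__":
    for _ in range(4):
        ch = issue_challenge("demo-client")
        start = time.time()
        sol = solve(ch)
        print(f"difficulty={ch['difficulty']} counter={sol} "
              f"took={time.time() - start:.3f}s verified={verify(ch, sol)}")
```

Each repeat request in the window costs the client twice as much as the last one, which is the collapse of attack economics the bullet refers to.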
One thing is certain: bot attacks will continue so long as they are allowed to flourish unimpeded. They will evolve and spread just like viruses. What’s needed now is a vaccine in the form of an effective bot management solution. But what else makes such a solution both highly effective and simple to use?
We’ve put together a white paper on the top 10 capabilities to look for in a bot management solution. Read “A Bot Management Checklist: 10 Must-Have Capabilities for Stopping Malicious Automation” to learn what other providers aren’t telling you and how Kasada can help you defend your web, mobile, and API channels against bot attacks.
Would you like to see for yourself how Kasada stops bot attacks in their tracks? Request a demo today.