Grayhat botnets: The story so far

Malware botnets attacking Internet of Things devices are beginning to increase in prevalence, which is only to be expected given the lax attention to security from many vendors simply trying to rush devices to market. The need to pay attention to device security aside, an interesting trend has developed over the past year with two botnets that appear to be trying to remove insecure devices from the internet. We're calling these attackers 'grayhats' it seems, because although their intent is good (whitehat), the methods are definitely on the illegal side (blackhat). I'll list those here with some basic details, and update this post as more develops.


BrickerBot is a bit of a brute-force cure for insecure devices in that it specifically aims to brick them and take them out of action permanently. The self-proclaimed author, going by the name 'janit0r' on Hackforums, made the following statement:

I consider my project a form of “Internet Chemotherapy” I sometimes jokingly think of myself as The Doctor. Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet was becoming seriously ill in Q3 and Q4/2016 and the moderate remedies were ineffective.
— janit0r

There have been a number of variants detected in the wild, coming from different source devices. Targets appear to be 'busybox'-based Linux devices with default telnet passwords set, including a number of IP camera and DVR models.

BrickerBot takes out its victims by corrupting their internal storage, rendering them unable to boot, and thus falls into the category of PDoS (Permanent Denial of Service).

Further details can be found in the Radware analysis here:


Hajime is considerably more nuanced and advanced. It shuts down ports commonly used by other malware to attack devices, specifically ports 23, 7547, 5555 and 5358, and makes itself at home. Presently it contains no other attack code, only propagation, but given the advanced modular nature of the attack and its ability to update and adapt on the fly to different targets, the question is what it may do down the road.

Kaspersky has an interesting write up of the attack approach here:

According to their post, Hajime is able to target any exposed device, but tailors its attack to specific makes based on their telnet welcome string. While some of these don't provide much by way of device models, we can see certain brands of modems and routers could be exposed. These include BCM, SMC, MikroTik, Star-Net and Arris.

What Next?

These attacks currently rely on easily avoided blunders on the part of either manufacturers or ISPs. Open telnet ports with default passwords are a trivially preventable attack vector, but we keep seeing them time and again in cheap devices.

These vigilante attacks appear to be well intentioned, or at least born out of frustration with the current state of IoT security. Indeed, the consequences are far more widespread than just the users of the devices themselves. Malicious botnets have already been responsible for significant internet disruption through extensive DDoS attacks enabled by huge numbers of cheap, insecure devices. There are questions that arise from this kind of unilateral response though. How secure are these grayhat botnets? Can they be commandeered for malicious purposes? Can we really trust their owners to limit their attacks to 'cleansing' vulnerable devices?

The best defense consumers can employ is still fairly basic:

  • Change the default device password
  • Disable telnet access to the device
  • Use a gateway (router or firewall) that blocks telnet from internet
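
To confirm that telnet really is off on a device you administer, the check below (an added example, not code from the original post or from any vendor) parses `netstat -tln` output taken from the device and reports listeners on the ports named in the Hajime section that are reachable from other hosts. The sample output, the function names and the address 192.168.1.20 are constructed for illustration, and the parser assumes the net-tools/busybox column layout with numeric ports (`-n`).

```python
import ipaddress

# Ports the post lists as commonly used by malware to attack devices.
WATCHED_PORTS = frozenset({23, 7547, 5555, 5358})

# Constructed sample of `netstat -tln` output from a hypothetical busybox device.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:5555          0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.20:80         0.0.0.0:*               LISTEN
tcp        0      0 :::7547                 :::*                    LISTEN
tcp        0      0 ::1:5358                :::*                    LISTEN
"""


def is_loopback(host):
    """True only for addresses that other hosts cannot reach."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it


def exposed_listeners(netstat_text, ports=WATCHED_PORTS):
    """Return sorted (port, bind_address) pairs for non-loopback TCP listeners."""
    findings = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp") or fields[-1] != "LISTEN":
            continue  # header, UDP, or non-listening socket
        # Split at the last colon: IPv6 bind addresses contain colons themselves.
        host, _, port = fields[3].rpartition(":")
        host = host.strip("[]")
        if host in ("", "*"):
            host = "0.0.0.0"  # wildcard bind
        if port.isdigit() and int(port) in ports and not is_loopback(host):
            findings.add((int(port), host))
    return sorted(findings)


if __name__ == "__main__":
    for port, host in exposed_listeners(SAMPLE_NETSTAT):
        print(f"port {port} listening on {host}: disable the service or firewall it")
```

A listener bound to 0.0.0.0 or :: accepts connections on every interface, so it still needs the gateway rule from the last bullet even if the password has been changed.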

Obviously access to the devices is not always readily available, and the security chops of given manufacturers can be difficult to discern. For now, we rely on best efforts, decent home firewalls, and hope for growing vendor attention to security.