Blame infected Windows PCs, not smart fridge, for spam-spewing botnet attack

Proofpoint claimed to have “uncovered what may be the first proven Internet of Things (IoT)-based cyberattack involving conventional household ‘smart’ appliances. The global attack campaign involved more than 750,000 malicious email communications coming from more than 100,000 everyday consumer gadgets such as home-networking routers, connected multi-media centers, televisions and at least one refrigerator that had been compromised and used as a platform to launch attacks.”

The attack that Proofpoint observed and profiled occurred between December 23, 2013 and January 6, 2014, and featured waves of malicious email, typically sent in bursts of 100,000, three times per day, targeting enterprises and individuals worldwide. More than 25 percent of the volume was sent by things that were not conventional laptops, desktop computers or mobile devices; instead, the emails were sent by everyday consumer gadgets such as compromised home-networking routers, connected multi-media centers, televisions and at least one refrigerator.

Although Proofpoint followed up with two additional articles about “Your fridge is full of spam,” Symantec said your fridge is innocent of this spam campaign. Instead, blame the spam-sending botnet on Windows.  

In “Despite the news, your refrigerator is not yet sending spam,” Symantec said it “traced the spam to multiple Windows computers, some of which were verified to be infected with W32.Waledac (Kelihos). We have not seen this spam originate from any non-Windows computer systems and do not see any unaccounted volume of spam that may originate from other sources.”

The spam campaign was allegedly misidentified because “many home devices sit behind a home router and use Network Address Translation (NAT). From the view point of an outsider, all the devices behind that router share the same IP address. This makes it difficult to determine whether a device behind the router or the router itself was the original source of the network traffic. Furthermore, if you probe the router for open ports the router may employ port forwarding, exposing one or more devices behind the router.” According to Symantec, “You could be fooled into not even realizing a router is there and think that the exposed device is the sole device using that IP address.”

In this particular case, you have computers infected with malware sitting behind a home router along with a variety of other home devices, like an entertainment system or even a refrigerator.

Symantec's illustration of the misidentified botnet: the smart fridge is not the device sending spam.

When the infected computer receives a new spam template from the bot controller, the spam will travel through the router and appear from a particular IP address. If you probe that IP address, instead of reaching the infected computer you will reach the router.

In addition, if your refrigerator uses a feature known as port forwarding and someone contacts the IP address on port 80, that traffic is allowed to reach your smart refrigerator. Viewed from outside, all you will see is the refrigerator and you may not even realize there is a router with potentially many other devices behind it, such as an infected computer. This misunderstanding was what led to reports of refrigerators sending spam. The truth is that those refrigerators just happened to be on the same network as an infected computer. 
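To make the attribution problem above concrete, here is an added example in Python (not from the article or from Symantec): constructed router NAT log lines and mail-server log lines, a port-forwarding table, and a function that joins the two logs on the translated public socket to find which LAN host actually originated the SMTP connections, while an inbound probe on port 80 reaches only the forwarded device. All addresses, log formats and field names are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data (not from the article). The router's public address
# and the private addresses of the devices behind it are assumptions.
NAT_LOG = """\
2014-01-03T10:15:02Z NAT src=192.168.1.20:51234 dst=203.0.113.9:25 snat=198.51.100.7:40001
2014-01-03T10:15:05Z NAT src=192.168.1.30:44100 dst=203.0.113.50:443 snat=198.51.100.7:40002
2014-01-03T10:15:09Z NAT src=192.168.1.20:51240 dst=203.0.113.9:25 snat=198.51.100.7:40003
"""
# What the receiving mail server logged: only the router's public socket.
SMTP_LOG = """\
2014-01-03T10:15:03Z SMTP-IN client=198.51.100.7:40001 helo=home-pc msg=spam-template-17
2014-01-03T10:15:10Z SMTP-IN client=198.51.100.7:40003 helo=home-pc msg=spam-template-17
"""
# Router port-forwarding table: inbound port 80 is handed to the fridge's web UI.
PORT_FORWARDS = {80: "192.168.1.30"}

NAT_RE = re.compile(r"^(\S+) NAT src=(\S+) dst=(\S+) snat=(\S+)$")
SMTP_RE = re.compile(r"^(\S+) SMTP-IN client=(\S+) ")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def inbound_probe_view(port):
    """Which device answers when an outsider probes the public IP on this port."""
    return PORT_FORWARDS.get(port, "router")

def attribute_spam(nat_log, smtp_log, window=timedelta(seconds=5)):
    """Map each SMTP connection back to the LAN host that originated it.
    The join key is the translated public ip:port plus a short time window,
    because the mail server never sees the private address of the sender."""
    nat = []
    for line in nat_log.splitlines():
        m = NAT_RE.match(line)
        if m:
            nat.append((parse_ts(m.group(1)), m.group(2), m.group(3), m.group(4)))
    origins = {}
    for line in smtp_log.splitlines():
        m = SMTP_RE.match(line)
        if not m:
            continue
        seen, client = parse_ts(m.group(1)), m.group(2)
        for ts, src, dst, snat in nat:
            if snat == client and dst.endswith(":25") and timedelta(0) <= (seen - ts) <= window:
                origins[client] = src.split(":")[0]  # private IP of the real sender
    return origins
```

Probing the public address on port 80 returns the fridge, while the NAT join attributes both SMTP connections to the PC at 192.168.1.20; without the router's translation log, the outside view alone cannot distinguish the two.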

One of the biggest issues regarding smart devices is the lack of security. Smart device makers either don’t realize the need to protect the devices, or try to bolt on security at the end. As we’ve seen again and again, tacking security on as if it were an afterthought doesn’t work very well. Yet that doesn’t stop the flood of IoT devices that can be controlled via a smartphone. For example, at CES 2014, there were Internet-connected toothbrushes, toilets, socks, sport bras, light bulbs, ovens with built-in Android tablets, crockpots, and more.

“Antivirus software helped PCs, but you can’t simply install a software suite developed for your desktop on a smart toaster,” pointed out Technology Review. “Even if something like a smart stereo or coffee maker has been hacked into, it can be trickier to tell than with a laptop or a smartphone. These devices often have no visual display, and if they’re participating in an attack similar to the one Proofpoint observed, they might not show any signs of trouble.”

So although smart TVs, appliances, or other IoT devices making up Proofpoint’s thingbots “weren’t to blame this time,” Symantec expects “they probably will be to blame in the future.” In fact, Symantec “uncovered one of the first and most interesting IoT threats, Linux.Darlloz, which infects Linux-based IoT devices such as routers, cameras, and entertainment systems... So don’t be surprised if, in the near future, your refrigerator actually does start sending spam.”

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.