
Laptops and smartphones bought on the secondary market are increasingly turning out to be infected with malware, cybersecurity companies told Izvestia, citing their monitoring of complaints on specialist forums. Suspicious activity on a used gadget may mean that the device is part of a botnet, a network of devices hijacked by hackers and used in DDoS attacks. Such software can be installed not only on computers and smartphones but on any smart device: televisions, vacuum cleaners and even coffee makers. How to avoid buying infected equipment, and what to do if a smart set-top box or a router starts acting on its own at night, is covered in this Izvestia article.

Where the malware was found

Buyers of used equipment are complaining much more often that they find malicious software on the laptops and PCs they purchase. The software automatically connects the device to a botnet (a network of hijacked computers controlled by hackers), so that it takes part in DDoS attacks. Daniil Glushakov, an analyst at the Speakatel cyber threat monitoring center, told Izvestia about this, citing a study of specialist forums and social media communities.

This trend was confirmed by Anton Chemyakin, head of the analytical department at Servicepipe.

Laptop
Photo: IZVESTIA/Yulia Mayorova

We cannot rule out a scenario in which the resale of infected devices is carried out intentionally as a way to build up a botnet network, says Vadim Soldatenkov, head of the Garda Anti-DDoS product group at Garda. In other words, an attacker purchases a batch of cheap devices, installs modified firmware with a malicious component on them, and puts them on the secondary market. The buyer receives an outwardly serviceable device that starts working for the attacker the first time it is turned on.

However, Kaspersky Lab cybersecurity expert Dmitry Kalinin said that the company had not encountered schemes in which a "clean" device is bought so that its software can be replaced with malware and the device resold.

Ashot Oganesyan, founder of DLBI, a data leak intelligence and monitoring service, also believes that "no one bothers with infection during repair or resale."

"Botnets bring hackers fractions of a penny per device and are profitable only if tens or hundreds of thousands of devices are captured," he said. "It happens that unscrupulous sellers put Trojans on phones and computers, which then go on sale, but this malware is aimed at stealing information from banking applications, not creating botnets."

Phone
Photo: IZVESTIA/Dmitry Korotaev

According to him, "smart" devices from unknown brands are often connected to botnets, but this is done en masse, at the factory or even during firmware development.

Anton Chemyakin also said that devices can be infected with malware even before they are sold, for example at factories in China that produce budget Android gadgets.

"The factory orders the firmware from a third-party company, and it embeds the virus. Thus, some of the Android assemblies may actually become part of the botnet even before the packaging is opened," he explained.

When a customer opens the package and turns on such a gadget, it immediately contacts the hackers' servers. Cheap smartphones from unknown brands are especially dangerous, according to the expert.

Cases of malware pre-installed on brand-new devices were also confirmed by Kaspersky Lab cybersecurity expert Dmitry Kalinin.

"For example, a backdoor (a hidden mechanism for unauthorized access to the system), Kimwolf, was found in the firmware of some Android consoles. There are cases when an insecure configuration of the console's firmware has led to infection with Kimwolf and other similar backdoors," he said.

Samsung remote control
Photo: Global Look Press/Alejandro Martínez Vélez

For example, in the spring of 2025, Kaspersky Lab specialists discovered a new version of the Triada backdoor in the firmware of counterfeit devices sold on popular online trading platforms, Kalinin said.

Where else can malware be installed?

Not only laptops, smartphones and tablets can be part of a botnet, but also set-top boxes, smart coffee makers and any other devices with a Wi-Fi connection, Anton Chemyakin said.

Daniil Glushakov suggested that the current surge in forum posts may be due, firstly, to the fact that the level of cyber hygiene is growing and more and more people are using antiviruses.

"And secondly, the power of botnets is also growing, and they need more and more helpers to organize DDoS attacks," he explained.

Coffee maker
Photo: Getty Images/Onfokus

He recalled that the Kimwolf botnet, which attacked companies around the world, comprised more than 1.8 million infected Android devices of various kinds, from tablets to smart photo frames.

Vadim Soldatenkov noted that Internet of Things devices are the first to be infected: routers, IP cameras (digital video cameras), smart consoles and network storage.

"Such devices have historically been a weak link in cybersecurity, because manufacturers often do not pay enough attention to their protection. Also, most incidents occur on outdated devices for which the manufacturer has already stopped releasing security updates and patches," he said.

In the case of used equipment, the previous owner may not have updated the firmware for years and may have used weak passwords, Soldatenkov said.

Kirill Levkin, project manager at MD Audit (Softline Group), drew attention to the fact that botnet activity often does not affect the daily operation of the device, so the user may not be aware of the problem for a long time.

"The problem is compounded by the fact that buyers of used equipment rarely carry out a complete 'hygienic' check of the device before starting operation," he said.

Router
Photo: IZVESTIA/Yulia Mayorova

When buying a second-hand laptop, you should immediately do a complete reinstallation of the operating system from the official image. When buying a used smartphone, you should reset it to factory settings and then install applications only from official stores. You also need to check the device with an antivirus before connecting it to your home network.

How to spot suspicious activity

Malware can be detected, for example, by viewing the active processes in Task Manager, Daniil Glushakov said.

"If there's a process going on there that you don't know about and that you didn't start, it's quite possible that this is unwanted botnet activity," he said. "But it is possible to 'detect' malware in this way only at moments of activity. In addition, it usually stops working when the Task Manager is started."

Therefore, for an inexperienced user, the best option is to check the computer with an antivirus or utilities that detect such suspicious processes on their own.

"If unwanted activity is detected on the device, you need to disconnect the laptop, computer or tablet from the network, make a copy of the necessary data, format the hard disk, flash the BIOS (basic input/output system. — Ed.), reinstall the operating system," he said.

Smart speaker
Photo: IZVESTIA/Yulia Mayorova

But an infected device can also become an entry point to the entire home network. Hackers use it to scan other gadgets in the house, looking for vulnerabilities in the router, smart speakers, and cameras.

Therefore, if suspicious activity is detected on one device, all others should be checked, experts say.

Vadim Soldatenkov advised paying attention to abnormal behavior of the device.

"This can manifest itself in a noticeable slowdown, unexplained heating of the case, increased power consumption, as well as an increase in network traffic that the device generates for no apparent reason. For example, if a router or a smart set-top box starts actively exchanging data at night when no one is using them, this is a serious reason to be wary," he said.

If a device sends a large number of requests to unfamiliar external IP addresses, this is highly likely to indicate participation in a botnet.

Antivirus
Photo: IZVESTIA/Dmitry Korotaev

Ashot Oganesyan also recommended installing an antivirus on your phone or computer.

"The device's operation in a botnet can only be seen by analyzing network activity, for example on a router: if an Internet coffee maker generates gigabytes of traffic, then something is definitely wrong with it. And in general, no-name electronics should not be connected to the Internet," he said.

Kirill Levkin said that it is necessary to check the autorun list, active network connections and the presence of suspicious services on PCs and smartphones. Logs and external traffic need to be analyzed on network devices.
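
The traffic checks the experts describe (data exchanged at night when no one is using the device, many requests to unfamiliar external IP addresses) can be run over a router's connection log. The sketch below is an added example, not part of the Izvestia article; the log format, the 192.168.1.0/24 home subnet, the night window and both thresholds are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home subnet
NIGHT_HOURS = range(1, 6)        # assumed idle window, 01:00-05:59
MAX_NIGHT_BYTES = 50_000_000     # assumed threshold for night-time traffic
MAX_EXTERNAL_PEERS = 20          # assumed threshold for distinct external IPs

def parse(line):
    """Assumed format: '<ISO timestamp> <source IP> <destination IP> <bytes>'."""
    ts, src, dst, size = line.split()
    return datetime.fromisoformat(ts), ipaddress.ip_address(src), ipaddress.ip_address(dst), int(size)

def summarize(lines):
    """Per home device: bytes exchanged with external hosts at night, and the set of those hosts."""
    stats = defaultdict(lambda: {"night_bytes": 0, "peers": set()})
    for line in lines:
        ts, src, dst, size = parse(line)
        if src not in LAN or dst in LAN:
            continue  # keep only flows from a home device to an external address
        stats[str(src)]["peers"].add(dst)
        if ts.hour in NIGHT_HOURS:
            stats[str(src)]["night_bytes"] += size
    return stats

def suspicious(lines):
    """Return {device IP: [reasons]} for devices that exceed either threshold."""
    findings = {}
    for device, s in summarize(lines).items():
        reasons = []
        if s["night_bytes"] > MAX_NIGHT_BYTES:
            reasons.append("heavy traffic at night")
        if len(s["peers"]) > MAX_EXTERNAL_PEERS:
            reasons.append("many distinct external IPs")
        if reasons:
            findings[device] = reasons
    return findings

def sample_log():
    """Constructed log: a coffee maker (.50), a laptop (.10), a TV talking to a NAS."""
    lines = [f"2025-01-10T03:{i:02d}:00 192.168.1.50 203.0.113.{i + 1} 2000000"
             for i in range(30)]                      # 30 peers, 60 MB, at 3 a.m.
    lines.append("2025-01-10T14:00:00 192.168.1.10 198.51.100.5 80000000")  # daytime
    lines.append("2025-01-10T02:00:00 192.168.1.20 192.168.1.30 90000000")  # LAN only
    return lines

if __name__ == "__main__":
    print(suspicious(sample_log()))
```

Only the coffee maker is flagged: the laptop's large daytime transfer and the TV's LAN-only night traffic stay below both checks.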

Translated by Yandex Translate
