When someone says "IoT botnet", most security practitioners think of DDoS attacks.
Most IoT botnets are indeed used for DDoS, but in recent months several of the IoT malware strains used to assemble them have added capabilities beyond DDoS.
The most common of these is relaying web traffic through a SOCKS proxy server installed on the infected device.
One such botnet is the one built with the Linux.ProxyM malware. Unlike its brethren, this botnet never had DDoS capabilities; it was designed from the start to function as a large mesh of proxy servers running on smart devices.
Linux.ProxyM appeared in February 2017, and by June 2017 the botnet had grown to nearly 10,000 bots. Although it has since shrunk to 4,500 - 5,000 devices, it has gained a new feature.
According to security researchers from Russian antivirus maker Dr.Web, the company that first identified Linux.ProxyM, the botnet is now engaged in email spam campaigns.
Researchers say that after infecting a device, Linux.ProxyM will connect to its command and control server and request further instructions.
This server responds by providing an SMTP server address, the login and password used to access it, a list of email addresses, and an email message template.
The malware assembles the email, connects to the remote SMTP server, authenticates with the supplied credentials, and instructs the server to deliver the message to each address on the list it was given.
The C&C server could send spam through those remote SMTP servers itself, but routing it through infected IoT devices hides the attacker's true location from the mail providers and from anyone tracing the spam.
Dr.Web says that right now, Linux.ProxyM is behind a wave of adult-themed spam messages. Researchers say that a device infected with Linux.ProxyM sends on average about 400 emails per day. Multiplied by 4,500 bots, that's around 1.8 million messages per day.
The per-device number is low, most likely to keep the SMTP servers being abused off spam blacklists. Linux.ProxyM was originally used to relay web traffic, and it retains that capability.
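One check a network defender can run against the behaviour described above, as an added example that is not Dr.Web's or the article's code: a camera, DVR or router has no business opening outbound SMTP sessions, so counting connections to ports 25, 465 and 587 per internal host, minus the site's known mail relays, surfaces candidate bots. The log format, the IP addresses and the allowlist below are constructed for the example.

```python
# Added example for this article (not Dr.Web's analysis tooling, not the
# malware): flag internal hosts that open outbound SMTP sessions, which is
# the network-visible side effect of the spam loop described above.
from datetime import datetime, timezone

SMTP_PORTS = {25, 465, 587}

# Hypothetical allowlist: the site's legitimate mail relay(s).
KNOWN_MAIL_HOSTS = {"10.0.0.5"}

# Constructed sample log, one connection per line:
# "<ISO-8601 UTC timestamp> <src_ip> <dst_ip> <dst_port>"
# 10.0.0.5 is the site MTA; 10.0.1.20 stands in for an infected camera.
SAMPLE_LOG = """\
2017-09-19T00:05:11Z 10.0.0.5  203.0.113.10 25
2017-09-19T00:07:40Z 10.0.1.20 198.51.100.8 25
2017-09-19T00:11:02Z 10.0.1.20 198.51.100.8 25
2017-09-19T00:12:30Z 10.0.1.21 192.0.2.44   443
2017-09-19T00:15:55Z 10.0.1.20 198.51.100.9 587
2017-09-19T06:15:55Z 10.0.1.20 198.51.100.9 587
"""


def parse_log(text):
    """Parse the constructed log format into a list of connection records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "dst": dst,
            "dport": int(dport),
        })
    return records


def smtp_sessions_by_host(records, known_mail_hosts=KNOWN_MAIL_HOSTS):
    """Summarise outbound SMTP activity per source, skipping allowlisted MTAs.

    Returns {src_ip: {"sessions": n, "servers": {dst_ip, ...},
                      "first": datetime, "last": datetime}}.
    """
    summary = {}
    for r in records:
        if r["dport"] not in SMTP_PORTS or r["src"] in known_mail_hosts:
            continue
        entry = summary.setdefault(
            r["src"], {"sessions": 0, "servers": set(), "first": r["ts"], "last": r["ts"]})
        entry["sessions"] += 1
        entry["servers"].add(r["dst"])          # the C&C hands out several SMTP servers
        entry["first"] = min(entry["first"], r["ts"])
        entry["last"] = max(entry["last"], r["ts"])
    return summary


def flag_rogue_senders(records, known_mail_hosts=KNOWN_MAIL_HOSTS, min_sessions=1):
    """Return the non-MTA source IPs that opened at least min_sessions SMTP sessions."""
    summary = smtp_sessions_by_host(records, known_mail_hosts)
    return sorted(src for src, e in summary.items() if e["sessions"] >= min_sessions)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for src, e in smtp_sessions_by_host(recs).items():
        hours = (e["last"] - e["first"]).total_seconds() / 3600
        print(f"{src}: {e['sessions']} SMTP sessions to {len(e['servers'])} servers "
              f"over {hours:.1f} h")
    print("flagged:", flag_rogue_senders(recs))
```

The default threshold is a single session on purpose: Dr.Web's figure of roughly 400 messages per bot per day means an infected device talks SMTP every few minutes, but even one outbound SMTP session from a device with no mail role deserves a look. Firewall or flow-export logs from the gateway are the usual source for the records, since the devices themselves rarely log anything.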
The malware has also evolved since the versions researchers saw in May and June: it now ships in two different builds and targets IoT devices on a range of architectures, including x86, MIPS, MIPSEL, PowerPC, ARM, SuperH, Motorola 68000, and SPARC.
Linux.ProxyM spreads by logging into IoT equipment that is still running with its default credentials.