What is Proone?

Proone is a Linux worm that targets unconfigured IoT embedded devices with an MMU (Memory Management Unit). The project is a reengineered version of the Mirai botnet, developed as a serious effort to understand modern IoT security vulnerabilities.
This software is malware. Read the Security Notice before proceeding.

Key Capabilities

Proone features several advanced capabilities that distinguish it from its predecessors:

Self-Contained Operation

Complete breaking and entering capabilities with autonomous replication across vulnerable devices

IPv6 Support

Full IPv6 readiness with discovery and connectivity for modern network environments

DNS over TLS CNC

Command and control using DNS over TLS for encrypted, difficult-to-analyze communications

Binary Recombination

Self-contained executable archive for multiple architectures enabling decentralized propagation

Architecture Overview

Proone consists of four main subsystems that work together to infect hosts and maintain control:

Core Subsystems

Provides the backdoor and command-and-control (CNC) mechanism on infected devices. Maintains persistent communication and allows remote maintenance access.

Key Features:
  • Point-to-point and broadcast framing protocol
  • Works over TCP/IP transport streams
  • Two-way certificate verification
  • ALPN protocol checking

Discovers vulnerable nodes on both the internet and link-local networks through active scanning.

Key Features:
  • Fabricated SYN packet scanning
  • IPv4 and IPv6 network discovery
  • ICMPv6 probing for IPv6 hosts
  • Configurable target and blacklist networks

Break-and-Enter workers exploit vulnerabilities to gain access to target hosts.

Key Features:
  • Credential dictionary brute force
  • M2M binary upgrade capability
  • Extensible vulnerability interface
  • Multiple concurrent worker instances

Custom DNS resolver designed specifically for Proone's TXT record CNC mechanism.

Key Features:
  • DNS over TLS (DoT) support
  • Promise-future query model
  • Hardcoded public name servers
  • Connection pooling and failover

Technical Highlights

Binary Archive System

Carries executables for multiple architectures (ARM, MIPS, x86, PowerPC, M68K, SH4) enabling self-propagation without external binary distribution servers.

Data Vault

Masked storage for sensitive data including credentials and CNC configuration, protected from memory dumps and string analysis.

Ephemeral Presence

Deletes its own executable on startup and uses only memory-backed filesystems (tmpfs/devtmpfs), so that no traces are left on non-volatile storage.
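A host-side check for the two traits just described, added here as an example and not part of the Proone project: it flags processes whose `/proc/<pid>/exe` target has been unlinked (the kernel appends ` (deleted)`) or resides on a memory-backed filesystem. The mount table and process list in the demo are constructed sample data; `scan_proc()` runs the same logic against the live `/proc` of the host it is executed on.

```python
import os
MEMORY_FS = {"tmpfs", "devtmpfs", "ramfs"}  # memory-backed filesystem types

def parse_mounts(mounts_text):
    # /proc/self/mounts lines: 'device mountpoint fstype options dump pass'.
    # Longest mountpoint first so nested mounts (/dev/shm) win over parents (/dev).
    mounts = [(r[1], r[2]) for r in map(str.split, mounts_text.splitlines()) if len(r) >= 3]
    return sorted(mounts, key=lambda m: len(m[0]), reverse=True)

def fstype_of(path, mounts):
    for mountpoint, fstype in mounts:
        if path == mountpoint or path.startswith(mountpoint.rstrip("/") + "/"):
            return fstype
    return None

def classify_exe(pid, exe_link, mounts):
    # exe_link is os.readlink('/proc/<pid>/exe'); the kernel appends ' (deleted)'
    # when the executable was unlinked after the process started.
    if exe_link.endswith(" (deleted)"):
        return (pid, exe_link, "executable deleted while running")
    fstype = fstype_of(exe_link, mounts)
    if fstype in MEMORY_FS:
        return (pid, exe_link, f"executable lives on {fstype}")
    return None

def scan_proc(proc="/proc"):
    # Live scan of this host: apply classify_exe to every numeric /proc entry.
    with open(os.path.join(proc, "self", "mounts")) as f:
        mounts = parse_mounts(f.read())
    findings = []
    for name in filter(str.isdigit, os.listdir(proc)):
        try:
            link = os.readlink(os.path.join(proc, name, "exe"))
        except OSError:
            continue  # process exited, is a kernel thread, or is not readable
        if finding := classify_exe(int(name), link, mounts):
            findings.append(finding)
    return findings

# Constructed sample data (not from a real host) so the demo runs offline.
SAMPLE_MOUNTS = """/dev/sda1 / ext4 rw,relatime 0 0
devtmpfs /dev devtmpfs rw,nosuid 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev 0 0
"""
SAMPLE_PROCS = [(412, "/usr/sbin/sshd"), (1337, "/tmp/.x (deleted)"), (1400, "/dev/shm/.w")]

def demo():
    mounts = parse_mounts(SAMPLE_MOUNTS)
    return [f for f in (classify_exe(p, l, mounts) for p, l in SAMPLE_PROCS) if f]
```

Legitimate software occasionally matches too (a daemon still running after a package upgrade replaced its binary), so treat a hit as a lead to triage rather than a verdict.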

Resource Efficient

Uses cooperative multitasking (GNU Pth) to run on resource-constrained embedded devices with minimal CPU and memory footprint.

Documentation Structure

This documentation is organized into the following sections:

Getting Started

Installation, compilation, and initial configuration

Architecture

In-depth subsystem design and implementation details

Protocols

Heartbeat protocol, data formats, and communication specs

Tools & Utilities

Standalone tools, testing utilities, and maintenance clients

Proone is designed for security research and educational purposes. Always operate in controlled, isolated environments.

Project Goals

The original concept behind Proone (derived from “pruning”) was to understand how vulnerable IoT devices could be systematically identified and potentially removed from the internet. The project explores:
  • IoT Security Vulnerabilities: Neglected devices with unpatched software
  • Predictable Security Flaws: Default credentials and maintenance backdoors
  • Network Propagation: Self-replication techniques across heterogeneous architectures
  • Detection Evasion: Methods used by malware to avoid detection and analysis
This project was developed as an “art project” to understand security vulnerabilities. The author explicitly abandoned any operational deployment ideas before publication.

Dependencies

Proone relies on minimal, essential dependencies:
  • libssh2: SSH brute force vector implementation
  • Mbedtls: TLS connections for DNS and Heartbeat protocol
  • zlib: Binary archive compression
  • Pthsem: Cooperative multitasking/threading
  • libyaml: Configuration file parsing (hostinfod)
  • mariadb-connector-c: Database backend (hostinfod)
Copyright (c) 2019-2022 David Timber <[email protected]>

Read the Foreword

Learn about the project’s origins and the author’s perspective