Botnet Research 

A consolidation of my botnet research with linked articles can be found below :

 

 1. Discovered the first instance of weaponization of Hadoop Yarn bug in botnet

Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

https://blog.radware.com/security/2018/10/new-demonbot-discovered/ 

 

  2. Malware Author Building "Death" Botnet Using Old AVTech Flaw

Ankit Anubhav, a security researcher at NewSky Security and the one who spotted this botnet, told Bleeping Computer today that EliteLands is adding new users to AVTech devices, but using shell commands as the passwords for these accounts.

https://www.bleepingcomputer.com/news/security/malware-author-building-death-botnet-using-old-avtech-flaw/ 

  3. New Hakai IoT botnet takes aim at D-Link, Huawei, and Realtek routers

That initial version of Hakai was based on Qbot (also known as Gafgyt, Bashlite, Lizkebab, Torlus or LizardStresser), an IoT malware strain that leaked online several years back. This first version of the botnet was unsophisticated and rarely active, Ankit Anubhav, a security researcher for NewSky Security, told ZDNet today.

https://www.zdnet.com/article/new-hakai-iot-botnet-takes-aim-at-d-link-huawei-and-realtek-routers/

  4.  DoubleDoor IoT Botnet Abuses Two Vulnerabilities to Circumvent Firewalls, Modems
 

NewSky’s Ankit Anubhav explains, "DoubleDoor botnet takes care of this, by using a randomized string in every attack (as shown in the image below). Lack of any standard string will make sure it is not very easy to classify the recon activity as malicious. The strings have one thing in common though, they are always 8 in length."

https://www.tripwire.com/state-of-security/latest-security-news/doubledoor-iot-botnet-abuses-two-vulnerabilities-to-circumvent-firewalls-modems/

  5. 18000 routers taken hostage in less than a day

IAnkit Anubhav : "IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers.The vulnerability is 2017-17215, leaked last Christmas & used in Satori"

 

 https://blog.avira.com/18000-routers-taken-hostage-in-less-than-a-day/ 

6. Masuta : Satori Creators’ Second Botnet Weaponizes A New Router Exploit.

Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project. A third SOAP exploit, TR-069 bug has also been observed previously in IoT botnets. This makes EDB 38722 the fourth SOAP related exploit which is discovered in the wild by IoT botnets.

 

https://blog.newskysecurity.com/masuta-satori-creators-second-botnet-weaponizes-a-new-router-exploit-2ddc51cc52a7

7. Agile QBot Variant Adds NbotLoader Netgear Bug in Its New Update

 

One interesting module in Qbot is its Botkiller functionality. Through the coder’s logic, QBot doesn’t like other botnets running and its Botkiller terminates “BusyBox” if another bot trace is found. The list in the leaked QBot source code contained 36 names. However, in the this sample we see that the list has increased more than five times, and 215 indicators of other botnets are added.

 

 https://blog.newskysecurity.com/agile-122bf2f4e2f3 

8. Chinese websites have been under attack for a week via a new PHP framework bug

 

"The Powershell one is bizarre," Ankit Anubhav, Principal Security Researcher for NewSky Security told ZDNet. "They actually have some code that checks for OS type and runs different exploit code for Linux, but they also run Powershell just to try their luck.

 

https://www.zdnet.com/article/chinese-websites-have-been-under-attack-for-a-week-via-a-new-php-framework-bug/

9. Huawei router exploit involved in Satori and Brickerbot given away for free on Christmas by Blackhat Santa

NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.

https://blog.newskysecurity.com/huawei-router-exploit-involved-in-satori-and-brickerbot-given-away-for-free-on-christmas-by-ac52fe5e4516

10. A bug in Mirai code allows crashing C2 servers

 

Ankit Anubhav, Principal Researcher at NewSky, explained how to exploit a trivial bug in the code of the Mirai bot, which is present in many of its variants, to crash it.The expert pointed out that a Mirai C2 server crashes when someone connects it using as username a sequence of 1025+ “a” characters.

https://securityaffairs.co/wordpress/85040/malware/mirai-servers-hack.html