A Bevy of Botnets

Trickbot & Mirai & VPNFilter
Botnets do more than put things out of kilter
Ransomware, miners & banking crime rings
These are a few of my favourite things

Ah botnets – they scare and fascinate me, like a really good horror movie.  And given the horror show that IoT has become, that is rather apropos.  At the beginning of January I became fascinated with what we have all seen develop into The Year of the Botnet.  That fascination led to research which led to talks and now to this blog post.  Because there are just so many good stories here to tell.

Something wicked this way comes …

Imagine a zombie apocalypse … of crockpots? Welcome to the connected hell of IoT, where “set it and forget it” really is a best practice. Default passwords are de rigeur. And embedded system vulnerabilities are everywhere. Have we even factored in the tsunami of unsecured connected devices being acquired by the developing world?
Botnets have moved beyond the realm of script kiddies playing the Grinch at Christmas with Playstations & X Boxes. We need to look at these as more than an attack of annoyance or inconvenience. They have become one more weapon in a digital arsenal for the games nationstates play, no referee, no playbook.

biggest ddos recorded

At the beginning of January, we saw a flurry of activity as Mirai variants got busy out there. More importantly, 2018 is to coinminers what 2016 was to ransomware. And coinminers go together with bots like peanut butter goes with jelly.

My hit list of the biggest and baddest:

Smominru: Holy carp but this one was a giant mining rig that opened the floodgates in January and caught my attention by the sheer size. This is one of the biggest, most successful cryptojacking botnets currently active.  It netted $2.3 billions by leveraging EternalBlue to find and enslave more devices. Superpower: evades sinkholes.

Necurs: The hits just keep on coming. The largest spam botnet in the world discovered ransomware just in time for Thanksgiving last year. Necurs is known for delivering some of the nastiest stuff out there. And serves as a pointed reminder that threats don’t disappear forever.

Mirai and its spawn: Mirai was a watershed moment, bringing the east coast to its knees with an unprecedented prolonged outage. That source code was released, and has been manipulated like playdough in the hands of attackers. The past six months have brought about significant evolutions in what the botnets target and what the botnets can do. Progeny include Satori, Matsuta, Okiru.

Satori: This is an attack bot, hijacks cryptocurrency miners, steals funds, launches SSoS attacks. It survived a takedown attempt in December. Then it went after those tasty GPON routers. Port 8000 sure was busy in June. Lots of port scanning for devices with that open via their WAN interface in response to the XionMai PoC , a buffer overflow vuln CVE-2018-10088. That’s a lightweight web server package often embedded in the firmware of some Chinese routers and IoT equipment. Then the botnet authors added support for a second exploit. (See  Bleeping Computer June 15) This had a PoC also online for D-Link DSL-2750B routers, exploitable via ports 80 and 8080.

I’ll spend a little more time on Satori because it showcases how the release of the Mirai code has pushed the evolution of botnets.  Satori selectively scans for vulnerable IoT devices, and exploits – no surprises here, Huawei. And … the code for Satori was posted on Pastebin for free.


Hide n Seek: Persistence pays off. Here’s the pivot we’ve been waiting for. This is the first time a botnet has achieved persistence, and I don’t have to tell you that’s a bad thing. There are a few other interesting enhancements that indicate attackers are looking beyond what we see bots currently used for: a custom built peer-to-peer communications set up; multiple anti-tampering techniques so that nobody can interfere; leveraging exploits.  This bot has had three updates, increasing its capabilities significantly each time. It moved from basic IoT cameras to a host of other IoT connected devices and a range of architectures. Now, it can go after Android devices. For a botnet whose sole purpose thus far has been to go forth and grow, they just seriously upped their game.

VPNFILTER:  Who didn’t get the notification from the FBI about turning off their SoHo routers to flush this malware.  This hit around June, with all the bells and whistles than come with a Nationstate backed investment. TLS – ha! bypassed that security. Man in the middle attacks on incoming web traffic. What had security folks doing a double take was that this malware wasn’t about just co-opting these devices for a routing attack but to actually pwn the device completely and take ALL the data going through it – yes, attention online shoppers. According to the Talos team, the attacks were extremely targeted, pinpointing credentials. This went after ALL the routers, 500,000 in 54 countries, gobbling up those vulnerabilities. It hasn’t gone away, it’s just gotten better at what it does and added even more routers to its growing collection. And yes, it most definitely has persistence.

PROWLI:  This infected 40,000 web servers, modems and IoT devices in what is described as a “diverse operation” that leverages known vulnerabilities and brute force attacks for credentials. Targets of choice included Drupal, WordPress and Joomla sites, hitting exposed SMB ports.  The malware spread via the R2R2 worm to load a Monero miner, and infected the CMS platforms with a backdoor.

Mylobot:  Evasion. Infection. Propogation. There’s a whole lot of upscale tricks this new malware came loaded with. AntiVM, ant-sandboxing, anti-debugging, process hollowing, code injection. This botnet is multipurpose, ready to be loaded with keyloggers and trojans, or cause a DDoS. Superpower: seek and destroy other malware.

Anarchy:  Rome wasn’t built in a day but Anarchy botnet sure was. 18,000 devices were tracked when security researchers saw a serious uptick in scanning Huawei devices on July 18. Yeah, no problems with those. They were looking for CVE-2017-17215, which is a critical flaw that can be exploited through port 37215. Attackers can send packets of maliciousness in attacks and remotely execute code to enslave and control these zombies. A hacker called Anarchy has declared this their creation per security researcher Ankit Anubhav on twitter. This vulnerability was leaked in Dec 2017 and used in the Satori botnet. The code to compromise the Huawei routers was made public in January and used in both the Satori and Brickerbot botnets, as well as spawn of Mirai botnets.

And I think I saved the best for last …

Torii: New on the scene, this one joins the hall of infamy as only the 3rd botnet to achieve persistence, Torii does not appear intended for the mundane purposes of DDoS or cryptomining.  It uses no less than 6 techniques for persistence, and is designed for a dizzying array of CPU architectures. Torii has a modular design so that it can be multipurpose, designed to do the dirty work under layers of encrypted communications. Nobody knows what its actual purpose is or who made it, but thoughts are this could be the backdoor to something even bigger. Time will tell …

BYOD and IoT  
We all know about Shadow IT. And the joys of trying to manage BYOD. Everyone brings their own stuff in. Or uses their own stuff remotely. The intermingling of unregulated tech and sensitive data is terrifying but real. SOHO routers are heart of botnets, enslaving attached devices. What does this look like if it goes beyond routers and webcams flooding access?

Bad bad bad bad things …

What aren’t we taking into consideration that attackers could leverage next? I have a few theories for you about ICS and sensors working overtime.


Most botnets have tasks to fulfil. Which means they need to call home, and that reveals the C+C servers so that you can eventually track them down. So here’s the next pivot: what if they don’t have to call home? What if they have one job: to go forth, infect and grow. We’re talking about a wormable botnet, self-propogating, that leverages some of the best available exploits out there, like EternalBlue. With no human required. Up to now, botnets have mostly been monetized for DDoS and sold on the darknet, unless they being used to amuse skiddies. The exception was Mirai, which was used as retribution in targeted attacks against Brian Krebs, and a major provider in France. DDoS became a weapon, not just an outage.

The fact is that attacks evolve. Where could attackers go with this? What if attackers level up to nationstates? The devices that make up an army don’t need to be sophisticated. In this game it’s about quantity, not quality.

How much damage can they do? Weaponized botnets are no mere annoyance. Their capacity to create extensive outages or deliver malicious and damaging payloads is far beyond inconvenience.

What do you get when you combine unpatched vulnerabilities, existing nation-state exploits, millions of enslaveable, inherently insecure devices and self-propogating malware? What if you could use time delay, to evade notice and make less noise? Leverage multiple attack methods, based on operating system? Establish persistence? Oh – and it’s all automated.





























Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s