Botnets



Known BOTNETS

The below list is not exhaustive and is meant to provide an overview of the most prevalent botnets impacting US victims. This page is updated regularly with new information.


What is a Botnet?

A botnet is a group of internet-connected computers and devices that have been infected by malware that allows a malicious actor to control them remotely. The malicious actor then uses the botnet for nefarious purposes such as sending spam email, stealing data, spreading additional malware infections to other devices, generating illicit advertising revenue through click-fraud, mining cryptocurrencies, or conducting distributed denial-of-service (DDoS) attacks. In the cases where botnets are used to conduct DDoS attacks, these infected devices are used to generate an excessive amount of network traffic designed to overwhelm a website, server, or online service to the point that legitimate users cannot access it. The use of a botnet in any of these illicit activities can make attribution difficult. Some botnet-creators may sell or rent their botnets to others who want to conduct attacks but who don’t have the time, skill, or motivation to create one themselves.

 
 


How is a Botnet Created?

Any internet-connected device that has latent hardware or software vulnerabilities can be ripe for hijacking by a malicious actor seeking to create a botnet. In order to do so, the malicious actor begins looking for specific devices that possess an easily exploitable vulnerability. He can find these devices by using a search engine specifically designed to expose their existence and location. The information that these search engines can reveal include the make and model of a device, as well as the location, IP address, the operating system, open ports, running services, and much more.

Once the malicious actor locates a device he wants to exploit and compromise, he uses a port scanner to determine what ports are listening, what services are running, and what operating system is being used. As soon as the malicious actor gathers enough information about the device and how it’s connected, he uses that information to his advantage and utilizes his skills and tools to gain unauthorized access. He may use default login credentials to access the administration panel of the device or he may attempt to brute-force the login screen. He may discover that the device is not password-protected or that the particular vulnerability he’s looking to exploit has been hardcoded into the device by the manufacturer.

After the malicious actor has gained access to the device, he installs malware onto it, either by delivering and launching an executable file or by replacing the firmware with a modified version. This malware is designed to allow him remote access of the device or it tells the device to establish contact with a command-and-control (C2) server and wait for additional commands. It can also act as a worm, establishing peer-to-peer (P2P) connections with additional vulnerable devices and spreading the infection automatically, saving the malicious actor the time and trouble of compromising each device individually.

Once the botnet has been created, the malicious actor decides how he will use it and issues commands to the zombie devices through the C2 server, which is either an Internet Relay Chat (IRC) channel or a dedicated server.


Devices at Risk of Botnet Compromise

The following is a list of devices previously leveraged by, or susceptible to compromise by, botnets. This is not an exhaustive list and will be updated as more information becomes available.

  • Routers produced by U.S.-based firm, Linksys
    • February 2014: Linksys E-Series routers were exploited by TheMoon botnet. (SANS Institute)
    • Linksys published a guide on how to prevent consumers’ routers from becoming infected with TheMoon. (Linksys)
       
  • Routers produced by Taiwan-based firm, ASUS
    • February 2014: Hackers expose ASUS router weakness by leaving a note on victims’ systems. (Ars Technica)
    • February 2014: A list of IP addresses of vulnerable ASUS routers was posted anonymously on Pastebin. (Pastebin)
    • February 2014: ASUS released firmware updates. (Softpedia)
    • February 2014: ASUS released additional firmware updates. (Softpedia)
    • January 2015: An exploit allows ASUS routers to be hacked from the local network. ASUS released firmware updates in response. (Security for Real People)
       
  • NAS devices produced by Taiwan-based firm, QNAP Systems, Inc.
    • December 2014: Attackers exploit the widely-publicized Shellshock, or Bash, vulnerability in QNAP network attached storage devices, using them to create a click-fraud botnet. QNAP released a patch to address the vulnerability. (SecurityWeek)
       
  • NetUSB firmware produced by Taiwan-based software company, KCodes
    • May 2015: SEC Consult Vulnerability Lab released an advisory on the Kernel Stack Buffer Overflow vulnerability present in KCodes NetUSB firmware. (SEC Consult)
    • May 2015: KCodes NetUSB: How a Small Taiwanese Software Company Can Impact the Security of Millions of Devices Worldwide. (SEC Consult)
       
  • IP Cameras produced by China-based firm, Foscam
    • November 2015: A consumer posted a complaint on the Foscam technical support message board that he witnessed his Foscam F8921p model IP camera attempting to call out to more than a dozen online hosts in various countries, despite disabling associated P2P settings and isolating the device on his network. (Foscam)
    • February 2016: Brian Krebs provides an in-depth look into the Foscam IP camera issue. (KrebsOnSecurity)
       
  • CCTV-DVR systems running Cross Web Server, software from China-based firm, TVT
    • March 2016: Vulnerability reported by an RSA security researcher, along with a list of vendors that sell/rebrand this hardware (KernerOnSec.com)
       
  • LTE Routers produced by Taiwan-based firm, Quanta Computer, Inc.
    • April 2016: A security researcher found that routers produced by Quanta had a number of critical vulnerabilities, including a hardcoded SSH server key and PIN, built-in backdoors, and weak password requirements. Quanta decided not to patch the vulnerabilities. (ThreatPost)
       
  • Routers produced by U.S.-based firm, Ubiquiti Networks
    • May 2016: A worm was discovered exploiting vulnerabilities in Ubiquiti Network routers running outdated firmware, using default login credentials to gain access, and self-propagating to other vulnerable devices. Ubiquiti Networks released a patch and a newer version of the software. (Symantec)
       
  • Routers produced by China-based firm, Huawei
    • September 2016: Sucuri discovered a botnet leveraging over 6,000 compromised Huawei routers. Huawei has recently released a number of security advisories addressing this issue. (Sucuri)
       
  • IP Cameras, DVRs, and NVRs produced by China-based firm, Dahua Technology
    • October 2016: Dahua Technology responds to allegations of its products’ vulnerabilities and directs users to its cybersecurity best practices guide. The company also advises consumers to only purchase its products from its list of authorized distributors and offers product replacement discounts for pre-January 2015 product models. (CEPro)
       
  • AirLink Cellular Gateway produced by Canada-based firm, Sierra Wireless
    • October 2016: Sierra Wireless discovers their AirLink gateways are being exploited by the Mirai Botnet and warns customers to change the default login credentials on the devices. Models LS300, GX400, GX/ES440, GX/ES450, and RV50 are particularly vulnerable. Sierra Wireless released a technical bulletin that includes recommended actions for consumers. ICS-CERT also released an alert for this vulnerability. (ZDNet)
       
  • IP Cameras, DVRs, and NVRs running Netsurveillance and CMS, software developed by China-based firm, XiongMai Technologies
    • October 2016: Vulnerabilities were published in a Technical Advisory by Flashpoint. (Flashpoint)
    • October 2016: XiongMai Technologies announced a recall of up to 10,000 of its IP cameras after they had been identified as having been used in the DDoS attack against Dyn’s DNS servers on October 21, 2016. (Reuters)
       
  • IP Cameras, NVRs, DVRs produced by Taiwan-based firm, AVTech
    • October 2016: Hungarian security firm discloses vulnerabilities. (Search-Lab)
       
  • D-Link Router Models DIR-8XX produced by US-based firm, D-Link Systems, Inc.
    • November 2016: CERT publishes Vulnerability Note VU#677427. (CERT)
    • November 2016: D-Link Systems, Inc. releases firmware updates. (D-LINK)
       
  • Siemens IP CCTV Cameras produced by US-based firm, Vanderbilt Industries
    • November 2016: ICS-CERT releases Advisory ICSA-16-322-01. (ICS-CERT)
    • November 2016: Vanderbilt Industries/Siemens releases advisory and firmware updates. (Siemens)
       
  • Wireless Routers produced by China-based firm, TP-Link
    • October 2013: German security researcher, Jakob Lell, reports how a real-world CSRF attack hijacks the DNS server configuration of TP-Link routers. (Jakob Lell’s Blog)
    • March 2014: Threat intelligence firm, Team Cymru, published a report on the growing exploitation of small office routers and provided an analysis of TP-Link Wi-Fi routers being actively exploited in the wild. (Team Cymru)
    • March 2014: TP-Link released firmware updates for some of the affected models to address the issue. (TP-Link Download Center)
    • November 2016: TP-Link TDDP Buffer Overflow/Missing Authentication Advisory is released. (Packet Storm Security)
       
  • SICAM PAS produced by German-based firm, Siemens
    • December 2016: ICS-CERT releases Advisory ICSA-16-336-01. (ICS-CERT)
       
  • DSL Modems produced by German-based firm, Deutsche Telekom
    • November 2016: SANS publishes advisory on the port 7547 SOAP remote code execution attack. (SANS Institute)
       
  • NPort serial device servers produced by Taiwan-based firm, Moxa
    • December 2016: ICS-CERT releases Advisory ICSA-16-336-02. (ICS-CERT)
       
  • MELSEC-Q Series Ethernet Interface Module by Japan-based firm, Mitsubishi Electric
    • December 2016: ICS-CERT releases Advisory ICSA-16-336-03. (ICS-CERT)
       
  • IPELA Engine IP Cameras produced by Japan-based firm, Sony
    • December 2016: SEC Consult publishes a security advisory. (SEC Consult)
       
  • Routers produced by US-based firm, Netgear
    • December 2016: ICS-CERT releases Vulnerability Note VU#582384. (ICS-CERT)
    • December 2016: Netgear releases security advisory for VU#582384 and firmware updates for some affected router models. (Netgear)
    • January 2017: Trustwave SpiderLabs Security releases Advisory TWSL2017-003 on CVE-2017-5521. (Trustwave)
    • January 2017: Netgear releases fixes and workaround procedures for some models affected by the Web GUI password recovery and exposure security vulnerability. (Netgear)
       
  • SmartCam IP Security Cameras produced by South Korean-based firm, Samsung
    • January 2017: CSO Reports on critical flaw discovered in Samsung SmartCam. (CSO)
    • January 2017: Researchers outline vulnerabilities and fixes. (Exploitee.rs)
        
  • ZyXEL and Billion Routers distributed by Thai ISP, TrueOnline
    • January 2017: Security researcher Pedro Ribeiro discloses vulnerabilities. (SecLists.org)
       
  • Baseboard Micro Controller (BMC) vulnerability produced by US-based firm, Supermicro
    • January 2017: Security researcher discloses vulnerability tied to port 49152. (CARI.net)
       
  • Websmart Switch Series DGS-1510 produced by US-based firm, D-Link Systems, Inc.
    • February 2017: D-Link Systems, Inc. releases firmware updates. (D-LINK)


    Strategies to Prevent and Mitigate Potential IoT Compromise

    To detect devices that are vulnerable to, or have been infected with, the Mirai botnet malware, Imperva and Rapid7 have both released free tools designed to scan networks for common IoT devices. Imperva’s tool, the Mirai Vulnerability Scanner, is available on, and can be directly run from, the company’s website. Rapid7’s tool, the IoTSeeker, is available for download from GitHub.com but can only be installed on a Linux or Mac system. The NJCCIC makes no claim as to the effectiveness of either of these tools and users are advised to exercise caution when downloading and installing any software from the internet.

    • Disconnect the infected device from the network.
       
    • Disconnect the infected device from its power source, and drain the remaining power from the internal battery, if applicable. Some botnet Trojans run only from the memory of the infected device, so removing the power source will clear the infection.
       
    • Perform a reboot and, if possible, reset the device to its factory-default settings.
       
    • Access the device’s administration panel. This may be done either on the device itself or through a web browser. Once you have gained access, immediately change the default login credentials to something more secure, using a combination of upper and lowercase letters, numbers, and non-alphanumeric characters or symbols.
       
    • Ensure that the device has the most up-to-date version of the firmware installed and apply patches as soon as they are released. Consult the product documentation or the manufacturer’s website for instructions on how to check the firmware version and download and install patches and updates.

    It is important to note that, in some cases, resetting the device, changing login credentials, and updating firmware will not completely eliminate the possibility or potential of compromise, especially if the malware is being delivered via the firmware itself or if there is an issue with the underlying hardware. Also, if the device contains hardcoded credentials or if consumers cannot disable SSH or Telnet access to the device, there is the potential for additional compromise. Consumers are then left with only a few remaining options:

    • Search online for any published security alerts or publicly-posted consumer complaints regarding security problems with your particular device.
       
    • Discontinue the use of any vulnerable device that has not been patched, or cannot be patched, by the vendor.


    Prevention and Mitigation Strategies for Network Administrators

    • Establish a network activity baseline prior to connecting any IoT devices to your network. Continue to monitor both the inbound and outbound traffic on your network after connecting the device(s) for spikes in traffic or other anomalies.
       
    • Disable Universal Plug and Play (UPnP) on routers.
       
    • Disable SSH (TCP/22) and Telnet (TCP/23) access.
       
    • Proactively block any unused and unnecessary ports.
       
    • Botnet activity has been detected on the following ports and proactively blocking these ports is strongly advised:
      • TCP/103 (block incoming traffic)
      • TCP/2323 (block incoming traffic)
      • TCP/23231 (block incoming traffic)
      • TCP/6789 (block incoming traffic)
      • TCP/48101 (block outgoing traffic)
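    The two administrator controls above (a traffic baseline and the advisory port list) can be checked mechanically. The script below is an added example, not NJCCIC code: it matches constructed flow records against the page’s direction-specific port list, flags inbound SSH/Telnet attempts, and compares per-host outbound flow counts with a constructed baseline; the record format, IP addresses and baseline values are assumptions for illustration.

```python
"""Added example (not from the original page): match constructed flow
records against the NJCCIC port advisory and a per-host outbound baseline."""
from collections import Counter

# Ports from the advisory above, keyed by the direction the page says to block.
BLOCK_INBOUND = {103, 2323, 23231, 6789}
BLOCK_OUTBOUND = {48101}
REMOTE_ADMIN = {22, 23}  # SSH and Telnet, which the page says to disable

# Constructed sample records: direction src_ip:port dst_ip:port proto
SAMPLE_LOG = """\
in 203.0.113.7:51234 192.168.1.20:2323 tcp
in 203.0.113.9:40001 192.168.1.20:23 tcp
out 192.168.1.20:39000 198.51.100.5:48101 tcp
out 192.168.1.20:39001 198.51.100.6:48101 tcp
out 192.168.1.20:39002 198.51.100.7:48101 tcp
out 192.168.1.20:39003 198.51.100.8:48101 tcp
in 203.0.113.7:51235 192.168.1.30:443 tcp
out 192.168.1.30:50000 93.184.216.34:443 tcp
"""
# Constructed baseline: outbound flows per internal host before IoT devices joined.
BASELINE = {"192.168.1.20": 1, "192.168.1.30": 1}

def parse_line(line):
    direction, src, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"dir": direction, "src_ip": src_ip, "dst_ip": dst_ip,
            "dst_port": int(dst_port), "proto": proto}

def flag_ports(log_text):
    """Return (record_number, reason) for each TCP record hitting the advisory list."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        r = parse_line(line)
        if r["proto"] != "tcp":
            continue
        if r["dir"] == "in" and r["dst_port"] in BLOCK_INBOUND:
            hits.append((n, f"inbound to blocked port {r['dst_port']}"))
        elif r["dir"] == "out" and r["dst_port"] in BLOCK_OUTBOUND:
            hits.append((n, f"outbound to blocked port {r['dst_port']}"))
        elif r["dir"] == "in" and r["dst_port"] in REMOTE_ADMIN:
            hits.append((n, f"inbound remote-admin attempt on port {r['dst_port']}"))
    return hits

def outbound_spikes(log_text, baseline, factor=3):
    """Hosts whose outbound flow count exceeds `factor` times their baseline."""
    counts = Counter(parse_line(l)["src_ip"]
                     for l in log_text.splitlines() if l.startswith("out "))
    return {ip: c for ip, c in counts.items() if c > factor * baseline.get(ip, 0)}
```

    Run against real firewall or NetFlow exports, the same two functions give a quick first pass on whether the advisory ports are actually being blocked and which internal hosts have changed behaviour since the baseline was taken.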


    REPORTING

    If your organization is the victim of a botnet attack, or would like to learn more about the NJCCIC, please contact a Cyber Liaison Officer at njccic@cyber.nj.gov.