WICKED BOTNET USES PASSEL OF EXPLOITS TO TARGET IOT
May 22, 2018
Seid Yassin

Yet another variant of the Mirai botnet has appeared on the scene, but this one has a twist: The code is integrated with at least three exploits that target unpatched IoT devices, including closed-circuit cameras and Netgear routers. It also has ties to a web of other botnets, made for DDoS attacks, which can all be traced back to one threat actor.

The original Mirai gained access to connected devices by brute-forcing default credentials in order to enslave them, but the Wicked botnet, named after the underground handle of its author, prefers to exploit unpatched vulnerabilities instead.

Fortinet’s FortiGuard Labs team analyzed the botnet and found that it selects which exploit to fire based on the port it manages to connect to.

“It scans ports 8080, 8443, 80 and 81 by initiating a raw socket SYN connection; if a connection is established, it will attempt to exploit the device and download its payload,” explained researchers Rommel Joven and Kenny Yang, in the analysis. “It does this by writing the exploit strings to the socket. The exploit to be used depends on the specific port the bot was able to connect to.”

Specifically, a connection to port 8080 triggers an exploit for a flaw in Netgear DGN1000 and DGN2200 v1 routers (the same flaw used by the Reaper botnet); port 81 triggers a CCTV-DVR remote code execution exploit; port 8443 triggers a command injection exploit for the Netgear R7000 and R6400 routers (CVE-2016-6277); and port 80 is used for an "invoker" shell on compromised web servers. The port 80 path does not exploit the device itself: it relies on web servers that have already been compromised and carry a malicious web shell, and simply invokes that shell.
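The scan-then-exploit behaviour described above (raw SYN probes to 80, 81, 8080 and 8443, with the exploit string sent only once a connection is established) gives a defender a usable network signature. The following is an added example, not code from Fortinet's analysis or from the botnet: it profiles sources in a simplified, tab-separated connection log (timestamp, source, destination, destination port, connection state, loosely modelled on Zeek's conn.log, with "S0" meaning no reply and "SF" meaning a completed connection) and flags any source that probes at least three of the four Wicked ports within a short window. It then lists which probes from that source actually completed, since those are the hosts that would have received an exploit string. The log lines, the threshold values and the port-to-exploit labels in the dictionary are constructed for the example; the labels summarise the mapping given in the article.

```python
"""Flag scanners that sweep the Wicked port set (80, 81, 8080, 8443).

Added example for illustration; not the botnet's code and not Fortinet's.
Input is a constructed, tab-separated log: ts, src, dst, dport, state.
"""
from collections import defaultdict
from dataclasses import dataclass, field

WICKED_PORTS = {80, 81, 8080, 8443}

# Port-to-exploit mapping as reported in the article, used only for labelling.
EXPLOIT_BY_PORT = {
    8080: "Netgear DGN1000/DGN2200 v1 flaw",
    81: "CCTV-DVR remote code execution",
    8443: "Netgear R7000/R6400 command injection (CVE-2016-6277)",
    80: "invoker web shell on already-compromised web server",
}

# Constructed sample log (not real traffic): 203.0.113.7 sweeps all four
# ports on one host and gets two connections through on other hosts;
# 198.51.100.5 is an ordinary client that only ever talks to port 80.
SAMPLE_LOG = """\
1526947200.1\t203.0.113.7\t192.0.2.10\t8080\tS0
1526947200.2\t203.0.113.7\t192.0.2.10\t8443\tS0
1526947200.3\t203.0.113.7\t192.0.2.10\t80\tS0
1526947200.4\t203.0.113.7\t192.0.2.10\t81\tS0
1526947201.0\t203.0.113.7\t192.0.2.11\t8080\tSF
1526947201.1\t203.0.113.7\t192.0.2.12\t81\tSF
1526947202.0\t198.51.100.5\t192.0.2.10\t80\tSF
1526947203.0\t198.51.100.5\t192.0.2.11\t80\tSF
1526947204.0\t198.51.100.9\t192.0.2.10\t443\tSF
"""


@dataclass
class SourceProfile:
    """Everything we track per source IP while reading the log."""
    ports: set = field(default_factory=set)
    targets: set = field(default_factory=set)
    completed: list = field(default_factory=list)   # (dst, dport) with state SF
    first_ts: float = float("inf")
    last_ts: float = 0.0


def parse_line(line):
    ts, src, dst, dport, state = line.rstrip("\n").split("\t")
    return float(ts), src, dst, int(dport), state


def profile_sources(log_text):
    """Group Wicked-port activity by source IP; other ports are ignored."""
    profiles = defaultdict(SourceProfile)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, state = parse_line(line)
        if dport not in WICKED_PORTS:
            continue
        p = profiles[src]
        p.ports.add(dport)
        p.targets.add(dst)
        if state == "SF":
            p.completed.append((dst, dport))
        p.first_ts = min(p.first_ts, ts)
        p.last_ts = max(p.last_ts, ts)
    return profiles


def find_wicked_scanners(log_text, min_ports=3, max_window=60.0):
    """Sources touching >= min_ports Wicked ports within max_window seconds.

    Returns a sorted list of (src, sorted_ports, distinct_target_count).
    A single-port client (e.g. a normal HTTP user) never qualifies.
    """
    hits = []
    for src, p in profile_sources(log_text).items():
        if len(p.ports) >= min_ports and (p.last_ts - p.first_ts) <= max_window:
            hits.append((src, sorted(p.ports), len(p.targets)))
    return sorted(hits)


def completed_probes(log_text, src):
    """Completed connections from src on Wicked ports, labelled by the exploit
    the article associates with that port; these hosts warrant a closer look."""
    p = profile_sources(log_text).get(src)
    if p is None:
        return []
    return [(dst, port, EXPLOIT_BY_PORT[port]) for dst, port in p.completed]


if __name__ == "__main__":
    for src, ports, n_targets in find_wicked_scanners(SAMPLE_LOG):
        print(f"{src}: ports {ports} across {n_targets} targets")
        for dst, port, label in completed_probes(SAMPLE_LOG, src):
            print(f"  completed to {dst}:{port}  -> check for {label}")
```

The "S0" lines alone already identify the sweep; the "SF" lines are the ones worth triaging, because the bot only writes its exploit string after a connection is established. Tune `min_ports` and `max_window` to your environment: on a network where 80 and 8080 are both commonly served, requiring all four ports reduces noise at the cost of missing a partial sweep.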

“Since a lot of IoT malware (e.g. Mirai) have already attacked devices via default passwords/brute-forcing, new attacks like Wicked bot are forced to take a different option like the use of exploits to become effective,” explained Joven, in an interview with Threatpost.

Source | threatpost