New DemonBot Discovered


Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not exhibit the worm-like behavior of Mirai-based bots. As of today, Radware is tracking over 70 active exploit servers that are spreading DemonBot and exploiting servers at an aggregated rate of over 1 million exploits per day. Note that, though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, DemonBot is not limited to x86 Hadoop servers: following the Mirai build principles, it is binary compatible with most known IoT devices.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month, security researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop YARN bug in a Sora botnet variant. Hadoop clusters are typically very capable and stable platforms, and a single cluster can account for a much larger volume of DDoS traffic than an IoT device. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, starting slowly at the end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.
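To illustrate the kind of monitoring described above, here is an added example (not Radware's honeypot code) that scans constructed web-server access-log lines for the two YARN ResourceManager REST calls the exploit chain uses and aggregates attempts and unique source IPs per day; the log format, the trusted 10.0.0.0/8 prefix and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in Common Log Format, as a reverse proxy in front of a
# YARN ResourceManager might record them. Not real honeypot data.
SAMPLE_LOG = """\
198.51.100.7 - - [20/Oct/2018:09:12:01 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 128
198.51.100.7 - - [20/Oct/2018:09:12:02 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
203.0.113.42 - - [20/Oct/2018:11:40:13 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 128
10.0.0.5 - - [20/Oct/2018:12:00:00 +0000] "GET /ws/v1/cluster/info HTTP/1.1" 200 512
203.0.113.42 - - [21/Oct/2018:03:05:44 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 200 128
203.0.113.42 - - [21/Oct/2018:03:05:45 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 202 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>[^:]+):[^\]]+\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# The two public YARN REST calls the chain needs: obtain an application id, then
# submit an application whose launch command a NodeManager executes.
SUSPICIOUS = {
    ("POST", "/ws/v1/cluster/apps/new-application"): "new-application",
    ("POST", "/ws/v1/cluster/apps"): "submit-application",
}

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def yarn_exploit_stats(log_text, trusted_prefixes=("10.",)):
    """Per day: number of exploit-chain requests, the set of source IPs and how
    many reached the submit stage. Sources in trusted_prefixes (assumed to be
    cluster-internal clients) are ignored."""
    stats = defaultdict(lambda: {"attempts": 0, "sources": set(), "submits": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["ip"].startswith(trusted_prefixes):
            continue
        stage = SUSPICIOUS.get((rec["method"], rec["path"].rstrip("/")))
        if stage is None:
            continue
        day = stats[rec["day"]]
        day["attempts"] += 1
        day["sources"].add(rec["ip"])
        if stage == "submit-application":
            day["submits"] += 1
    return dict(stats)
```

Any external source that reaches the submit stage on a ResourceManager that is not supposed to be reachable without authentication deserves immediate attention.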

Older exploits, from servers that are offline by now, referenced Owari, a well-known Mirai variant infamous for the weak password the hackers used to secure their command and control database:

Recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday, Oct 21st. The same server also hosts the typical shell script we came to expect from multi-platform IoT malware:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed them to be different enough to warrant continuing the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is meant to run on a central command and control server and provides two services:

  • A bot command and control listener service, allowing bots to register and listen for new commands from the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that runs on infected servers; it connects to the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server, whose IP and port are hardcoded. If no port was specified for the C2 server, the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

Bot_ip

The public IP address of the device or server infected with DemonBot:

Port

Either 22 or 23, depending on the availability of Python or Perl and telnetd on the device/server:

Build

“Python Device”, “Perl Device”, “Telnet Device” or “Unknown”, depending on the availability of a Python or Perl interpreter on the device or server:

Arch

The architecture, determined at build time and depending on the executing binary on the compromised platform – supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc

OS

Limited identification of the host OS running the bot, based on package installer configuration files. The value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”.
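As an added example, not part of the original article or the bot's own code, the following detector looks for the check-in vocabulary listed above in a plaintext TCP payload (for instance traffic to port 6982); the sample payloads and the '|' field separator in them are constructed assumptions, and the matcher deliberately does not rely on that separator.

```python
import re

# Vocabulary DemonBot uses in its check-in, as listed in the fields above.
BUILDS = ("Python Device", "Perl Device", "Telnet Device", "Unknown")
ARCHES = ("x86_64", "x86_32", "Arm4", "Arm5", "Arm6", "Arm7", "Mips", "Mipsel",
          "Sh4", "Ppc", "spc", "M68k", "Arc")
OSES = ("Debian Based Device", "REHL Based Device", "Unknown OS")

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
ARCH_RE = re.compile(r"\b(" + "|".join(sorted(ARCHES, key=len, reverse=True)) + r")\b")
# "Unknown OS" must not be taken for the Build value "Unknown"; the lookahead guards it.
BUILD_RE = re.compile(r"\b(Python Device|Perl Device|Telnet Device|Unknown(?! OS))\b")
OS_RE = re.compile(r"\b(" + "|".join(OSES) + r")\b")
PORT_RE = re.compile(r"\b(22|23)\b")

# Constructed payloads; the '|' separator is an assumption, not the bot's real format.
SAMPLE_CHECKIN = b"198.51.100.23|22|Python Device|x86_64|Debian Based Device"
SAMPLE_CHECKIN_UNKNOWN = b"203.0.113.9|23|Unknown|Arm7|Unknown OS"
SAMPLE_BENIGN = b"SSH-2.0-OpenSSH_7.4\r\n"

def fingerprint_checkin(payload: bytes):
    """Return the fields of a DemonBot check-in found in a plaintext payload, or
    None if Build, Arch and OS are not all present. Matching is on the vocabulary
    only, so it does not depend on the field separator."""
    text = payload.decode("latin-1")
    build, arch, host_os = BUILD_RE.search(text), ARCH_RE.search(text), OS_RE.search(text)
    if not (build and arch and host_os):
        return None
    ips = IPV4_RE.findall(text)
    # Strip the IP before looking for the port so "22" inside an octet is not taken.
    port = PORT_RE.search(IPV4_RE.sub(" ", text))
    return {
        "bot_ip": ips[0] if ips else None,
        "port": int(port.group(1)) if port else None,
        "build": build.group(1),
        "arch": arch.group(1),
        "os": host_os.group(1),
    }
```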

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets:
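Added example, not from the article: given constructed flow records it computes the smallest prefix that covers all sources hitting one destination, which is the footprint a spoofit value below 32 leaves in flow data, and checks observed sources against bot_ip/<spoofit>; the flow tuples and the packet threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed flow records (src, dst, proto, packets), not captured data. The three
# 198.51.100.x sources stand in for one bot at 198.51.100.5 attacking with spoofit=24.
SAMPLE_FLOWS = [
    ("198.51.100.5",   "192.0.2.10", "udp", 4000),
    ("198.51.100.77",  "192.0.2.10", "udp", 4000),
    ("198.51.100.200", "192.0.2.10", "udp", 4000),
    ("203.0.113.9",    "192.0.2.10", "tcp", 3),
    ("10.0.0.8",       "192.0.2.25", "tcp", 40),
]

def covering_prefix(ips):
    """Smallest IPv4 network containing every address in ips. Its prefix length is
    the largest spoofit value consistent with the observed sources."""
    nums = [int(ipaddress.IPv4Address(ip)) for ip in ips]
    diff = 0
    for n in nums[1:]:
        diff |= n ^ nums[0]          # bits in which any two sources differ
    plen = 32 - diff.bit_length()    # common leading bits = prefix length
    return ipaddress.ip_network(f"{ips[0]}/{plen}", strict=False)

def sources_consistent_with_spoofit(bot_ip, spoofit, observed):
    """True if every observed source lies inside bot_ip/<spoofit>, the range the
    bot draws spoofed addresses from; with spoofit=32 only bot_ip itself fits."""
    net = ipaddress.ip_network(f"{bot_ip}/{spoofit}", strict=False)
    return all(ipaddress.IPv4Address(ip) in net for ip in observed)

def flood_candidates(flows, min_packets=1000):
    """Per destination: total packets, distinct sources and the covering prefix of
    all sources that sent at least min_packets. Many sources collapsing into one
    small prefix is the pattern the spoofit netmask produces."""
    by_dst = defaultdict(list)
    for src, dst, _proto, pkts in flows:
        if pkts >= min_packets:
            by_dst[dst].append((src, pkts))
    result = {}
    for dst, entries in by_dst.items():
        srcs = [s for s, _ in entries]
        result[dst] = {"packets": sum(p for _, p in entries),
                       "sources": len(set(srcs)),
                       "prefix": str(covering_prefix(srcs))}
    return result
```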

Fixed payload used by the STD UDP attack:

IOC


Recognized cyber security and emerging technology thought leader with 20+ years of experience in Information Technology. As the EMEA Cyber Security Evangelist for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team, Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper, working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal became skilled in several programming languages, designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

56 COMMENTS

  1. […] First spotted in its infancy in honeypot data by a NewSky Security researcher, the botnet has since matured and grown. Whereas the botnet initially consisted of a few command and control servers, Radware now explains, in an alert published today, that the botnet has grown to more than 70 servers. […]

  2. […] Exploiting the Hadoop YARN vulnerability is relatively simple: this command injection vulnerability allows an attacker to execute arbitrary shell commands. Last month, another cybersecurity company, Radware, found that this vulnerability was being used to install the DemonBot DDoS bot. In many ways, this vulnerability resembles other vulnerabilities Netscout has found in IoT devices. For example, CVE-2014-8361 (a vulnerability in Realtek's UPnP SOAP interface) can also be exploited by sending an HTTP request with specific parameters to a specific port to induce the execution of shell commands, and that vulnerability has also been used to deliver Mirai variants. […]
