New DemonBot Discovered


Are you using Hadoop for data analytics? If so, know that a new bot is targeting Hadoop clusters with the intention of performing DDoS attacks powered by the strength of cloud infrastructure servers. Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.

Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.

DemonBot spreads only via central servers and does not exhibit the worm-like behavior of Mirai-based bots. As of today, Radware is tracking over 70 active exploit servers that are spreading DemonBot and exploiting servers at an aggregated rate of over 1 million exploits per day. Note that although we found no evidence that DemonBot is actively targeting IoT devices at this time, DemonBot is not limited to x86 Hadoop servers: following the Mirai build principles, it is binary compatible with most known IoT devices.

It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop YARN bug in a Sora botnet variant. Hadoop clusters are typically very capable and stable platforms and can individually account for much larger volumes of DDoS traffic than IoT devices. The DDoS attack vectors supported by DemonBot are UDP and TCP floods.

Hadoop YARN Exploits

Radware Research has been tracking malicious actors exploiting a Hadoop YARN unauthenticated remote command execution for which proof of concept code was first published here in March of this year. YARN, Yet Another Resource Negotiator, is a prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform. YARN exposes a REST API which allows remote applications to submit new applications to the cluster. The exploit requires two steps:

Our deception network recorded repeated attempts for /ws/v1/cluster/apps/new-application, starting slowly at the end of September and growing to over 1 million attempts per day for most of October.

The number of unique IPs from where the requests originated grew from a few servers to over 70 servers this week.
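The two measurements above (attempts per day and unique source IPs per day) can be reproduced from ordinary web-server or honeypot access logs. The following Python is an added example, not Radware's honeypot code; the log lines are constructed samples in Apache combined format and the addresses are documentation ranges.

```python
import re
from collections import defaultdict

# YARN ResourceManager REST paths touched by the exploit attempts: an
# application id is requested first, then the application is submitted.
YARN_PATHS = ("/ws/v1/cluster/apps/new-application", "/ws/v1/cluster/apps")

# Constructed sample lines (Apache combined log format), not real honeypot data.
SAMPLE_LOG = """\
192.0.2.10 - - [03/Oct/2018:14:02:11 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 209 "-" "python-requests/2.18.4"
192.0.2.10 - - [03/Oct/2018:14:02:12 +0000] "POST /ws/v1/cluster/apps HTTP/1.1" 404 209 "-" "python-requests/2.18.4"
198.51.100.7 - - [03/Oct/2018:21:40:03 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 209 "-" "curl/7.58.0"
203.0.113.5 - - [04/Oct/2018:02:15:44 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0"
198.51.100.7 - - [04/Oct/2018:06:11:09 +0000] "POST /ws/v1/cluster/apps/new-application HTTP/1.1" 404 209 "-" "curl/7.58.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<day>\d{2}/\w{3}/\d{4}):[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_yarn_probe(entry):
    """True for a POST to one of the YARN application-submission endpoints."""
    path = entry["path"].split("?", 1)[0].rstrip("/")  # ignore query strings
    return entry["method"] == "POST" and path in YARN_PATHS


def summarize(log_text):
    """Map each day to the number of YARN probes and the set of source IPs.

    Days are kept in first-seen order, so the log is assumed chronological."""
    per_day = defaultdict(lambda: {"attempts": 0, "sources": set()})
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry and is_yarn_probe(entry):
            per_day[entry["day"]]["attempts"] += 1
            per_day[entry["day"]]["sources"].add(entry["ip"])
    return dict(per_day)


def new_sources(per_day):
    """Source IPs that appear on a day but on no earlier day: the growth of the
    exploit-server population, which is what the 'few servers to over 70' figure
    tracks."""
    seen, fresh = set(), {}
    for day, stats in per_day.items():
        fresh[day] = stats["sources"] - seen
        seen |= stats["sources"]
    return fresh


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    for day, s in stats.items():
        print(day, s["attempts"], "probes from", len(s["sources"]), "sources")
```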

Older exploits from servers that are offline by now were referencing a well-known Mirai variant Owari, infamous because of the weak password used by the hackers for securing their command and control database:

Recently, however, we found Owari to be replaced by a new bot:

This new ‘bash’ binary was added to the server on Sunday Oct 21st. The same server also hosts the typical shell script we have come to expect from multiplatform IoT malware:

While the botnet comes with all the typical indicators of Yet-Another-Mirai-Botnet, a closer look at the binaries revealed them to be different enough to warrant continuing the investigation.

DemonBot v1 – © Self-Rep-NeTiS

The reversing of the unstripped ‘bash’ binary revealed some unfamiliar function names and an atypical string which provided a unique fingerprint for the botnet code:

Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’. Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.

Both DemonBot.c and DemonCNC.c had an identical signature:

DemonCNC

The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:

  • A bot command and control listener service – allowing bots to register and listen for new commands from the C2
  • A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet

Starting the C2 service requires 3 arguments: a bot listener port, the number of threads and a port for the remote access CLI.

Credentials for remote users are stored in a plain text file ‘login.txt’ in the format “username password” using one line per credential pair.

Upon connecting to the remote access CLI (port 8025 in our demo setup) using telnet, the botnet greets us and asks for a username followed by a password prompt. If the provided credentials match one of the lines in the login.txt file, the user is given access to the bot control interface.

The HELP command reveals the botnet commands which will be discussed below in the section about DemonBot itself.

DemonBot

DemonBot is the program that is supposed to run on infected servers; it connects to the command and control server and listens for new commands.

When a new DemonBot is started, it connects to the C2 server, whose IP and port are hardcoded. If no port was specified for the C2 server, the default port 6982 is used. The C2 connection is plain text TCP.

Once successfully connected, DemonBot sends information about the infected device to the C2 server in the format:

  • Bot_ip: the public IP address of the device or server infected with DemonBot.
  • Port: either 22 or 23, depending on the availability of Python or Perl and telnetd on the device/server.
  • Build: “Python Device”, “Perl Device”, “Telnet Device” or “Unknown”, depending on the availability of a Python or Perl interpreter on the device/server.
  • Arch: the architecture, determined at build time by which binary executes on the compromised platform. Supported values for Arch are: x86_64 | x86_32 | Arm4 | Arm5 | Arm6 | Arm7 | Mips | Mipsel | Sh4 (SuperH) | Ppc (PowerPC) | spc (Sparc) | M68k | Arc.
  • OS: limited identification of the host OS running the bot, based on package installer configuration files. The value is either “Debian Based Device”, “REHL Based Device” or “Unknown OS”.

Malicious payloads

The bot supports the following commands:

If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP.

The <spoofit> argument works as a netmask. If spoofit is set to 32, the bot’s source IP is not spoofed. If spoofit is set to a number less than 32, a random IP within the bot_ip/<spoofit> network is generated every <pollinterval> packets:
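The netmask semantics of <spoofit> decide whether source-address filtering on the cloud provider's edge can stop the flood: every spoofed source lies inside bot_ip/<spoofit>, so an egress filter that only forwards sources within the block actually assigned to the server drops everything outside that block. The Python below is an added illustration of that arithmetic, not DemonBot's code; the addresses are constructed documentation-range values.

```python
import ipaddress


def spoof_space(bot_ip: str, spoofit: int) -> ipaddress.IPv4Network:
    """The bot_ip/<spoofit> block from which spoofed sources are drawn.
    spoofit == 32 collapses to the bot's own address, i.e. no spoofing."""
    if not 0 <= spoofit <= 32:
        raise ValueError("spoofit is a prefix length between 0 and 32")
    return ipaddress.ip_network(f"{bot_ip}/{spoofit}", strict=False)


def candidate_sources(bot_ip: str, spoofit: int) -> int:
    """Number of distinct source addresses the flood can carry."""
    return spoof_space(bot_ip, spoofit).num_addresses


def fraction_blocked(bot_ip: str, spoofit: int, allowed_prefix: str) -> float:
    """Share of the candidate sources that a BCP 38-style egress filter drops
    when it only forwards packets whose source lies in allowed_prefix, the
    block really assigned to the infected server."""
    space = spoof_space(bot_ip, spoofit)
    allowed = ipaddress.ip_network(allowed_prefix, strict=False)
    if ipaddress.ip_address(bot_ip) not in allowed:
        raise ValueError("bot_ip must be inside the block the filter permits")
    # Both blocks contain bot_ip, so one nests inside the other and the
    # permitted part of the spoof space is simply the smaller of the two.
    permitted = min(space.num_addresses, allowed.num_addresses)
    return 1.0 - permitted / space.num_addresses


if __name__ == "__main__":
    # Constructed example: server 203.0.113.77 inside a tenant /24.
    for spoofit in (32, 24, 16):
        print(spoofit, candidate_sources("203.0.113.77", spoofit),
              fraction_blocked("203.0.113.77", spoofit, "203.0.113.0/24"))
```

A filter at /24 granularity passes every packet when spoofit is 24 or larger, which is why per-host (/32) source validation at the hypervisor or top-of-rack switch is the setting that actually neutralises the spoofing.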

Fixed payload used by the STD UDP attack:

IOC


Read the “IoT Attack Handbook – A Field Guide to Understanding IoT Attacks from the Mirai Botnet and its Modern Variants” to learn more.

As the Director, Threat Intelligence for Radware, Pascal helps execute the company's thought leadership on today’s security threat landscape. Pascal brings over two decades of experience in many aspects of Information Technology and holds a degree in Civil Engineering from the Free University of Brussels. As part of the Radware Security Research team Pascal develops and maintains the IoT honeypots and actively researches IoT malware. Pascal discovered and reported on BrickerBot, did extensive research on Hajime and follows closely new developments of threats in the IoT space and the applications of AI in cyber security and hacking. Prior to Radware, Pascal was a consulting engineer for Juniper working with the largest EMEA cloud and service providers on their SDN/NFV and data center automation strategies. As an independent consultant, Pascal became skilled in several programming languages and designed industrial sensor networks, automated and developed PLC systems, and led security infrastructure and software auditing projects. At the start of his career, he was a support engineer for IBM's Parallel System Support Program on AIX and a regular teacher and presenter at global IBM conferences on the topics of AIX kernel development and Perl scripting.

COMMENTS

  1. […] First spotted in its infancy in honeypot data by a researcher from NewSky Security, the botnet has since matured and grown. Whereas the botnet initially consisted of a few command and control servers, Radware now explains in an alert published today that the botnet has grown to more than 70 servers. […]

  2. […] Exploiting the Hadoop YARN vulnerability is relatively simple; this command injection vulnerability allows an attacker to execute arbitrary shell commands. Last month, another cybersecurity company, Radware, found this vulnerability being used to install the DemonBot DDoS bot. In many ways, this vulnerability resembles other vulnerabilities that Netcout found in IoT devices. For example, CVE-2014-8361 (a vulnerability in Realtek’s UPnP SOAP interface) can likewise be exploited by sending an HTTP request with specific parameters to a particular port to induce the execution of shell commands, and that vulnerability has also been used to deliver Mirai variants. […]
