Kathleen Martin
Guest
The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is, in their own attack campaigns.
Researchers at AT&T Alien Labs first spotted the malware last November and named it "BotenaGo." The malware is written in Go — a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.
BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year, when it first spotted the malware, showed BotenaGo using two different methods to receive commands for targeting victims. One involved two backdoor ports for listening to and receiving the IP addresses of target devices; the other involved setting a listener on system I/O (user input) and receiving target information through it.
Researchers at Alien Labs discovered that while the malware is designed to receive commands from a remote server, it does not have any active command-and-control communication. This led the security vendor to surmise at the time that BotenaGo was part of a broader malware suite and likely one of multiple tools in an infection chain. The security vendor also found that BotenaGo's payload links were similar to the ones used by the operators of the infamous Mirai botnet malware. This led Alien Labs to theorize that BotenaGo was a new tool that the operators of Mirai are using to target specific machines that are known to them.
IoT Devices and Routers Hit
For reasons that are unclear, the unknown author of the malware recently made BotenaGo's source code publicly available through GitHub. The move could result in a significant increase in BotenaGo variants as other malware authors use and adapt the source code for their specific purposes and attack campaigns, Alien Labs said in a blog this week. The company said it has observed new samples of BotenaGo surface and being used to spread Mirai botnet malware on IoT devices and routers. One of BotenaGo's payload servers is also on the list of indicators of compromise for the recently discovered Log4j vulnerabilities.
The BotenaGo malware consists of just 2,891 lines of code, making it a potentially good starting point for several new variants. The fact that it comes packed with exploits for more than 30 vulnerabilities in multiple routers and IoT devices is another factor that malware authors are likely to consider appealing. The many vulnerabilities that BotenaGo can exploit include CVE-2015-2051 in certain D-Link wireless routers, CVE-2016-1555 impacting Netgear products, CVE-2013-3307 on Linksys devices, and CVE-2014-2321 that impacts certain ZTE cable modem models.
Continue reading: https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-uploaded-to-github