
Meet dark_nexus, quite possibly the most potent IoT botnet ever


A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs.

Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a “new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we've seen.” In the three months that Bitdefender has tracked it, dark_nexus has undergone 30 version updates, as its developer has steadily added more features and capabilities.

Significantly more potent

The malware has infected at least 1,372 devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, D-Link, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues.

Referring to other IoT botnets, the researchers wrote in a report: “Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust.”

The botnet has propagated both by guessing common administrator passwords and by exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs, including:

  • arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
  • arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
  • arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
  • arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
  • mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
  • mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
  • i586: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
  • x86: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
  • spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
  • m68k: ELF 32-bit MSB executable, Motorola m68k, 68020, version 1 (SYSV), statically linked, stripped
  • ppc: ELF 32-bit MSB executable, PowerPC or cisco 4500, version 1 (GNU/Linux), statically linked, stripped
  • arc: ?
  • sh4: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linked, stripped
  • rce: ?

Bitdefender's report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures.
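The descriptions in the list above are `file`-style readings of each sample's ELF header: class (32/64-bit), byte order (LSB/MSB), e_machine, and the ARM EABI or MIPS ISA bits of e_flags, with the OSABI byte in parentheses. The decoder below is an added example, not Bitdefender's tooling or anything from the report; it reproduces that part of the description from the 52- or 64-byte header alone (the trailing "statically linked, stripped" needs program and section headers and is not reproduced). The sample headers are constructed inline with the same fields and contain no code.

```python
import struct

# Field encodings from the ELF specification (e_ident bytes and e_type).
ELF_CLASS = {1: "32-bit", 2: "64-bit"}
ELF_DATA = {1: "LSB", 2: "MSB"}
ELF_OSABI = {0: "SYSV", 3: "GNU/Linux", 97: "ARM"}
ELF_TYPE = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}

# e_machine values covering the architectures named in the list above.
ELF_MACHINE = {
    2: "SPARC", 3: "Intel 80386", 4: "Motorola m68k", 8: "MIPS", 20: "PowerPC",
    40: "ARM", 42: "Renesas SH", 45: "ARC", 62: "x86-64", 93: "ARC Compact",
}

# MIPS ISA level encoded in the top nibble of e_flags (EF_MIPS_ARCH).
MIPS_ISA = {0: "I", 1: "II", 2: "III", 3: "IV", 4: "V", 5: "32", 6: "64", 7: "32r2", 8: "64r2"}


def _arch_detail(e_machine, e_flags):
    """Decode the architecture-specific e_flags bits that `file` prints."""
    if e_machine == 40:                      # ARM: EABI version in the top byte of e_flags
        eabi = e_flags >> 24
        return f"EABI{eabi}" if eabi else ""
    if e_machine == 8:                       # MIPS: ISA level in the top nibble of e_flags
        isa = MIPS_ISA.get(e_flags >> 28)
        return f"MIPS-{isa}" if isa else ""
    return ""


def describe_elf(data):
    """Return a `file`-style description built only from the ELF header bytes."""
    if len(data) < 16 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    cls, order, osabi = data[4], data[5], data[7]
    if cls not in ELF_CLASS or order not in ELF_DATA:
        raise ValueError("unknown ELF class or byte order")
    end = "<" if order == 1 else ">"
    # e_flags follows e_entry/e_phoff/e_shoff, which are 4 bytes each (ELF32) or 8 (ELF64)
    flags_off = 36 if cls == 1 else 48
    if len(data) < flags_off + 4:
        raise ValueError("truncated ELF header")
    e_type, e_machine, e_version = struct.unpack_from(end + "HHI", data, 16)
    (e_flags,) = struct.unpack_from(end + "I", data, flags_off)
    detail = _arch_detail(e_machine, e_flags)
    osabi_name = ELF_OSABI.get(osabi, f"OSABI {osabi}")
    machine = ELF_MACHINE.get(e_machine, f"unknown machine 0x{e_machine:x}")
    etype = ELF_TYPE.get(e_type, f"type {e_type}")
    tail = (detail + " " if detail else "") + f"version {e_version} ({osabi_name})"
    return f"ELF {ELF_CLASS[cls]} {ELF_DATA[order]} {etype}, {machine}, {tail}"


def make_header(cls, order, osabi, e_type, e_machine, e_flags=0):
    """Build a constructed ELF header (header only, no code) with the given fields."""
    end = "<" if order == 1 else ">"
    ident = b"\x7fELF" + bytes([cls, order, 1, osabi, 0]) + b"\x00" * 7
    hdr = ident + struct.pack(end + "HHI", e_type, e_machine, 1)
    addr = "III" if cls == 1 else "QQQ"              # e_entry, e_phoff, e_shoff
    hdr += struct.pack(end + addr, 0, 0, 0)
    hdr += struct.pack(end + "I", e_flags)
    hdr += struct.pack(end + "HHHHHH", 52 if cls == 1 else 64, 0, 0, 0, 0, 0)
    return hdr


# Constructed headers mirroring four entries of the list above (not real samples).
SAMPLES = {
    "arm":  make_header(1, 1, 97, 2, 40),             # OSABI 97 prints as "(ARM)"
    "arm7": make_header(1, 1, 3, 2, 40, 0x04000000),  # EF_ARM_EABI_VER4, OSABI GNU/Linux
    "mips": make_header(1, 2, 0, 2, 8),               # big-endian MIPS-I
    "x86":  make_header(2, 1, 0, 2, 62),              # ELF64 x86-64
}


def triage(samples):
    """Map each sample name to its header-derived description."""
    return {name: describe_elf(blob) for name, blob in samples.items()}


if __name__ == "__main__":
    for name, desc in triage(SAMPLES).items():
        print(f"{name}: {desc}")
```

Running it against real files is a matter of passing the first 64 bytes of each to `describe_elf`; an incident responder can use the same check to sort a directory of downloaded payloads by target architecture before spinning up the matching emulator.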

The primary purpose of dark_nexus is to perform distributed denial-of-service attacks that take websites and other online services offline by flooding them with more junk traffic than they can handle. To make these assaults more effective, the malware has a mechanism that makes malicious traffic appear to be benign data sent by Web browsers.

Another advanced feature in dark_nexus gives the malware “supremacy” over any other malware that may be installed on compromised devices. The supremacy mechanism uses a scoring system to assess the trustworthiness of various processes running on a device. Processes that are known to be benign are automatically whitelisted.

Unrecognized processes receive scores for certain types of traits. For example, a process that was deleted while running—a behavior that's common with malicious code—receives a score of 90. Executables in directories such as “/tmp/,” “/var/,” or “/dev/”—another telltale sign of malware—receive a score of 90. Other traits receive from 10 to 90 points. Any process that receives 100 points or more is automatically killed.
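The same two traits (a binary unlinked while its process keeps running, and an executable living under /tmp, /var or /dev) are standard hunting signals on Linux-based IoT devices, and the additive score with a threshold of 100 is easy to turn into a read-only check. The script below is an added example written for that defender's use, not dark_nexus code or Bitdefender's tooling: it reports processes that would cross the threshold instead of killing them. The whitelist, the 10-point "wiped command line" trait and the sample process records are this example's own assumptions; the article does not list the malware's whitelist or its remaining traits.

```python
import os
from dataclasses import dataclass

# Weights for the two traits and the 100-point threshold come from the article;
# the whitelist and the 10-point command-line trait are assumptions for this example.
FLAG_THRESHOLD = 100
SUSPECT_DIRS = ("/tmp/", "/var/", "/dev/")
WHITELIST = {"init", "busybox", "dropbear", "sshd", "httpd", "watchdog"}


@dataclass
class ProcInfo:
    pid: int
    name: str      # contents of /proc/<pid>/comm
    exe: str       # target of /proc/<pid>/exe; the kernel appends " (deleted)" if unlinked
    cmdline: str   # /proc/<pid>/cmdline with NULs replaced by spaces


def score_process(p):
    """Return (score, reasons). Whitelisted names score 0 regardless of traits."""
    if p.name in WHITELIST:
        return 0, ["whitelisted"]
    score, reasons = 0, []
    if p.exe.endswith(" (deleted)"):
        score += 90
        reasons.append("binary deleted while running (+90)")
    if p.exe.startswith(SUSPECT_DIRS):
        score += 90
        reasons.append("executable under /tmp, /var or /dev (+90)")
    if len(p.cmdline.strip()) <= 1:          # assumed low-weight trait: argv wiped or empty
        score += 10
        reasons.append("empty or wiped command line (+10)")
    return score, reasons


def flag_processes(procs, threshold=FLAG_THRESHOLD):
    """Report every process at or above the threshold; nothing is killed."""
    flagged = []
    for p in procs:
        score, reasons = score_process(p)
        if score >= threshold:
            flagged.append((p.pid, score, reasons))
    return flagged


def collect_from_proc():
    """Linux only: build ProcInfo records from /proc, skipping entries we cannot read."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                name = f.read().strip()
            exe = os.readlink(f"/proc/{entry}/exe")
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\x00", b" ").decode(errors="replace")
        except OSError:
            continue
        procs.append(ProcInfo(int(entry), name, exe, cmdline))
    return procs


# Constructed process records standing in for a /proc snapshot of a small router.
SAMPLE_PROCS = [
    ProcInfo(1, "init", "/sbin/init", "init"),
    ProcInfo(812, "dropbear", "/usr/sbin/dropbear", "dropbear -p 22"),
    ProcInfo(2048, "ntpclient", "/var/ntpclient", "ntpclient -h pool.example"),  # one trait only
    ProcInfo(1337, "x", "/tmp/.x (deleted)", ""),                                # all three traits
]


if __name__ == "__main__":
    for pid, score, reasons in flag_processes(SAMPLE_PROCS):
        print(pid, score, "; ".join(reasons))
```

Note how the `ntpclient` record scores 90 from its location alone and stays below the threshold, while the deleted binary under /tmp accumulates 190: a single trait is a lead for a human, and only the combination triggers the report. On a live device, `flag_processes(collect_from_proc())` runs the check over real processes.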

Dark_nexus can also kill restart processes, a feature that keeps the malware running for longer on a device, since most IoT malware can't survive a reboot. To make infections stealthier, developers use already compromised devices to deliver exploits and