FacebookTwitterLinkedIn

New Roboto Botnet Turning Linux Servers into Zombies

Karolis Liucveikis Written by on

When asked to think of a botnet, any botnet, many researchers and journalists will list Emotet. The botnet is, without doubt, one of the more dangerous Botnets seen in recent memory. Been used to distribute the Ryuk ransomware will most certainly grab headlines and the attention of those who made cybersecurity their careers. A new botnet recently discovered, called Roboto, will also look to dominate headlines in the near future. Not for features it boasts but rather the network infrastructure behind it.

Typically in the past Botnets were seen as a collection of internet-connected devices turned into bots by malware to run DDoS attacks, steal data, and send spam. Newer botnets can also be seen distributing other forms of malware, like in the case of Emotet. Traditionally, most botnet operations have been associated with carrying out DDoS attacks, however, as hackers saw that their botnets could be used for other purposes they looked to add a raft of features to run multiple applications.

Roboto appears to have first become active of the past summer and targets Linux servers running Webmin, in particular, unpatched versions of Webmin still vulnerable to CVE-2019-15107. Webmin is a popular web-based application used by system administrators to manage remote Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers. The vulnerability when exploited would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.

roboto botnet attacking linux servers

Soon after the vulnerability was disclosed did hackers begin to try and exploit the flaw. At the time of the disclosure, a quick search on Shodan would reveal that nearly 30,000 servers had not patched the software and were still vulnerable. It is important to note that upon disclosure and update patching the flaw was released. Analysis of the flaw deemed that it was easy enough to exploit and given the number of vulnerable devices it was little wonder hackers looked to exploit the flaw. The same methodology in all likelihood prompted the operators of Roboto to begin operations. In a report published by the Netlab team based at Chinese cyber-security vendor Qihoo 360, researchers announced the discovery of Roboto looking to exploit the above-mentioned flaw for the past 3 months or more.

According to the researchers, the Botnet is still under development and primarily focussed on growing in size. Along with the turning of Linux servers running Webmin into so-called zombies, infected devices that could be used at a later stage to carry out attacks. Along with the expansion of infected servers, researchers noted that the code itself has increased in complexity. The complexity in the code appears to be built around the main feature of the code that is the ability to conduct DDoS attacks. The DDoS ability of the botnet has been developed to target several attack vectors. This includes launching attacks via ICMP, HTTP, TCP, and UDP. Over the last three months, the developers have added a number of features which include the capability to:

  • Function as a reverse shell and let the attacker run shell commands on the infected host
  • Collect system, process, and network info from the infected server
  • Upload collected data to a remote server
  • Run Linux system() commands
  • Execute a file downloaded from a remote URL
  • Uninstall itself

Rare P2P Botnet

These added features are not unique to Roboto as many modern botnets carry similar features. The feature is set has come to be the norm amongst modern botnets. Roboto is unique though in one very important aspect. Roboto is what has come to be known as a Peer to Peer (P2P) botnet. This means that the bots are connected across a P2P network allowing for the relay of commands from a central command and control server. Most other botnets rely on connecting bots directly to the command and control server (C&C). In the case of Roboto, most of the infected devices are merely zombies, programmed only to respond to commands but a few of the bots are selected for specialized operations. These bots prop up the P2P network and can scan for other Linux servers running unpatched versions of Webmin. This allows for the further spread of the botnet not completely dependent on instructions from the C&C server.

There are only two other botnets designed with similar infrastructure. Those being Hajime and Hide&Seek. The fear with botnets designed to operate across a P2P network as that they will be very hard to sink by a third party. Only the operators of the botnet can decide when to cease operations. As the botnet is decentralized to a point stopping them may prove to be difficult in the extreme. Hajime has come under constant attack in an attempt to stop it. None have been successful, rather the Botnet has spread at a rate that would have made the Black Death blush. Hajime, on average, infects 40,000 devices a day, with infections peaking at 95,000 a day.

Roboto, by all accounts, is not at the size of Hajime with an exact size still needing to be determined. Given Roboto’s infrastructure, it will be just as hard to stop. Another consideration is the increasing complexity of Roboto. While still primarily a tool to carry out DDoS attacks it may not be long until the botnet is used to distribute ransomware or banking trojans.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

New Removal Guides
Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal

Top Removal Guides
Latest News
Blog