When asked to think of a botnet, any botnet, many researchers and journalists will name Emotet. The botnet is, without doubt, one of the more dangerous botnets seen in recent memory. Having been used to distribute the Ryuk ransomware, it will most certainly grab headlines and the attention of those who have made cybersecurity their careers. A newly discovered botnet, called Roboto, also looks set to dominate headlines in the near future, not for the features it boasts but rather for the network infrastructure behind it.
Typically in the past, botnets were seen as a collection of internet-connected devices turned into bots by malware to run DDoS attacks, steal data, and send spam. Newer botnets can also be seen distributing other forms of malware, as in the case of Emotet. Traditionally, most botnet operations have been associated with carrying out DDoS attacks; however, as hackers saw that their botnets could be used for other purposes, they looked to add a raft of features to run multiple applications.
Roboto appears to have first become active over the past summer and targets Linux servers running Webmin, in particular unpatched versions of Webmin still vulnerable to CVE-2019-15107. Webmin is a popular web-based application used by system administrators to manage remote Unix-based systems, such as Linux, FreeBSD, or OpenBSD servers. The vulnerability, when exploited, would allow a remote attacker to execute malicious commands with root privileges on the machine running Webmin. Once this machine is compromised, an attacker could then use it to launch attacks on the systems managed through Webmin.
Soon after the vulnerability was disclosed, hackers began to try to exploit the flaw. At the time of the disclosure, a quick search on Shodan revealed that nearly 30,000 servers had not patched the software and were still vulnerable. It is important to note that an update patching the flaw was released upon disclosure. Analysis of the flaw deemed it easy enough to exploit, and given the number of vulnerable devices it was little wonder that hackers looked to exploit it. The same reasoning in all likelihood prompted the operators of Roboto to begin operations. In a report published by the Netlab team at Chinese cyber-security vendor Qihoo 360, researchers announced the discovery of Roboto, which has been looking to exploit the above-mentioned flaw for the past three months or more.
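As an added example (not code from the article or from Netlab's report), the following Python audit helps a defender find Webmin instances that still predate the fix for CVE-2019-15107 by reading the `Server: MiniServ/<version>` banner from captured HTTP response headers. The fix release used for comparison and the sample headers are assumptions constructed for the example; confirm the version against the Webmin advisory before relying on it.

```python
"""Audit captured HTTP headers for Webmin builds that predate the CVE-2019-15107 fix.

Added example, not from the article. Assumptions: Webmin's miniserv identifies
itself with a "Server: MiniServ/<version>" header, and FIXED_IN is the release
that shipped the fix (confirm against the vendor advisory).
"""
import re
from typing import Dict, Optional, Tuple

# Assumption: first release carrying the fix; verify against the Webmin advisory.
FIXED_IN = "1.930"

# Matches the banner line anywhere in a raw header block (CRLF or LF separated).
BANNER_RE = re.compile(r"^Server:\s*MiniServ/(\d+(?:\.\d+)*)", re.IGNORECASE | re.MULTILINE)

# Constructed sample responses standing in for headers captured from three hosts.
SAMPLE_HEADERS: Dict[str, str] = {
    "host-a": "HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.890\r\nContent-type: text/html\r\n",
    "host-b": "HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.930\r\n",
    "host-c": "HTTP/1.1 200 OK\r\nServer: nginx\r\n",
}


def parse_webmin_version(headers: str) -> Optional[str]:
    """Return the MiniServ version string from raw response headers, or None if absent."""
    m = BANNER_RE.search(headers)
    return m.group(1) if m else None


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare numerically so that 1.1000 sorts after 1.930 (string compare would not)."""
    return tuple(int(part) for part in version.split("."))


def is_unpatched(version: str, fixed_in: str = FIXED_IN) -> bool:
    """True when the observed build predates the fix release."""
    return version_tuple(version) < version_tuple(fixed_in)


def audit(samples: Dict[str, str]) -> Dict[str, str]:
    """Classify each host: no banner, predates fix (patch it), or at/after fix."""
    report: Dict[str, str] = {}
    for host, headers in samples.items():
        version = parse_webmin_version(headers)
        if version is None:
            report[host] = "no Webmin banner"
        elif is_unpatched(version):
            report[host] = f"Webmin {version}: predates {FIXED_IN}, patch required"
        else:
            report[host] = f"Webmin {version}: at or after fix release"
    return report


if __name__ == "__main__":
    for host, verdict in audit(SAMPLE_HEADERS).items():
        print(f"{host}: {verdict}")
```

A banner check is only an approximation of patch state (administrators can hide or alter the header), so treat a missing banner as "unknown", not "safe".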
According to the researchers, the botnet is still under development and primarily focused on growing in size, turning Linux servers running Webmin into so-called zombies: infected devices that could be used at a later stage to carry out attacks. Along with the expansion of infected servers, researchers noted that the code itself has increased in complexity. The complexity appears to be built around the code's main feature, the ability to conduct DDoS attacks. The DDoS capability has been developed to cover several attack vectors, including attacks via ICMP, HTTP, TCP, and UDP. Over the last three months, the developers have added a number of features which include the capability to:
- Function as a reverse shell and let the attacker run shell commands on the infected host
- Collect system, process, and network info from the infected server
- Upload collected data to a remote server
- Run Linux system() commands
- Execute a file downloaded from a remote URL
- Uninstall itself
Rare P2P Botnet
These added features are not unique to Roboto, as many modern botnets carry similar features; this feature set has come to be the norm amongst modern botnets. Roboto is unique, though, in one very important aspect: it is what has come to be known as a peer-to-peer (P2P) botnet. This means that the bots are connected across a P2P network, allowing commands from a central command and control server to be relayed between bots. Most other botnets rely on connecting bots directly to the command and control (C&C) server. In the case of Roboto, most of the infected devices are merely zombies, programmed only to respond to commands, but a few of the bots are selected for specialized operations. These bots prop up the P2P network and can scan for other Linux servers running unpatched versions of Webmin. This allows the botnet to spread further without being completely dependent on instructions from the C&C server.
There are only two other botnets designed with similar infrastructure: Hajime and Hide&Seek. The fear with botnets designed to operate across a P2P network is that they will be very hard for a third party to sinkhole. Only the operators of the botnet can decide when to cease operations. As the botnet is decentralized to a point, stopping it may prove difficult in the extreme. Hajime has come under constant attack in attempts to stop it. None have been successful; rather, the botnet has spread at a rate that would have made the Black Death blush. Hajime, on average, infects 40,000 devices a day, with infections peaking at 95,000 a day.
Roboto, by all accounts, is not yet the size of Hajime, with its exact size still to be determined. Given Roboto's infrastructure, it will be just as hard to stop. Another consideration is the increasing complexity of Roboto. While still primarily a tool to carry out DDoS attacks, it may not be long until the botnet is used to distribute ransomware or banking trojans.