Security researchers have found a new botnet that uses flaws connected to the Satori botnet and uses hosting services running multiplayer versions of Grand Theft Auto to infect IoT devices.
According to a blog post by Radware researcher Pascal Geenens, the botnet uses the vulnerabilities CVE-2014-8361 and CVE-2017-17215, which affect certain Huawei and Realtek routers.
Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”
Geenens said the malware also uses similar techniques as seen in the recently discovered PureMasuta, which had its source code published in an invite-only dark forum as of late.
“Our investigation led us to a C2 server hosted under the domain ‘sancalvicie.com' of which the site provides GTA San Andreas Multi-Player mod servers with DDoS Services on the side,” he said.
One service is called Corriente Divina (“divine stream”) and described as “God's wrath will be employed against the IP that you provide us.” It provides a DDoS service with a guaranteed bandwidth of 90-100Gbps and attack vectors including Valve Source Engine Query and 32bytes floods, TS3 scripts and a “Down OVH” option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016, according to Geenens.
A short time later, Geenens returned to the site and discovered that the DDoS attack service description had changed with an “upgrade” of services to a guaranteed DDoS volume of 290-300Gbps.
This San Calvicie-hosted botnet is “untypical” for IoT botnets Geenens has seen as it uses servers to perform the scanning and the exploits.
“Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims. This distributed scanning provides for an exponential growth of the botnet but comes at the price of flexibility and sophistication of the malware itself,” he said.
Geenens said that unless someone frequently plays GTA San Andreas, people will probably not be directly impacted.
“There is nothing that stops one from using the cheap US$ 20 (£14) per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it,” he added.
Since the discovery, some European providers took down the exploit servers hosted in their datacenters but there are active servers still operational. He warned that JenX can be easily concealed and hardened against takedowns.
“As they opted for a central scan and exploit paradigm, the hackers can easily move their exploit operations to bulletproof hosting providers who provide anonymous VPS and dedicated servers from offshore zones,” he said. “These providers do not care about abuse. Some are even providing hosting services from the Darknet. If the exploit servers would be move to the Darknet, it would make it much more difficult to track down the servers' location and take them down.”
Tony Hart, chief architect at Corero Network Security told SC Media UK that this new JenX Botnet is a standard variant of the Mirai/Satori virus with one major difference and that is that it does not self-propagate and is able to recruit new Botnet members through central services.
“This botnet is designed to specifically target gaming providers and is leveraging two known vulnerabilities. Hackers are offering this botnet as DDoS service with a guaranteed bandwidth of 290 to 300 Gbps so anyone can easily buy the services and add any other payloads for maximum impact,” he said.
David Kennerley, director of threat research, Webroot, told SC Media UK that if JenX has the capabilities it boasts then it has the potential to cause havoc upon being directed towards any target entity.
“Every botnet has the potential to stop employees reaching the internet and/or stopping customers from visiting a merchant's site. Botnets primary goal is disruption, whether for perceived revenge upon a person or organisation or for blackmail purposes. Within industry it's usually about costing the target money,” he said.
“There are two sides to protection. The first is making sure your equipment doesn't become part of the botnet. Keep all devices, especially those “set up and forget” IoT devices, up-to-date and keep abreast of the latest vulnerabilities reported. Importantly, understand which devices need to be internet facing, and correctly configure defensive equipment, like firewalls, and actively monitor all aspects of your IT setup.”
Adam Brown, manager – security solutions at Synopsys, told SC Media UK that IoT software like any other software needs a software security initiative as part of the development cycle making software secure by design. “Surely the future will see IoT device certification, much as we have for hardware today with the addition of a software focus,” he said.
