
Millions of routers and IoT devices at risk from this vulnerability

Profit-driven cybercriminals carry out many types of attacks, and the ones that usually yield the best results for them are ransomware and phishing. Sometimes, individually or as a group, they write malware with the aim of infecting as many devices as possible, and what makes that malware more effective is that it bundles exploits for vulnerabilities in routers and other devices that have not yet been patched. What has happened now, however, is that the source code of malware that already existed has been published. In this article we look at how millions of routers and IoT devices are put at risk by malware source code that has been published on GitHub.

Millions of routers and other devices at risk

According to one security vendor, "BotenaGo" contains exploits for over 30 vulnerabilities in products from multiple vendors and is used to spread the Mirai botnet malware. The authors of this malware, which targets millions of routers and Internet of Things (IoT) devices, have uploaded its source code to GitHub. This means that other criminals can now quickly build new variants of the tool, or use it as it is to run their own campaigns.

Researchers from AT&T Alien Labs were the first to spot this malware and named it BotenaGo. It is written in Go, a programming language that has become quite popular among cybercriminals. In this case it comes packed with exploits for over 30 vulnerabilities affecting many brands, including Linksys, D-Link, NETGEAR, and ZTE.

How this malware works

BotenaGo was designed to execute remote shell commands on systems where a vulnerability has been successfully exploited. Last year an AT&T Alien Labs analysis first found that BotenaGo used two different methods to receive the targets it should attack:

  1. Two backdoors that listen for, and receive, the IP addresses of target devices.
  2. A listener on the system's standard input, through which target information is supplied by the operator.

The researchers also found that, although the malware is designed to receive commands from a remote server, it has no active command-and-control communication of its own. They therefore assumed that BotenaGo was part of a larger malware package and likely one of several tools used in an attack. Moreover, the payload links were found to be similar to those used by the Mirai botnet malware, from which it can be deduced that BotenaGo is probably a new tool of the Mirai operators.

IoT devices and millions of routers affected

The reasons why the BotenaGo source code has been released via GitHub are unclear, but the possible consequences can be estimated. The release of the source code could greatly increase the number of BotenaGo variants, because other malware authors can take the code and adapt it to their own purposes and attack campaigns. This will undoubtedly put millions of routers and IoT devices at risk. The affected vendors will have to work hard to correct the vulnerabilities and release the corresponding updates as soon as possible to protect these devices. Furthermore, one of the BotenaGo payload servers also appears on the indicator-of-compromise list for the recently discovered Log4j vulnerabilities.

The BotenaGo malware itself consists of only 2,891 lines of code, which makes it a convenient starting point for new variants. The fact that it comes packed with exploits for more than 30 vulnerabilities in millions of routers and IoT devices is another factor that malware authors are likely to find attractive. Among the many vulnerabilities that BotenaGo can exploit are:

  • CVE-2015-2051, affecting certain D-Link Wi-Fi routers.
  • CVE-2016-1555, affecting Netgear products.
  • CVE-2013-3307, affecting Linksys devices.
  • CVE-2014-2321, affecting certain ZTE cable modems.

Finally, a worrying fact is that, according to AT&T Alien Labs, only three of the 60 antivirus engines on VirusTotal are currently capable of detecting this malware.
