Enemybot is a new botnet that is conducting DDoS (Distributed Denial of Service) attacks on routers and websites. It targets devices running on ARM, BSD, x64, x86 and other architectures by exploiting known vulnerabilities. Enemybot was identified by FortiGuard Labs in mid-March.
This botnet is mostly based on the source code of Gafgyt, but it has been reported to borrow several modules from Mirai's original source code. To avoid detection, Enemybot employs a number of obfuscation techniques and hides its command-and-control (C2) server on the Tor network. The Enemybot botnet spreads to and attacks other IoT devices through a variety of tactics. It attempts to gain access to systems with weak or default credentials by logging into devices with a list of hardcoded username/password combinations. By running shell commands, the bot also attempts to infect misconfigured Android devices that expose the Android Debug Bridge port (5555). Enemybot has been observed infecting Seowon Intech and D-Link routers as well as abusing a previously disclosed iRZ router vulnerability.
The bot leverages a number of known and previously disclosed vulnerabilities, including:
- CVE-2020-17456: SEOWON INTECH SLC-130 and SLR-120S routers.
- CVE-2018-10823: older D-Link routers.
- CVE-2022-27226: iRZ mobile routers.
- CVE-2022-25075 to 25084: TOTOLINK routers, previously exploited by the Beastmode botnet.
- CVE-2021-41773/CVE-2021-42013: Apache HTTP servers.
- CVE-2018-20062: the ThinkPHP CMS.
- CVE-2017-18368: Zyxel P660HN routers.
- CVE-2016-6277: NETGEAR routers.
- CVE-2015-2051: D-Link routers.
- CVE-2014-9118: Zhone routers.
Once one of these vulnerabilities has been exploited, the bot uses a shell command to download a shell script from a URL that the C2 server can update dynamically (the LDSERVER command below). The script then downloads the actual Enemybot binary, built for the target device's architecture. If the download server goes down, the botnet operators can point the bot clients at a new URL. Once installed on a device, the bot connects to its C2 server and waits for commands.
Although the majority of the commands relate to DDoS attacks, the malware is not limited to them. Fortinet lists the following set of supported commands:
- ADNS: Perform a DNS amplification attack.
- ARK: Attack ARK (ARK: Survival Evolved) game servers.
- BLACKNURSE: Flood the target with ICMP "destination port unreachable" packets.
- DNS: Flood hardcoded DNS servers with DNS UDP requests.
- HOLD: Flood the target with TCP connections and hold them open for a set period of time.
- HTTP: Flood the target with HTTP requests.
- JUNK: Flood the target with non-zero-byte UDP packets at random intervals.
- OVH: Send custom UDP packets to OVH servers.
- STD: Flood the target with random-byte UDP packets.
- TCP: Flood the target with TCP packets with spoofed source headers.
- TLS: Carry out an SSL/TLS attack.
- UDP: Send UDP packets with spoofed source headers to the target.
- OVERTCP: Launch a TCP attack with randomized packet delivery intervals.
- STOP: Stop ongoing DoS attacks.
- LDSERVER: Update the exploit payload download server.
- SCANNER: Spread to additional devices via SSH/Telnet brute-force attacks and vulnerability exploitation.
- TCPOFF/TCPON: Turn the sniffer off or on for ports 80, 21, 25, 666, 1337 and 8080, potentially to gather credentials.
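The SCANNER command and the hardcoded credential list described above leave a recognisable trace on the victim side: many failed logins from one source, spread across several usernames, in a short period. The following detector is an added example (not code from the article or from Fortinet) that runs over a constructed sample of OpenSSH auth log lines; the log format, the `sshd` source, the 2022 year and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log (not from the article); the year is assumed below.
SAMPLE_LOG = """\
Apr 12 10:00:01 router sshd[311]: Failed password for root from 203.0.113.7 port 41022 ssh2
Apr 12 10:00:02 router sshd[312]: Failed password for admin from 203.0.113.7 port 41023 ssh2
Apr 12 10:00:02 router sshd[313]: Failed password for invalid user support from 203.0.113.7 port 41024 ssh2
Apr 12 10:00:03 router sshd[314]: Failed password for invalid user user from 203.0.113.7 port 41025 ssh2
Apr 12 10:00:04 router sshd[315]: Failed password for root from 203.0.113.7 port 41026 ssh2
Apr 12 10:00:09 router sshd[316]: Failed password for root from 203.0.113.7 port 41027 ssh2
Apr 12 10:05:00 router sshd[400]: Failed password for alice from 198.51.100.4 port 50000 ssh2
Apr 12 10:30:00 router sshd[401]: Failed password for alice from 198.51.100.4 port 50001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)

def parse_failures(log_text, year=2022):
    """Yield (timestamp, source_ip, username) for each failed-login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["src"], m["user"]

def find_bruteforce(log_text, threshold=5, window_s=60, min_users=3):
    """Return {source_ip: (failures, distinct_users)} for sources whose failures
    in some window_s-second window reach threshold across min_users usernames:
    credential-list behaviour, not one person mistyping a password."""
    by_src = defaultdict(list)
    for ts, src, user in parse_failures(log_text):
        by_src[src].append((ts, user))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding window over time-ordered events
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            count = end - start + 1
            if count >= threshold and len(users) >= min_users:
                alerts[src] = max(alerts.get(src, (0, 0)), (count, len(users)))
    return alerts
```

The distinct-username condition is what separates the hardcoded-list behaviour from a legitimate user retrying one account, so the second source in the sample is not flagged.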
Preventing Botnet Attacks
Always apply the latest available software and firmware updates for your product to prevent Enemybot or any other botnet from infecting your devices and recruiting them into malicious DDoS botnets.
Common signs that a router may be infected with botnet malware are that it becomes unresponsive, internet speeds drop, and the device runs hotter than usual. In such a scenario, you should restart the router and change its passwords. It is also advisable to engage specialized cyber-security professionals to find and remove the infection.
Centex Technologies provide state-of-the-art cybersecurity and network security solutions for businesses. To know more, contact Centex Technologies at Killeen (254) 213-4740, Dallas (972) 375-9654, Atlanta (404) 994-5074, and Austin (512) 956-5454.
A malware bot is a type of malware that takes control of the infected machine once the infection has spread through the system. It acts on the instructions given by its controller, i.e. the malware writer. Following are some of the most commonly asked questions about malware botnets:
- What Actions Does A Malware Bot Perform?
A malware bot can perform numerous tasks, such as:
- Spying & tracking
- Sending spam, hosting command servers, working as proxies and performing other malicious activities
- Accessing corporate resources & hijacking
- Stealing confidential information, documents, credentials, etc.
- Bitcoin mining
- Web browsing
- Do All Malware Bots Perform The Same Actions?
A bot can perform all of the above actions; however, there are two types of malware actions that a malware bot does not perform, not because it is incapable of doing so but because they make little business sense. The two are:
- Actions That Impair The Machine: A malware bot cannot work in a damaged environment. When the software environment is damaged, the machine is usually reinstalled, which removes the bot. So a malware bot does not usually perform an action that would stop it from running on the machine.
- Actions That Reveal The Infection: A bot does not want the user to know about its presence on their machine, which is why it operates stealthily. Thus it avoids activities such as modifying browser settings, popping up dialog boxes, etc.
- How Are Botnets Investigated?
When the malware is launched, it reaches malware researchers sooner or later. They capture it through various channels such as malware spam, honeypots, phishing sites, product reports, etc. Once captured, the researchers analyze it in a controlled environment, where it can still receive updates from its controllers.
- How Is A Botnet Controlled?
It is controlled by a computer or a group of computers running a command and control server (C&C server). The server communicates with and sends instructions to the malware bot in a format the bot understands. The server performs numerous functions, such as instructing the bots to schedule or execute a task, keeping track of the number and distribution of bots, and updating the bots by replacing them with a new type of malware.
- Why Do Botnets Emerge?
The main reason malware writers develop, deploy and maintain a botnet is financial gain.
- How To Prevent A Malware Botnet?
Having seen how a malware botnet works, here is how to prevent one:
- Update your operating system regularly.
- Avoid downloading from P2P & file sharing networks.
- Don’t click on suspicious attachments & links.
- Install good antivirus software.
- Follow good surfing habits.
For more information, call Centex Technologies at (254) 213-4740.