Endpoint Security , Internet of Things Security
Novel Botnet Dubbed 'Zerobot' Targets Slew of IoT Devices
Zerobot Operators Quickly Updated Malware With Propagation Exploit, Says FortinetA novel botnet is taking advantage of vulnerabilities in a slew of networking equipment and networked cameras with an emphasis on equipment manufactured in East Asia.
See Also: Frost Radar™ on Healthcare IoT Security in the United States
Among the targeted devices are three types of Totolink-brand routers made by Hong Kong-based Zioncom and a variety of cameras made by China-based Hikvision. The botnet, dubbed Zerobot by cybersecurity firm Fortinet, also uses a vulnerability identified in thermal sensor cameras made by U.S.-based Teledyne FLIR.
Zerobot also exploits software vulnerabilities including Spring4Shell, a flaw in the widely used open-source Java application Spring Framework platform, boosting the botnet's chances of success. Spring's parent, VMWare, issued a patch in March.
In all, the botnet exploits 21 separate vulnerabilities. Its operators appear to have purchased two of them from 0day.today - a website purportedly for educational purposes that sells exploits for cryptocurrency.
Once Zerobot infects a device, it downloads a script for further propagation, Fortinet writes. The company first observed the botnet on Nov. 18, when it contained only basic functions. Botnet operators updated the malware on Nov. 24 to include the self-propagation module.
"Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make it harder to detect and give it a higher capability to infect more devices," wrote Cara Lin, a Fortinet researcher.
Researchers chose the name Zerobot based on how the botnet saves itself on infected devices using the filename zero
.
How It Works
After infection, Zerobot copies itself on Windows devices to the Startup folder with the filename FireWall.exe
. Linux has three file paths: %HOME%
, /etc/init/
and /lib/systemd/system/
.
After initialization, Zerobot uses the WebSocket IP protocol to reach its command-and-control server. The commands include:
- ping: Heartbeat, maintaining the connection;
- attack: Launch attack for different protocols: TCP, UDP, TLS, HTTP and ICMP;
- stop: Stop attack;
- update: Install update and restart Zerobot;
- enable_scan: Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker;
- disable_scan: Disable scanning;
- command: Running OS command cmd on Windows and bash on Linux;
- kill: Kill botnet program.
To prevent users from disrupting the Zerobot program, it sets up an AntiKill module that intercepts any signal sent to terminate the process.