Due to Misconfigured Component: DemonBot Malware Infects Multiple Apache Hadoop Servers

DDoS (Denial of Service Attack) malware have been wreaking havoc to online services on a fairly regular basis these days. Since last month, some Apache Hadoop servers have been observed of being infected by a DDoS botnet, DemonBot. The Botnet’s command and control servers are highly active and still online at the time of this writing. In its current status, the command and control servers operating DemonBot has grown to 70 servers, according to Radware, a cybersecurity consulting firm.

“DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles,” explained Pascal Geenens, Radware’s Cybersecurity Evangelist.

The existence of a misconfigured YARN in Hadoop servers is the primary channel which is exploited by DemonBot to penetrate the security protocols. Yet Another Resource Negotiator is a vital component of Apache Hadoop as a data processing protocol. Unpatched YARN module on Hadoop servers is vulnerable to DemonBot infection.

“DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands. When a new DemonBot is started, it connects to the C2 server which is hardcoded with IP and port. If no port was specified for the C2 server the default port 6982 is used. The C2 connection is plain text TCP. If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP. The <spoofit> argument works as a netmask. If spoofit is set to 32, there is no spoofing of the bot’s source IP. If spoofit is set to a number less than 32, a random IP is generated within the bot_ip/<spoofit> network every <pollinterval> packets,” added Geenens.

It took two full years before certain malware has taken advantage of the YARN misconfiguration. “Unfortunately, we have no count on actual bots [infected Hadoop servers]. Bots are not scanning and exploiting, so they do not generate noise [traffic] which we can detect and map out,” concluded Geenens. As DemonBot becomes known to many antimalware solutions and threat detection systems, its effects will be diminished and the industry is set to lessen its DDoS effects soon. However, it is not surprising if new malware will take advantage of dormant vulnerabilities on any exposed servers on the Internet.

The only defense against future attacks is the investment of system administrators and IT staff with continued training and knowledge enhancement. This will help them become updated of the latest threats happening in the world, in order to prepare for mitigations, if not preventions. End-user education is also a key, as they are the frontlines when it comes to cybersecurity.