New Botnet That Targets Cloud Servers for DDoS Attacks
Bad news for those who use Hadoop for data analytics…there’s a new botnet out there that’s targeting Hadoop clusters seeking to perform DDoS attacks. (Hadoop, which is an open source distributed processing framework, allows for the distributed processing of large data sets across clusters of computers using simple programming models).
The new, unsophisticated Linux-based botnet is dubbed DemonBot and is being monitored by researchers at Radware Threat Research Center’.
A blog post by the Radware research team discusses the issue in detail; the blog post says, “Radware Threat Research Center is monitoring and tracking a malicious agent that is leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters with an unsophisticated new bot that identifies itself as DemonBot.”
The Radware research team has pointed out that this malware doesn’t exhibit worm-like behavior that’s shown by Mirai-based bots and it spreads only via central servers. The Radware blog post, dated October 25, 2018, explains, “As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day. Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.”
Demonbot’s C&C service is described as “a self-contained C program that is supposed to run on a central command and control server”, which provides two services, namely a bot command and control listener service and a remote access CLI. While the former allows bots to register and listen for new commands from the C2, the latter allows botnet admins and potential ‘customers’ to control the activity of the botnet.
Threats that seek to exploit vulnerabilities that exist in the clouds are now very rampant; in fact, the number of such threats goes on increasing. Moreover, this is not the first time that cloud servers have been targeted. The Radware blog post says, “It is not the first time that cloud infrastructure servers have been targeted. Earlier this month Security Researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop Yarn bug in a Sora botnet variant. Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices.”
To be specially noted is the fact that DemonBot is not limited to infecting Hadoop servers, it’s code shows that it’s also binary compatible with most IoT devices, following the Mirai build principles. Anyhow, there is no evidence which shows that DemonBot is targeting IoT devices.