Operators behind the DemonBot botnet target an unauthenticated remote command execution in Hadoop YARN (Yet Another Resource Negotiator).
DemonBot bot only infects central servers, at the time of the report experts found over 70 active exploit servers spreading the malware and targeting systems at an aggregated rate of over 1 million exploits per day.
“DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day.” reads the analysis published by Radware.
“Note that though we did not find any evidence that DemonBot is actively targeting IoT devices at this time, Demonbot is not limited to x86 Hadoop servers and is binary compatible with most known IoT devices, following the Mirai build principles.”
Even if the binary is compatible with most known Internet of Things (IoT) devices, the bot was not observed targeting smart objects until now.
Experts investigating the botnet discovered that the malware author had actually published the source code for the bot on Pastebin at the end of September.
“Searching through pastebin archives soon revealed a unique match on a document that was pasted on Sept 29th by an actor going by the alias of Self-Rep-NeTiS. The paste contained the full source code for a botnet which the actor dubbed ‘DemonBot’.” reads the report.
“Further searches through the archives revealed the source code for the Command and Control server DemonCNC and the Python Build script for the multi-platform bots.”
The DemonBot C&C server provides two services:
When the malicious code is started, it connects in plain text TCP to the C&C server, IP address and port are hardcoded (default port 6982).
The malware first collects information on the system (IP address, port number (22 or 23, depending on the availability of Python or Perl and telnetd on the server)), then send them to C2.
The operators can send the bot the following commands:
wThe commands also include a <spoofit> argument that works as a netmask, it allows to spoof the bot’s source IP if the spoofit number is set to less than 32.
Further details, including IoCs, are reported in the analysis published by Radware.