Alien Labs, the security research unit of the US carrier AT&T, has tracked down malware that uses more than 30 exploits to compromise Internet of Things (IoT) devices and routers. According to the lab's analysis report, this is probably an early beta version of the malware that escaped inadvertently; it also shows signs of a relationship with the Mirai botnet.
In the detailed report the researchers describe the malware's distinguishing features. Its authors wrote it in Google's Go programming language, which is why the analysts named it BotenaGo. They also note that, according to a blog post by Intezer, the use of Go in malware found in the wild has increased by 2,000 percent in recent years.
The malware opens a backdoor on ports 19412 and 31412 and waits there for commands from the botnet operator; it could also be driven by other modules. Who is behind the malware and how many devices have actually been attacked and infected remains unknown.
Detection rates were still poor at the time of publication: 28 of 61 scanners on VirusTotal flagged the sample. Because the payload links resemble those of Mirai, some scanners classify it as a Mirai variant. The AT&T researchers argue, however, that the programming language, the distributed denial-of-service (DDoS) functionality and the attack routines differ, so they treat it as a new malware family.
Course of the infection
The report then details the infection mechanism. The malware first checks for a specific directory, which it uses to attach itself to scripts, and exits if the directory does not exist. If it continues, it searches for vulnerable functions by matching certain strings, a kind of signature scan. These strings can be server version banners, from which BotenaGo recognises a vulnerable service and selects a matching exploit.
Taking the signature "Server: Boa/0.93.15", the banner of a vulnerable web server found on IoT devices and routers, as an example, the researchers queried the Shodan database and received almost two million results, that is, potentially vulnerable devices. For the signature "Basic realm="Broadband Router"" Shodan still listed 250,000 results. In total, according to the report, BotenaGo can attack 33 vulnerable services and functions. As a backdoor the malware opens the two ports 31412 and 19412; for the latter, the researchers show how a DDoS attack against a given IP address and port number can be started.
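To make the banner-matching step concrete, here is an added example (not code from the Alien Labs report or from the malware itself) in Go, the language BotenaGo is written in. It parses a raw HTTP response and reports whether the Server or WWW-Authenticate header contains one of the two signature strings quoted above. The labels, the sample responses and the choice of case-insensitive substring matching are assumptions for illustration; the example deliberately stops at fingerprinting and contains no exploit logic. An administrator can feed it the response of a device on their own network to see whether a scanner keyed on these banners would pick it out.

```go
package main

import (
	"bufio"
	"fmt"
	"net/textproto"
	"strings"
)

// Signature pairs a banner string the article cites as a BotenaGo target
// fingerprint with a descriptive label. Labels are ours, not the malware's.
type Signature struct {
	Header string // HTTP response header the string appears in
	Needle string // substring looked for (matched case-insensitively)
	Label  string
}

// Only the two signatures quoted in the article are reproduced here; the
// malware's remaining 30-odd signatures are not.
var signatures = []Signature{
	{"Server", "Boa/0.93.15", "Boa 0.93.15 embedded web server"},
	{"WWW-Authenticate", `Basic realm="Broadband Router"`, "generic broadband router login"},
}

// parseResponse splits a raw HTTP response into its status line and headers.
// textproto canonicalises header names, so lookups are case-insensitive.
func parseResponse(raw string) (status string, hdr textproto.MIMEHeader, err error) {
	r := textproto.NewReader(bufio.NewReader(strings.NewReader(raw)))
	status, err = r.ReadLine()
	if err != nil {
		return
	}
	hdr, err = r.ReadMIMEHeader()
	return
}

// Match returns the labels of every signature whose needle occurs in the
// corresponding response header. Substring containment is what a banner-grep
// scanner does; note that it also means "Boa/0.93.15a" would match "Boa/0.93.15".
func Match(raw string) ([]string, error) {
	_, hdr, err := parseResponse(raw)
	if err != nil {
		return nil, err
	}
	var hits []string
	for _, s := range signatures {
		v := hdr.Get(s.Header)
		if v == "" {
			continue
		}
		if strings.Contains(strings.ToLower(v), strings.ToLower(s.Needle)) {
			hits = append(hits, s.Label)
		}
	}
	return hits, nil
}

// Constructed sample responses (not captured from real devices).
const boaBanner = "HTTP/1.1 200 OK\r\nServer: Boa/0.93.15\r\nContent-Type: text/html\r\n\r\n"
const routerBanner = "HTTP/1.0 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Broadband Router\"\r\nServer: micro_httpd\r\n\r\n"
const nginxBanner = "HTTP/1.1 200 OK\r\nServer: nginx/1.22.1\r\n\r\n"

func main() {
	samples := map[string]string{"boa": boaBanner, "router": routerBanner, "nginx": nginxBanner}
	for name, raw := range samples {
		hits, err := Match(raw)
		fmt.Printf("%-7s hits=%v err=%v\n", name, hits, err)
	}
}
```

Matching on the exact banner string explains why the Shodan counts in the report are only upper bounds: a banner says which software answered, not whether the device is actually unpatched.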
There seems to be no active communication with a command-and-control (C&C) server. The report speculates on what this means for the botnet operator: either BotenaGo is only one part of a malware suite and C&C communication is handled by a different module; or it really is a Mirai successor, with the operators targeting IPs already known to be infected with Mirai; or, the third possibility, the sample is an accidental leak of beta malware.
The researchers list the CVE numbers and the affected devices in their report; reproducing them here would go beyond the scope of this article. The report's recommendations are to install available updates, to expose IoT devices and Linux servers on the public Internet with as little attack surface as possible, to monitor network traffic, and to watch for outgoing port scans and unusual bandwidth usage.
Since various older routers and IoT devices no longer receive updates, from a security perspective the only advice is to switch to current devices that are still supported by the manufacturer and therefore receive security updates.
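The monitoring advice above (outgoing port scans, unusual bandwidth) and the two backdoor ports named earlier can be turned into simple detection logic. The following Go program is an added example, not part of the Alien Labs report: the flow record format, the thresholds, the addresses and the byte counts are constructed for illustration, and a production detector would read NetFlow or Zeek conn logs instead. It flags a source that fans out to many hosts on one port, a source with an outsized outbound byte total, and any connection to port 19412 or 31412 on an internal host.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// Flow is one connection record. The text format is constructed for this
// example ("src dst dport bytes" per line); real flow logs carry the same
// fields under other names.
type Flow struct {
	Src   string
	Dst   string
	Dport int
	Bytes int64
}

// ParseFlows parses the whitespace-separated record format above, skipping
// blank and "#" comment lines and rejecting malformed fields.
func ParseFlows(text string) ([]Flow, error) {
	var flows []Flow
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("line %d: expected 4 fields, got %d", n+1, len(f))
		}
		port, err := strconv.Atoi(f[2])
		if err != nil || port < 0 || port > 65535 {
			return nil, fmt.Errorf("line %d: bad port %q", n+1, f[2])
		}
		b, err := strconv.ParseInt(f[3], 10, 64)
		if err != nil || b < 0 {
			return nil, fmt.Errorf("line %d: bad byte count %q", n+1, f[3])
		}
		flows = append(flows, Flow{f[0], f[1], port, b})
	}
	return flows, nil
}

// Finding is one alert: the host concerned, the heuristic that fired, a detail.
type Finding struct {
	Host   string
	Kind   string // "port-scan", "bandwidth" or "backdoor-port"
	Detail string
}

// backdoorPorts are the two listeners the article reports for BotenaGo.
var backdoorPorts = map[int]bool{19412: true, 31412: true}

// Analyze applies three heuristics derived from the report's advice. The
// thresholds are parameters because sensible values depend on the network.
func Analyze(flows []Flow, scanThreshold int, byteThreshold int64) []Finding {
	fanout := map[string]map[int]map[string]bool{} // src -> dport -> set of dst
	total := map[string]int64{}                     // src -> outbound bytes
	var findings []Finding
	for _, f := range flows {
		if fanout[f.Src] == nil {
			fanout[f.Src] = map[int]map[string]bool{}
		}
		if fanout[f.Src][f.Dport] == nil {
			fanout[f.Src][f.Dport] = map[string]bool{}
		}
		fanout[f.Src][f.Dport][f.Dst] = true
		total[f.Src] += f.Bytes
		if backdoorPorts[f.Dport] { // someone is talking to a backdoor listener
			findings = append(findings, Finding{f.Dst, "backdoor-port",
				fmt.Sprintf("accepted connection on port %d from %s", f.Dport, f.Src)})
		}
	}
	srcs := make([]string, 0, len(fanout))
	for s := range fanout {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs) // deterministic output order
	for _, s := range srcs {
		for port, dsts := range fanout[s] {
			if len(dsts) >= scanThreshold { // fan-out of an exploit scanner
				findings = append(findings, Finding{s, "port-scan",
					fmt.Sprintf("%d distinct hosts on port %d", len(dsts), port)})
			}
		}
		if total[s] > byteThreshold { // flood-style outbound volume
			findings = append(findings, Finding{s, "bandwidth",
				fmt.Sprintf("%d bytes outbound", total[s])})
		}
	}
	return findings
}

// Constructed sample: 10.0.0.5 fans out to 8 hosts on port 80, 10.0.0.7 pushes
// 900 MB to one host, 10.0.0.9 browses normally, and an external host reaches
// 10.0.0.5 on backdoor port 19412.
const sampleFlows = `
# src dst dport bytes
10.0.0.9 198.51.100.20 443 48211
10.0.0.9 198.51.100.21 443 120553
10.0.0.5 203.0.113.1 80 312
10.0.0.5 203.0.113.2 80 312
10.0.0.5 203.0.113.3 80 312
10.0.0.5 203.0.113.4 80 312
10.0.0.5 203.0.113.5 80 312
10.0.0.5 203.0.113.6 80 312
10.0.0.5 203.0.113.7 80 312
10.0.0.5 203.0.113.8 80 312
10.0.0.7 198.51.100.50 443 900000000
203.0.113.77 10.0.0.5 19412 96
`

func main() {
	flows, err := ParseFlows(sampleFlows)
	if err != nil {
		panic(err)
	}
	for _, f := range Analyze(flows, 8, 500000000) {
		fmt.Printf("%-14s %-13s %s\n", f.Host, f.Kind, f.Detail)
	}
}
```

The backdoor-port check is the cheapest of the three and the most specific to this family; the other two catch the behaviour of any exploit scanner or flooder, which is why the report recommends them regardless of the malware involved.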