Dark Nexus: evolving IoT botnet targets variety of devices
Security researchers are tracking a new botnet that has been in rapid development for the past several months and targets embedded devices with binaries that are cross-compiled for 12 CPU architectures.
According to a new report from security vendor Bitdefender, the Dark Nexus botnet borrows ideas and features from previously successful IoT threats like Qbot and Mirai, but is largely an original creation by an established malware developer who advertises distributed denial-of-service (DDoS) services on YouTube and other social media websites.
The bot client is cross-compiled for 12 CPU architectures, which means it can infect a wide variety of devices including routers, digital video recorders (DVRs) and surveillance cameras. Recent versions also deploy a SOCKSv5 proxy on the compromised systems, allowing hackers to tunnel malicious traffic through them in addition to abusing them in DDoS attacks.
Bitdefender started tracking the Dark Nexus bot in December when it was already at version 4. Over the next three months, the researchers observed over 30 iterations — the latest version is 8.6 — during which the developer made improvements and added features, including customisable DDoS attack techniques, improved scanning and infection routines and a persistence mechanism.
While the botnet is currently small, consisting of around 1,400 devices spread around the world, the rapid pace of development and the experience of its creator, who researchers believe is also responsible for an older Qbot-based botnet called hoho, could make this a serious threat in the future.
“Not only that it is still maintained, but it is actively spreading to new devices,” Bogdan Botezatu, director of threat research and reporting at Bitdefender, tells CSO. “With an estimate of more than 20 billion IoT devices in use, IoT botnets have serious room to grow, and, if our assumptions on the botnet’s ownership are correct, we expect that Dark Nexus will become a significant botnet in the DDoS-for-hire space in the near future.”
Propagation through brute force
The latest version of the bot spreads by brute-forcing Telnet connections with default credentials. However, earlier versions also used exploits for known vulnerabilities: a remote code execution (RCE) flaw in Netgear DGN1000, an RCE issue in the JAWS web server that is used on DVRs and other devices, and a command injection in the Linear eMerge E3-Series door access control devices (CVE-2019-7256). It is not clear why the use of these exploits stopped in newer versions, but it shows the developer can easily add exploits for any future flaws that might be discovered.
The Telnet brute-force attacks are handled by two modules, one performing synchronous scans and another performing asynchronous scans of IP addresses delivered by the command-and-control server. The synchronous module behaves like a worm because it also delivers the payload to the victim device after successful authentication. The async module just reports the valid credentials and the victim’s IP address back to the server for later infection.
The list of default credentials tested by the bot has grown over time and received a big update in the latest 8.6 version. The list includes passwords that contain words like ipcam, zhone (a router manufacturer), telecom, samsung and dreambox (satellite set-top-box), reflecting the variety of the targeted devices.
Once it infects a device, the bot attempts to disguise itself as /bin/busybox. Busybox is a userspace software package that is popular on embedded systems and provides lightweight versions of the most common UNIX command-line utilities. Its presence on such a system would not be unusual.
The malware disables the kernel watchdog, so the system does not automatically reboot when encountering an error. It then builds a whitelist of existing processes by analysing their different attributes and characteristics and assigns a suspicion score to each of them. Processes that get a suspicion score of over 100 are killed. In essence, the author created their own malware detection engine to ensure Dark Nexus is the only bot with control over the infected devices.
During its evolution, the bot used several persistence mechanisms. Earlier versions simply prevented the device from rebooting by stopping the cron service, which handles scheduled tasks on Linux systems, and by changing the permissions of the various utilities that could be used to reboot the device.
Newer versions copy commands to the /etc/init.d/rcS file, which is used during initialisation, or to the /home/start.sh file, if this file exists. The bot also clears the iptables rules to ensure that its communication with the command-and-control server and any attacks that it launches are not blocked by the internal firewall.
Achieving persistence on some embedded devices, especially routers, is difficult because modifications made during their runtime are only stored in RAM and their file systems are reset at reboot. That is why Dark Nexus attempts to delay device reboots for as long as possible and uses some persistence techniques that the author probably knows work on at least some devices, but not all.
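Two of the host-side behaviours described above (masquerading as /bin/busybox and appending commands to /etc/init.d/rcS or /home/start.sh) can be checked for on a Linux-based device. The following triage script is an added example, not code from Bitdefender's report; it assumes the disguise shows up as a process whose name or argv[0] says busybox while its executable resolves elsewhere, and that a known-good copy of each boot script (for example extracted from the vendor firmware image) is available for comparison.

```python
import os
from dataclasses import dataclass

@dataclass
class Proc:
    pid: int
    comm: str      # contents of /proc/<pid>/comm
    exe: str       # link target of /proc/<pid>/exe
    cmdline: str   # /proc/<pid>/cmdline with NULs turned into spaces

def read_live_procs():
    """Snapshot running processes from /proc (run as root so exe links resolve)."""
    procs = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        pid = int(entry)
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue  # process exited or permission denied; skip it
        procs.append(Proc(pid, comm, exe, cmdline))
    return procs

def find_busybox_impostors(procs, real_busybox="/bin/busybox"):
    """Return pids of processes that present as busybox (process name or argv[0])
    but whose executable is not the real busybox binary (assumed disguise pattern)."""
    hits = []
    for p in procs:
        argv0 = p.cmdline.split(" ", 1)[0] if p.cmdline else ""
        claims_busybox = p.comm == "busybox" or os.path.basename(argv0) == "busybox"
        if claims_busybox and p.exe != real_busybox:
            hits.append(p.pid)
    return hits

def added_init_lines(current, baseline):
    """Non-empty lines present in a boot script now but absent from the known-good
    copy; anything returned for rcS or start.sh deserves a closer look."""
    known = set(baseline.splitlines())
    return [ln for ln in current.splitlines() if ln.strip() and ln not in known]

if __name__ == "__main__":  # live run on a device; needs root
    print("busybox impostors:", find_busybox_impostors(read_live_procs()))
```

The process snapshot is separated from the checks so the same functions can be run against a saved /proc listing collected from a device that cannot host Python itself.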
In earlier versions, the bot included a reverse proxy module that was used to serve binaries compiled for different architectures to newly infected devices. These binaries were hosted locally on the victim devices and were being kept up to date, which was probably not very efficient, so this module disappeared in later versions. However, the author added a new SOCKS5 proxy module which can be used to route traffic through the devices.
“Dark Nexus is not the first botnet to have such a feature. TheMoon, Gwmndy, Omg botnets and a certain Mirai variant have featured socks5 proxies before,” the Bitdefender researchers said in their report. “A possible motivation would be selling access to these proxies on underground forums. However, we have not found evidence of this yet.”
The DDoS module can use several attack techniques, including one called browser_http_req that the researchers call “highly complex and configurable.” This technique disguises malicious HTTP requests to make them appear as if originating from real browsers. The attacker can configure various values in the HTTP headers, likely to bypass any filtering rules that defenders might put in place based on traffic patterns.
The best defense against IoT malware is to change the default administrative credentials supplied with the devices and to make sure their firmware is always up to date. Most devices should not be exposed directly to the internet. This cannot be avoided with routers, but their admin interface can be restricted to the LAN. IP cameras and DVRs, for example, do not need to be connected directly to the internet and can be monitored securely through VPNs.
“Companies should audit internal networks to identify connected IoT devices and run a vulnerability assessment to discover unpatched or misconfigured ones before the bad guys do,” Botezatu said.
IDG News Service