URL:
https://www.darkreading.com/vulnerabilities-threats/source-code-for-malware-targeting-millions-of-routers-iot-devices-upload...
Submission: On February 04 via api from US — Scanned from DE
Vulnerabilities/Threats News

MILLIONS OF ROUTERS, IOT DEVICES AT RISK AS MALWARE SOURCE CODE SURFACES ON GITHUB

"BotenaGo" contains exploits for more than 30 vulnerabilities in multiple vendor products and is being used to spread Mirai botnet malware, security vendor says.

Jai Vijayan, Contributing Writer
January 26, 2022

Image source: Maximumm via Shutterstock

The authors of a dangerous malware sample targeting millions of routers and Internet of Things (IoT) devices have uploaded its source code to GitHub, meaning other criminals can now quickly spin up new variants of the tool or use it as is in their own attack campaigns.

Researchers at AT&T Alien Labs first spotted the malware last November and named it "BotenaGo." The malware is written in Go, a programming language that has become quite popular among malware authors. It comes packed with exploits for more than 30 different vulnerabilities in products from multiple vendors, including Linksys, D-Link, Netgear, and ZTE.

BotenaGo is designed to execute remote shell commands on systems where it has successfully exploited a vulnerability. An analysis that Alien Labs conducted last year, when it first spotted the malware, showed BotenaGo using two different methods to receive commands for targeting victims. One involved two backdoor ports for listening to and receiving the IP addresses of target devices; the other involved setting a listener on system I/O user input and receiving target information through it.

Researchers at Alien Labs discovered that while the malware is designed to receive commands from a remote server, it does not have any active command-and-control communication. This led the security vendor to surmise at the time that BotenaGo was part of a broader malware suite and likely one of multiple tools in an infection chain.

The security vendor also found that BotenaGo's payload links were similar to the ones used by the operators of the infamous Mirai botnet malware. This led Alien Labs to theorize that BotenaGo was a new tool that the operators of Mirai are using to target specific machines that are known to them.

IoT Devices and Routers Hit

For reasons that are unclear, the unknown author of the malware recently made BotenaGo's source code publicly available through GitHub. The move could potentially result in a significant increase in BotenaGo variants as other malware authors use and adapt the source code for their specific purposes and attack campaigns, Alien Labs said in a blog this week. The company said it has observed new samples of BotenaGo surface and in use to spread Mirai botnet malware on IoT devices and routers. One of BotenaGo's payload servers is also in the list of indicators of compromise for the recently discovered Log4j vulnerabilities.

The BotenaGo malware consists of just 2,891 lines of code, making it a potentially good starting point for several new variants. The fact that it comes packed with exploits for more than 30 vulnerabilities in multiple routers and IoT devices is another factor that malware authors are likely to consider appealing. The many vulnerabilities that BotenaGo can exploit include CVE-2015-2051 in certain D-Link wireless routers, CVE-2016-1555 impacting Netgear products, CVE-2013-3307 on Linksys devices, and CVE-2014-2321 that impacts certain ZTE cable modem models.

"Alien Labs expects to see new campaigns based on BotenaGo variants targeting routers and IoT devices globally," said Alien Labs malware researcher Ofer Caspi, in the previously mentioned blog post. "As of the publishing of this article, antivirus (AV) vendor detection for BotenaGo and its variants remains behind with very low detection coverage from most of AV vendors."

According to Alien Labs, just three of the 60 antivirus engines on VirusTotal are currently capable of detecting the malware.

The company compared the move to the one Mirai's authors made back in 2016, when they uploaded the source code for the malware to a hacking community forum. The code release resulted in the development of numerous Mirai variants, such as Satori, Moobot, and Masuta, that have accounted for millions of IoT device infections. The Mirai code release resulted in variants with unique functionality, new capabilities, and new exploits.

Tags: IoT, Attacks/Breaches, Threat Intelligence, Advanced Threats