Set up as a network of devices ready to respond to any DDoS operations its masters might need to launch, the spread of the infection started with the notorious “Spike” malware variant, which has since morphed into what Incapsula refers to as “MrBlack”.
MrBlack is a tool which works by first infecting the device of a user who has left their router security credentials as the default option for remote administration. We spoke about this issue briefly in the last edition of Decrypt This, wherein consumers will keep the username/password combo to get into their home router as “admin” and “password”, respectively. The botnet seeks out any routers tagged with these credentials, and after automatically accessing the hub, will infect the network and lie in wait for its next command.
“After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks,” said the report’s author.
For now, the hardest hit by the attack are routers made by the little-known company Ubiquiti. The company is primarily concerned with providing bulk network hub solutions that ISPs can lease out to customers on a month-to-month basis, and its involvement just goes to show that as the router industry moves more toward homogeneity and away from specific innovations, the threat to our information and identities becomes greater than ever before.
Incapsula’s investigation into the source of the problem uncovered that about 85% of the devices affected by the problem reside in either Thailand or Brazil, while 21% of the command-and-control servers are located in the United States. Though there’s no hard evidence to make a connection just yet, Incapsula says there has been an increased amount of chatter in a known Anonymous hangout about the botnet, as well as rumblings on Lizard Squad’s Twitter page about a revival of their older Stresser tool.
Coming soon :) — hydra:~$ BOTS Loaded: 54031
— Lizard Squad (@LizardLands) April 16, 2015
“Based on the profile of targets and the attack patterns, we know these compromised routers are being exploited by several groups or individuals. For instance, our analysis also shows that several of these malware variants are reporting to AnonOps IRC channel, indicating that Anonymous [could be] one of the groups responsible for exploiting these under-protected devices,” read the report.
These frayed links have leads researchers to believe that even if the two groups aren’t directly involved, they’re still interested in emulating the techniques used by its true perpetrator.
We’ll be keeping a close eye on this botnet as more details about its proliferation surface, so stay tuned to Digital Trends for all the latest updates.
