A new Go-based malware named ‘Zerobot’ has been spotted in mid-November using exploits for almost two dozen vulnerabilities in a variety of devices that include F5 BIG-IP, Zyxel firewalls, Totolink and D-Link routers, and Hikvision cameras.
The purpose of the malware is to add compromised devices to a distributed denial-of-service (DDoS) botnet to launch powerful attacks against specified targets.
Zerobot can scan the network and self-propagate to adjacent devices as well as run commands on Windows (CMD) or Linux (Bash).
Security researchers at Fortinet discovered Zerobot and say that since November a new version has emerged with additional modules and exploits for new flaw, indicating that the malware is under active development.
Exploiting its way in
The malware can target a range of system architectures and devices, including i386, AMD64, ARM, ARM64, MIPS, MIPS64, MIPS64le, MIPSle, PPC64, PPC64le, RISC64, and S390x.
Zerobot incorporates exploits for 21 vulnerabilities and uses them to gain access to the device. Then it downloads a script named “zero,” which allows it to self propagate.
Zerobot uses the following exploits to breach its targets:
CVE-2014-08361: miniigd SOAP service in Realtek SDK
Additionally, the botnet uses four exploits that have not been assigned an identifier. Two of them are targeting GPON terminals and D-Link routers. Details about the other two are unclear at the moment.
Zerobot functions
After establishing its presence on the compromised device, Zerobot sets a WebSocket connection to the command and control (C2) server and sends some basic information about the victim.
The C2 may respond with one of the following commands:
ping – Heartbeat, maintaining the connection
attack – Launch attack for different protocols: TCP, UDP, TLS, HTTP, ICMP
stop – Stop attack
update – Install update and restart Zerobot
enable_scan – Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker
disable_scan – Disable scanning
command – Run OS command, cmd on Windows and bash on Linux
kill – Kill botnet program
The malware also uses an “anti-kill” module designed to prevent terminating or killing its process.
Currently, Zerobot is primarily focused on launching DDoS attacks. However, it could be used as for initial access, too.
Fortinet says that since Zerobot first appeared on November 18 its developer has improved it with string obfuscation, a copy file module, a self-propagation module, and several new exploits.