Boutique "Dark" Botnet Hunting for Crumbs
Last Updated: 2021-10-04 14:07:59 UTC
by Johannes Ullrich (Version: 1)
As I have said before, Internet of Things (IoT) devices are best compared to Mosquitos. Individually, they are annoying. But their large number makes them the most deadly animal around . Many botnets like Mirai or Mozi are going after simple exploits affecting large numbers of devices. These mosquito hunters are like birds in the sense that they live from large numbers of vulnerable devices. The botnets themselves are usually mostly an annoyance unless you get hit by a DoS attack (ever parked your car under a tree with nesting birds?).
But aside from these more visible botnets, there are smaller, "Boutique" botnets. They go after less common vulnerabilities and pick systems that the major botnets find not lucrative enough to go after. Usually, only a few vulnerable devices are exposed. Taking the animal analogy a bit too far: These are like crustaceans on the ocean floor living off what the predators above discard.
One such botnet is "Dark Bot." It mostly scans for a few vulnerabilities, and the botnet itself isn't really all that big. For about 10,000 IPs hitting our honeypots, we may see 3 or 4 "Dark Bots." As far as we are concerned, "Dark Bot" is identified by the User-Agent "Dark" (pretty straightforward).
Dark Bot is interesting as it does pick recent vulnerabilities (only one vulnerability below is not from 2021, and I may have misidentified the exact vulnerability here). It likes simple command injection vulnerabilities and uses them to download and execute a script called "lolol.sh". The script will typically follow the playbook of other worms like Mirai and Mozi in downloading the same binary compiled for different architectures to see what sticks.
So what should you do against this type of botnet? Absolutely nothing. None of these devices should ever be exposed to the "outside." Sure, patching is a bit tricky, but without exposure, these vulnerabilities should not be much of an issue as far as this botnet goes. It scans, infects, and moves on. Radware recently published a few details about this botnet as well .
Here are some of the requests we see from this botnet currently:
RealTek SDK (CVE-2021-35395)
POST /goform/formWsc HTTP/1.1
Seagate Blackarmor NAS (CVE-2014-3206)
Accept-Encoding: gzip, deflate
Buffalo WSR-2533DHPL2 firmware Vulnerability (CVE-2021-20090)
This is a simple to exploit command injection vulnerability. Other routers may be affected, as well as they may share the same vulnerable firmware.
RealTek SDK (CVE-2021-35395)
This vulnerability affects various IoT devices using the affected RealTek SDK. Again a simple command injection vulnerability not requiring any authentication.
POST /goform/formSysCmd HTTP/1.1
Geutebrück G-Cam E2 and G-Code (multiple possible 2021 CVEs)
POST //uapi-cgi/certmngr.cgi HTTP/1.1
Johannes B. Ullrich, Ph.D. , Dean of Research, SANS.edu