Endpoint Security , Internet of Things Security

Novel Botnet Dubbed 'Zerobot' Targets Slew of IoT Devices

Zerobot Operators Quickly Updated Malware With Propagation Exploit, Says Fortinet
Novel Botnet Dubbed 'Zerobot' Targets Slew of IoT Devices
Image: Getty Images

A novel botnet is taking advantage of vulnerabilities in a slew of networking equipment and networked cameras with an emphasis on equipment manufactured in East Asia.

See Also: Securing Enterprise IoT: Advanced Threats and Strategies to Respond

Among the targeted devices are three types of Totolink-brand routers made by Hong Kong-based Zioncom and a variety of cameras made by China-based Hikvision. The botnet, dubbed Zerobot by cybersecurity firm Fortinet, also uses a vulnerability identified in thermal sensor cameras made by U.S.-based Teledyne FLIR.

Zerobot also exploits software vulnerabilities including Spring4Shell, a flaw in the widely used open-source Java application Spring Framework platform, boosting the botnet's chances of success. Spring's parent, VMWare, issued a patch in March.

In all, the botnet exploits 21 separate vulnerabilities. Its operators appear to have purchased two of them from 0day.today - a website purportedly for educational purposes that sells exploits for cryptocurrency.

Once Zerobot infects a device, it downloads a script for further propagation, Fortinet writes. The company first observed the botnet on Nov. 18, when it contained only basic functions. Botnet operators updated the malware on Nov. 24 to include the self-propagation module.

"Within a very short time, it was updated with string obfuscation, a copy file module, and a propagation exploit module that make it harder to detect and give it a higher capability to infect more devices," wrote Cara Lin, a Fortinet researcher.

Researchers chose the name Zerobot based on how the botnet saves itself on infected devices using the filename zero.

How It Works

After infection, Zerobot copies itself on Windows devices to the Startup folder with the filename FireWall.exe. Linux has three file paths: %HOME%, /etc/init/ and /lib/systemd/system/.

After initialization, Zerobot uses the WebSocket IP protocol to reach its command-and-control server. The commands include:

  • ping: Heartbeat, maintaining the connection;
  • attack: Launch attack for different protocols: TCP, UDP, TLS, HTTP and ICMP;
  • stop: Stop attack;
  • update: Install update and restart Zerobot;
  • enable_scan: Scan for open ports and start spreading itself via exploit or SSH/Telnet cracker;
  • disable_scan: Disable scanning;
  • command: Running OS command cmd on Windows and bash on Linux;
  • kill: Kill botnet program.

To prevent users from disrupting the Zerobot program, it sets up an AntiKill module that intercepts any signal sent to terminate the process.

About the Author

Prajeet Nair

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing govinfosecurity.com, you agree to our use of cookies.