A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 30 different CPUs.
Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a “new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we’ve seen.” In the three months that Bitdefender has tracked it, dark_nexus has undergone version updates, as its developer has steadily added more features and capabilities.
Significantly more potent
The malware has infected at least 1, devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues. Referring to other IoT botnets, the researchers wrote in a report: “Our analysis has determined that, although dark_nexus reuses some Qbot and Mirai code, its core modules are mostly original. While it might share some features with previously known IoT botnets, the way some of its modules have been developed makes it significantly more potent and robust.”
The botnet has propagated both by guessing common administrator passwords and by exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs. The report lists the following binaries, described here in the output format of the Unix file(1) utility (word size, byte order, CPU, ABI, linkage):
arm: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm5: ELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped
arm6: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
arm7: ELF 32-bit LSB executable, ARM, EABI4 version 1 (GNU/Linux), statically linked, stripped
mpsl: ELF 32-bit LSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
mips: ELF 32-bit MSB executable, MIPS, MIPS-I version 1 (SYSV), statically linked, stripped
i586: ELF 32-bit LSB executable, Intel 80386, version 1 (GNU/Linux), statically linked, stripped
x86_64: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), statically linked, stripped
spc: ELF 32-bit MSB executable, SPARC, version 1 (SYSV), statically linked, stripped
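The list above is what file(1) prints for each dropper, and every field it reports (32- vs 64-bit, LSB vs MSB byte order, CPU) comes from the first 20 bytes of the ELF header. The following script, an added example and not code from the Bitdefender report or from the malware, parses just those bytes so an analyst can triage a directory of multi-architecture payloads without running them. The sample headers are constructed inline to mirror the architectures in the list; the function names, the SAMPLES dictionary and the hypothetical sample names are this example's own.

```python
#!/usr/bin/env python3
"""Classify ELF binaries by word size, byte order and CPU from the ELF header alone."""
import struct

ELF_MAGIC = b"\x7fELF"

# e_machine values from the ELF specification (subset covering the listed targets)
MACHINES = {
    0x02: "SPARC",
    0x03: "Intel 80386",
    0x08: "MIPS",
    0x28: "ARM",
    0x3E: "x86-64",
}

E_TYPES = {1: "relocatable", 2: "executable", 3: "shared object", 4: "core file"}


def describe_elf(data: bytes) -> str:
    """Return a file(1)-style description such as 'ELF 32-bit MSB executable, MIPS'.

    Only e_ident and the e_type/e_machine fields are read, so truncated or
    otherwise damaged samples can still be classified.
    """
    if len(data) < 20 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]           # EI_CLASS, EI_DATA
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF identification bytes")
    bits = 32 if ei_class == 1 else 64
    order = "LSB" if ei_data == 1 else "MSB"
    # e_type and e_machine are 16-bit fields right after the 16-byte e_ident,
    # stored in the byte order EI_DATA declares.
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    e_type, e_machine = struct.unpack(fmt, data[16:20])
    kind = E_TYPES.get(e_type, f"type {e_type}")
    cpu = MACHINES.get(e_machine, f"machine 0x{e_machine:02x}")
    return f"ELF {bits}-bit {order} {kind}, {cpu}"


def make_header(bits: int, order: str, e_machine: int, e_type: int = 2) -> bytes:
    """Build a minimal ELF header (constructed test data, not a real binary)."""
    ei_class = 1 if bits == 32 else 2
    ei_data = 1 if order == "LSB" else 2
    # magic, class, data, EI_VERSION=1, EI_OSABI=0 (SYSV), 8 bytes of padding
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + bytes(8)
    endian = "<" if ei_data == 1 else ">"
    return ident + struct.pack(endian + "HHI", e_type, e_machine, 1)  # e_type, e_machine, e_version


# Constructed samples named after the droppers in the report's list (hypothetical bytes).
SAMPLES = {
    "arm": make_header(32, "LSB", 0x28),
    "mpsl": make_header(32, "LSB", 0x08),
    "mips": make_header(32, "MSB", 0x08),
    "i586": make_header(32, "LSB", 0x03),
    "x86_64": make_header(64, "LSB", 0x3E),
    "spc": make_header(32, "MSB", 0x02),
}


def classify_samples(samples: dict) -> dict:
    """Describe every sample; non-ELF files are reported rather than aborting the run."""
    out = {}
    for name, data in samples.items():
        try:
            out[name] = describe_elf(data)
        except ValueError as exc:
            out[name] = f"skipped ({exc})"
    return out


def distinct_cpus(samples: dict) -> list:
    """Sorted list of CPU families the sample set targets, for a quick coverage summary."""
    cpus = set()
    for desc in classify_samples(samples).values():
        if desc.startswith("ELF "):
            cpus.add(desc.rsplit(", ", 1)[1])
    return sorted(cpus)


if __name__ == "__main__":
    for name, desc in classify_samples(SAMPLES).items():
        print(f"{name}: {desc}")
    print("targets:", ", ".join(distinct_cpus(SAMPLES)))
```

On a real sample set, replace the SAMPLES dictionary with the bytes read from each file (only the first 20 are needed). Because the script never executes or fully parses the binaries, it is safe to run over a quarantine directory, and the distinct-CPU summary is a fast way to judge how broad a campaign's target list is before deeper analysis.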
hosted by a user named greek helios features several videos promoting the malware and services offered.
One video, Wednesday’s report said, shows a computer desktop with a shortcut to an IP address that as early as last December showed up in Bitdefender’s honeypot logs as a dark_nexus command-and-control server. These and several other clues led the researchers to suspect this individual is behind dark_nexus.
As the map above shows, dark_nexus infections are most common in China, with nodes detected as compromised. The next four most affected countries are the Republic of Korea, Thailand, Brazil, and Russia. Infections were also detected in the US.
With the ability to infect a wide range of devices and a motivated developer with an ambitious update schedule, it wouldn’t be surprising to see this botnet grow in the coming months.