
‘DemonBot’ Botnet Targets Hadoop Servers

A newly discovered botnet is targeting Hadoop clusters in an attempt to leverage their computing power to launch distributed denial of service (DDoS) attacks. 


The operation, Radware security researchers have discovered, targets an unauthenticated remote command execution flaw in Hadoop YARN (Yet Another Resource Negotiator). A proof-of-concept for the flaw was first published in March this year.
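The flaw the botnet exploits is reachable because many clusters run YARN with no authentication at all. The following audit script is an added example, not code from Radware or the Hadoop project: it parses a Hadoop `core-site.xml` and reports whether the standard properties `hadoop.security.authentication` (values `simple` or `kerberos`) and `hadoop.security.authorization` are set to their secure values. The two XML documents embedded below are constructed samples, not configuration taken from a real cluster.

```python
"""Audit a Hadoop core-site.xml for the settings that leave YARN unauthenticated."""
import xml.etree.ElementTree as ET

# Constructed sample: a cluster left on Hadoop's default "simple" authentication.
INSECURE_CORE_SITE = """<configuration>
  <property>
    <name>fs.defaultFS</name>
    <value>hdfs://namenode.example.internal:8020</value>
  </property>
  <property>
    <name>hadoop.security.authentication</name>
    <value>simple</value>
  </property>
</configuration>
"""

# Constructed sample: Kerberos authentication plus service-level authorization.
SECURE_CORE_SITE = """<configuration>
  <property>
    <name>hadoop.security.authentication</name>
    <value>kerberos</value>
  </property>
  <property>
    <name>hadoop.security.authorization</name>
    <value>true</value>
  </property>
</configuration>
"""


def load_properties(xml_text):
    """Return the <name> -> <value> pairs from a Hadoop-style XML config."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.iter("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_authentication(xml_text):
    """Return a list of findings; an empty list means both checks passed."""
    props = load_properties(xml_text)
    findings = []
    # Hadoop falls back to "simple" when the property is absent, so a missing
    # property is treated exactly like an explicit "simple".
    auth = props.get("hadoop.security.authentication", "simple").lower()
    if auth != "kerberos":
        findings.append(
            f"hadoop.security.authentication is '{auth}': anyone who can reach "
            "YARN can submit work without credentials")
    authz = props.get("hadoop.security.authorization", "false").lower()
    if authz != "true":
        findings.append(
            "hadoop.security.authorization is not enabled: service-level "
            "access control lists are not enforced")
    return findings


if __name__ == "__main__":
    for label, cfg in (("insecure", INSECURE_CORE_SITE), ("secure", SECURE_CORE_SITE)):
        print(label, audit_authentication(cfg) or ["no findings"])
```

Run it against each node's `core-site.xml`; a non-empty result on any node means that node's YARN services accept work from whoever can reach them on the network, which is exactly the condition the exploit servers scan for.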

Dubbed DemonBot, the malware doesn’t employ worm-like capabilities, meaning that it only infects central servers. At the moment, there are over 70 active exploit servers spreading the threat and targeting systems at an aggregated rate of over 1 million exploits per day, Radware says. 

The malware’s binary, the security researchers discovered, is compatible with most known Internet of Things (IoT) devices, but the bot was not seen targeting IoT until now.

During their investigation, the Radware researchers discovered that the malware author had actually published the source code for the botnet on pastebin at the end of September. The code for the command and control (C&C) server and the Python build script for the multi-platform bots were also discovered. 

The C&C server provides two services, one that allows bots to register and listen for new commands from the server, and a remote access CLI so that admins and potential ‘customers’ can control the botnet. Credentials for remote users are stored in a plain text file. 


Upon execution, the DemonBot malware connects to the C&C server (hardcoded with IP and port) and starts listening to commands. By default, it uses port 6982, while the connection is plain text TCP.

The bot sends the server information about the infected system, including its public IP address, a port number (22 or 23, depending on the availability of Python or Perl and telnetd on the server), whether a Python or Perl interpreter is available on the device, the server's architecture, and its operating system.
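The hardcoded C&C address and default port described above give defenders a simple network signal: several cluster nodes opening plain TCP sessions to the same outside host on port 6982. The script below is an added example, not Radware's code or the bot's. It parses a handful of constructed connection records (the log lines, the `10.20.0.0/16` cluster range, and the destination addresses are all invented for the example), keeps only outbound TCP traffic from cluster hosts to the C&C port, and ranks destinations by how many distinct nodes reached them.

```python
"""Flag Hadoop nodes beaconing to a DemonBot-style C&C over plain TCP."""
import ipaddress
from collections import defaultdict

# Default C&C port reported by Radware; a custom build can use any port,
# so treat the port as one signal, not the only one.
DEMONBOT_DEFAULT_C2_PORT = 6982

# Assumed address range of the Hadoop cluster (constructed for this example).
HADOOP_CLUSTER = ipaddress.ip_network("10.20.0.0/16")

# Constructed connection records, one per line:
# <unix_ts> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
SAMPLE_CONN_LOG = """\
1540000001 10.20.1.11 48122 203.0.113.40 6982 tcp
1540000002 10.20.1.11 48123 93.184.216.34 443 tcp
1540000003 10.20.1.12 51200 203.0.113.40 6982 tcp
1540000004 10.20.1.13 50011 203.0.113.40 6982 tcp
1540000005 10.20.1.14 33000 10.20.1.1 8088 tcp
1540000006 10.20.1.15 40400 198.51.100.7 6982 udp
1540000007 10.20.1.16 40401 10.20.1.99 6982 tcp
"""


def parse_conn_log(text):
    """Parse the whitespace-separated records above; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            records.append({
                "ts": int(ts),
                "src": ipaddress.ip_address(src),
                "sport": int(sport),
                "dst": ipaddress.ip_address(dst),
                "dport": int(dport),
                "proto": proto.lower(),
            })
        except ValueError:
            continue
    return records


def find_c2_candidates(records, cluster=HADOOP_CLUSTER, port=DEMONBOT_DEFAULT_C2_PORT):
    """Map each destination contacted on the C&C port to the cluster hosts that reached it.

    Only TCP counts (the bot's channel is plain-text TCP), only cluster hosts
    are considered sources, and cluster-internal traffic is ignored so that
    legitimate Hadoop services on a coincidentally matching port do not fire.
    """
    hits = defaultdict(set)
    for r in records:
        if r["proto"] != "tcp" or r["dport"] != port:
            continue
        if r["src"] not in cluster or r["dst"] in cluster:
            continue
        hits[str(r["dst"])].add(str(r["src"]))
    return {dst: sorted(srcs) for dst, srcs in hits.items()}


def rank_by_fanin(candidates):
    """Order candidate C&C addresses by how many distinct cluster hosts reached them.

    Several nodes talking to the same external host on the same odd port is the
    pattern a shared, hardcoded C&C produces; a single node is far weaker evidence.
    """
    return sorted(((dst, len(srcs)) for dst, srcs in candidates.items()),
                  key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    found = find_c2_candidates(parse_conn_log(SAMPLE_CONN_LOG))
    for dst, count in rank_by_fanin(found):
        print(f"{dst}: {count} cluster host(s) -> {found[dst]}")
```

On the sample data only `203.0.113.40` survives the filters: the UDP record is dropped because the bot speaks TCP, and the two cluster-internal connections are dropped so that in-cluster services do not trigger alerts. Because the port is only a default, the same fan-in logic is worth running for any unusual external port that more than a couple of cluster nodes share.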

The operator can send the bot commands to launch DDoS attacks such as UDP with a random payload, TCP, UDP with a fixed payload, or the sequential execution of STD attack, followed by TCP, followed by UDP. The bot can also be instructed to make a TCP connection to a specified IP and port each second until the attack is over, or to completely stop the attack.

“If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP,” Radware said. 

The attacker can also include a <spoofit> argument in the attack command, which works as a netmask, spoofing the bot’s source IP if the spoofit number is set to less than 32.


Written by Ionut Arghire, an international correspondent for SecurityWeek.
