
‘DemonBot’ Botnet Targets Hadoop Servers

A newly discovered botnet is targeting Hadoop clusters in an attempt to leverage their computing power to launch distributed denial of service (DDoS) attacks. 

The operation, Radware security researchers have discovered, targets an unauthenticated remote command execution in Hadoop YARN (Yet Another Resource Negotiator). Proof-of-concept for the flaw was first published in March this year.
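The article does not say which configuration leaves YARN open; the added example below (mine, not Radware's or the Hadoop project's) assumes the generally documented condition: a ResourceManager running with Hadoop's default `simple` authentication and its web/REST endpoint reachable on every interface, so that anyone who can reach the port can submit work. It parses `core-site.xml` and `yarn-site.xml` fragments (constructed samples, embedded inline) and reports settings that match that condition. The property names are real Hadoop settings; the defaults assumed when a property is absent are Hadoop's documented defaults.

```python
"""Audit Hadoop core-site.xml / yarn-site.xml for settings that leave the YARN
ResourceManager reachable by unauthenticated callers (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample: a cluster left at Hadoop's defaults (not a real configuration).
CORE_SITE_WEAK = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
</configuration>"""

YARN_SITE_WEAK = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""

# Constructed sample: Kerberos on RPC and HTTP, web endpoint bound to one internal address.
CORE_SITE_HARDENED = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

YARN_SITE_HARDENED = """<configuration>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.20.1.10:8088</value></property>
</configuration>"""


def parse_hadoop_xml(text):
    """Return {property name: value} from a Hadoop-style <configuration> document."""
    root = ET.fromstring(text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit(core_site_xml, yarn_site_xml):
    """Return a list of findings; an empty list means none of the weak settings were seen."""
    core = parse_hadoop_xml(core_site_xml)
    yarn = parse_hadoop_xml(yarn_site_xml)
    findings = []

    # Hadoop default is "simple": RPC callers are trusted on the username they present.
    if core.get("hadoop.security.authentication", "simple") != "kerberos":
        findings.append("hadoop.security.authentication is not kerberos")

    # Hadoop default is "simple": the web/REST endpoints accept unauthenticated requests.
    if core.get("hadoop.http.authentication.type", "simple") == "simple":
        findings.append("hadoop.http.authentication.type is simple")

    # Default is ${yarn.resourcemanager.hostname}:8088 with hostname 0.0.0.0, i.e. all interfaces.
    addr = yarn.get("yarn.resourcemanager.webapp.address", "0.0.0.0:8088")
    host = addr.rsplit(":", 1)[0].strip("[]")
    if host in ("", "0.0.0.0", "::"):
        findings.append("yarn.resourcemanager.webapp.address binds to all interfaces")

    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", CORE_SITE_WEAK, YARN_SITE_WEAK),
                              ("hardened", CORE_SITE_HARDENED, YARN_SITE_HARDENED)):
        print(label, audit(core, yarn) or "no findings")
```

A bind to all interfaces is only a finding in combination with simple authentication and a lack of network filtering in front of the port; the check reports it so the operator can confirm the filtering exists rather than assume it.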

Dubbed DemonBot, the malware doesn’t employ worm-like capabilities, meaning that it only infects central servers. At the moment, there are over 70 active exploit servers spreading the threat and targeting systems at an aggregated rate of over 1 million exploits per day, Radware says. 

The malware’s binary, the security researchers discovered, is compatible with most known Internet of Things (IoT) devices, but the bot was not seen targeting IoT until now.

During their investigation, the Radware researchers discovered that the malware author had actually published the source code for the botnet on pastebin at the end of September. The code for the command and control (C&C) server and the Python build script for the multi-platform bots were also discovered. 

The C&C server provides two services, one that allows bots to register and listen for new commands from the server, and a remote access CLI so that admins and potential ‘customers’ can control the botnet. Credentials for remote users are stored in a plain text file. 

Upon execution, the DemonBot malware connects to the C&C server (hardcoded with IP and port) and starts listening to commands. By default, it uses port 6982, while the connection is plain text TCP.

The bot sends the server information on the infected system: its public IP address, a port number (22 or 23, depending on whether Python or Perl and telnetd are available on the server), whether a Python or Perl interpreter is available on the device, the server's architecture, and its operating system. 
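Because the registration traffic is plain TCP to a hardcoded server on port 6982 by default, the check-in is visible in flow or connection logs. The added example below (mine, not from the article or Radware) runs over constructed flow records and flags two things: cluster nodes opening outbound TCP connections to the default C&C port, and external hosts reaching the YARN ResourceManager web port. The cluster address range, the sample flows and the 8088 ResourceManager port are assumptions (8088 is Hadoop's default, not something the article states), and the C&C port is only the malware's default, so the rule is a starting point rather than a complete signature.

```python
"""Flag DemonBot-style C&C check-ins and external YARN access in flow logs (added example)."""
import ipaddress
from collections import Counter

DEMONBOT_DEFAULT_C2_PORT = 6982   # default C&C port reported in the article
YARN_RM_WEB_PORT = 8088           # Hadoop ResourceManager web default; assumption, not from the article
CLUSTER_NET = ipaddress.ip_network("10.20.0.0/16")  # constructed cluster range

# Constructed flow records: timestamp, source, destination, destination port, protocol.
SAMPLE_FLOWS = """\
2018-10-25T10:00:01Z 198.51.100.7 10.20.1.10 8088 tcp
2018-10-25T10:00:03Z 10.20.1.10 203.0.113.44 6982 tcp
2018-10-25T10:00:04Z 10.20.1.10 10.20.1.11 8088 tcp
2018-10-25T10:00:05Z 10.20.1.12 203.0.113.44 6982 tcp
2018-10-25T10:01:00Z 10.20.1.10 93.184.216.34 443 tcp
"""


def parse_flow(line):
    """Split one whitespace-separated flow record into typed fields."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "dport": int(dport), "proto": proto.lower()}


def classify(flow):
    """Return an alert tag for a suspicious flow, or None for an unremarkable one."""
    src_internal = flow["src"] in CLUSTER_NET
    dst_internal = flow["dst"] in CLUSTER_NET
    # A cluster node calling out to the bot's default C&C port: possible registration beacon.
    if src_internal and not dst_internal and flow["proto"] == "tcp" \
            and flow["dport"] == DEMONBOT_DEFAULT_C2_PORT:
        return "c2-beacon"
    # An outside host reaching the ResourceManager web port: the exposure the bot exploits.
    if not src_internal and dst_internal and flow["dport"] == YARN_RM_WEB_PORT:
        return "external-yarn-access"
    return None


def detect(text):
    """Run classify() over every record; return (tag, src, dst, dport) tuples in log order."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        tag = classify(flow)
        if tag:
            alerts.append((tag, str(flow["src"]), str(flow["dst"]), flow["dport"]))
    return alerts


def suspected_c2_servers(alerts):
    """Count distinct internal hosts beaconing to each external destination."""
    pairs = {(src, dst) for tag, src, dst, _ in alerts if tag == "c2-beacon"}
    return dict(Counter(dst for _, dst in pairs))


if __name__ == "__main__":
    found = detect(SAMPLE_FLOWS)
    for alert in found:
        print(alert)
    print("suspected C&C servers:", suspected_c2_servers(found))
```

Counting distinct internal sources per destination matters because a single stray connection to port 6982 could be anything, whereas several cluster nodes all checking in to the same outside address is the pattern of a shared hardcoded server.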

The operator can send the bot commands to launch DDoS attacks such as UDP with a random payload, TCP, UDP with a fixed payload, or the sequential execution of STD attack, followed by TCP, followed by UDP. The bot can also be instructed to make a TCP connection to a specified IP and port each second until the attack is over, or to completely stop the attack.

“If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP,” Radware said. 

The attacker can also include a <spoofit> argument in the attack command, which works as a netmask, spoofing the bot’s source IP if the spoofit number is set to less than 32.

Related: New Virobot Ransomware and Botnet Emerges

Related: DDoS-Capable IoT Botnet ‘Chalubo’ Rises

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
