Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

‘DemonBot’ Botnet Targets Hadoop Servers

A newly discovered botnet is targeting Hadoop clusters in an attempt to leverage their computing power to launch distributed denial of service (DDoS) attacks. 

A newly discovered botnet is targeting Hadoop clusters in an attempt to leverage their computing power to launch distributed denial of service (DDoS) attacks. 

The operation, Radware security researchers have discovered, targets an unauthenticated remote command execution in Hadoop YARN (Yet Another Resource Negotiator). Proof-of-concept for the flaw was first published in March this year.

Dubbed DemonBot, the malware doesn’t employ worm-like capabilities, meaning that it only infects central servers. At the moment, there are over 70 active exploit servers spreading the threat and targeting systems at an aggregated rate of over 1 million exploits per day, Radware says. 

The malware’s binary, the security researchers discovered, is compatible with most known Internet of Things (IoT) devices, but the bot was not seen targeting IoT until now.

During their investigation, the Radware researchers discovered that the malware author had actually published the source code for the botnet on pastebin at the end of September. The code for the command and control (C&C) server and the Python build script for the multi-platform bots were also discovered. 

The C&C server provides two services, one that allows bots to register and listen for new commands from the server, and a remote access CLI so that admins and potential ‘customers’ can control the botnet. Credentials for remote users are stored in a plain text file. 

Upon execution, the DemonBot malware connects to the C&C server (hardcoded with IP and port) and starts listening to commands. By default, it uses port 6982, while the connection is plain text TCP.

The threat sends to the server information on the infected system, including the public IP address, port number (22 or 23, depending on the availability of Python or Perl and telnetd on the server), information on the availability of a Python or Perl interpreter on the device server, the architecture of the server, and operating system. 

Advertisement. Scroll to continue reading.

The operator can send the bot commands to launch DDoS attacks such as UDP with a random payload, TCP, UDP with a fixed payload, or the sequential execution of STD attack, followed by TCP, followed by UDP. The bot can also be instructed to make a TCP connection to a specified IP and port each second until the attack is over, or to completely stop the attack.

“If multiple IPs are passed in the argument in a comma-separated list, an individual attack process is forked for each IP,” Radware said. 

The attacker can also include a <spoofit> argument in the attack command, which works as a netmask, spoofing the bot’s source IP if the spoofit number is set to less than 32.

Related: New Virobot Ransomware and Botnet Emerges

Related: DDoS-Capable IoT Botnet ‘Chalubo’ Rises

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Don’t miss this Live Attack demonstration to learn how hackers operate and gain the knowledge to strengthen your defenses.

Register

Join us as we share best practices for uncovering risks and determining next steps when vetting external resources, implementing solutions, and procuring post-installation support.

Register

People on the Move

SSH Communications Security has appointed Pauli Haikonen as the company’s Chief Information Security Officer (CISO).

Cloud and container security firm Sysdig has tapped William Welch as CEO on its path to an IPO.

Dave Scher has been promoted to Deputy Chief Information Officer at MITRE.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.