from the tricky dept.
Meet dark_nexus, quite possibly the most potent IoT botnet ever:
A newly discovered botnet that preys on home routers, video recorders, and other network-connected devices is one of the most advanced Internet-of-things platforms ever seen, researchers said on Wednesday. Its list of advanced features includes the ability to disguise malicious traffic as benign, maintain persistence, and infect devices that run on at least 12 different CPUs[*].
Researchers from antivirus provider Bitdefender described the so-called dark_nexus as a "new IoT botnet packing new features and capabilities that put to shame most IoT botnets and malware that we've seen." In the three months that Bitdefender has tracked it, dark_nexus has undergone 30 version updates, as its developer has steadily added more features and capabilities.
The malware has infected at least 1,372 devices, which include video recorders, thermal cameras, and home and small office routers made by Dasan, Zhone, Dlink, and ASUS. Researchers expect more device models to be affected as dark_nexus development continues.
[...] The botnet has propagated both by guessing common administrator passwords and exploiting security vulnerabilities. Another feature that increases the number of infected devices is its ability to target systems that run on a wide range of CPUs[*].
[...] Bitdefender's report said that while the dark_nexus propagation modules contain code targeting ARC and Motorola RCE architectures, researchers have so far been unable to find malware samples compiled for these architectures.
[*] The executables are all statically linked and stripped. Except for x86 which has a 64-bit executable, all others are 32-bit. The targeted architectures are: arm5, arm6, arm7, mpsl, mips, i586, x86, spc, m68k, ppc, arc, sh4, rce. The researchers have examined samples of all of these except for arc and rce.
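The footnote's three observations (statically linked, stripped, and built for a long list of architectures) are exactly the properties a defender would check first when triaging an unknown binary pulled off a router. The following Python script is an added example, not code from the article or from Bitdefender: it reads the ELF header, maps `e_machine` to the architecture families named above (the numeric values are the standard ELF `e_machine` registry values), and reports whether the file carries a dynamic loader or a symbol table. The two sample binaries are constructed inline from packed headers, so the script runs offline; the `looks_like_iot_payload` heuristic is a hypothetical triage rule, and the comment in it notes why it must not be treated as a verdict on its own.

```python
import struct

# ELF e_machine values from the ELF specification, limited to the families the
# footnote lists: arm*, mips/mpsl, i586/x86, spc (sparc), m68k, ppc, arc, sh4, rce.
EM_NAMES = {
    2: "sparc", 3: "i386", 4: "m68k", 8: "mips", 20: "ppc", 39: "rce",
    40: "arm", 42: "sh", 45: "arc", 62: "x86_64",
}
PT_DYNAMIC, PT_INTERP = 2, 3   # program header types that imply dynamic linking
SHT_SYMTAB = 2                 # section type that a stripped binary lacks


def parse_elf(blob: bytes) -> dict:
    """Return architecture, word size, endianness, and static/stripped flags for an ELF image."""
    if blob[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    is64 = blob[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if blob[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    (_, machine, _, _, phoff, shoff, _, _,
     phentsize, phnum, shentsize, shnum, _) = struct.unpack_from(endian + fmt, blob, 16)
    # p_type is the first field of every program header; sh_type is at offset 4 of every section header.
    ptypes = {struct.unpack_from(endian + "I", blob, phoff + i * phentsize)[0] for i in range(phnum)}
    shtypes = {struct.unpack_from(endian + "I", blob, shoff + i * shentsize + 4)[0] for i in range(shnum)}
    return {
        "arch": EM_NAMES.get(machine, f"unknown({machine})"),
        "bits": 64 if is64 else 32,
        "endian": "little" if endian == "<" else "big",
        "static": not (ptypes & {PT_DYNAMIC, PT_INTERP}),
        "stripped": SHT_SYMTAB not in shtypes,   # also true when the section table is gone entirely
    }


def looks_like_iot_payload(info: dict) -> bool:
    """Hypothetical triage heuristic matching the footnote's profile.

    Caveat: BusyBox and most legitimate firmware binaries are also static and
    stripped, so a hit here only means 'worth a closer look', never 'malware'.
    """
    return info["static"] and info["stripped"] and not info["arch"].startswith("unknown")


def build_sample(*, is64: bool, little: bool, machine: int, phtypes: list, shtypes: list) -> bytes:
    """Construct a minimal ELF image (header + program headers + section headers) for testing."""
    endian = "<" if little else ">"
    ehsize, phentsize, shentsize = (64, 56, 64) if is64 else (52, 32, 40)
    phoff = ehsize
    shoff = phoff + phentsize * len(phtypes)
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1 if little else 2, 1]) + bytes(9)
    fmt = "HHIQQQIHHHHHH" if is64 else "HHIIIIIHHHHHH"
    hdr = ident + struct.pack(endian + fmt, 2, machine, 1, 0, phoff, shoff, 0,
                              ehsize, phentsize, len(phtypes), shentsize, len(shtypes), 0)
    phdrs = b"".join(struct.pack(endian + "I", t).ljust(phentsize, b"\0") for t in phtypes)
    shdrs = b"".join((bytes(4) + struct.pack(endian + "I", t)).ljust(shentsize, b"\0") for t in shtypes)
    return hdr + phdrs + shdrs


# Constructed samples: a big-endian 32-bit MIPS image with one PT_LOAD and no symbol
# table (the profile in the footnote), and a 64-bit x86 image with an interpreter,
# a dynamic segment and a .symtab (a typical desktop build).
SAMPLE_MIPS_BE = build_sample(is64=False, little=False, machine=8, phtypes=[1], shtypes=[0, 1, 3])
SAMPLE_X86_64 = build_sample(is64=True, little=True, machine=62, phtypes=[3, 1, 2], shtypes=[0, 1, 2, 3])

if __name__ == "__main__":
    for name, blob in (("mips-be", SAMPLE_MIPS_BE), ("x86_64", SAMPLE_X86_64)):
        info = parse_elf(blob)
        print(name, info, "-> review" if looks_like_iot_payload(info) else "-> ordinary")
```

Run against a directory of recovered samples, the `arch`/`bits` fields give the same per-architecture inventory the researchers built (32-bit everywhere except x86_64), while the `static`/`stripped` flags separate candidates for deeper analysis from ordinary dynamically linked binaries.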
(Score: 0) by Anonymous Coward on Sunday April 12, @04:23PM (1 child)
Find the C&C and nuke it!
(Score: 0) by Anonymous Coward on Sunday April 12, @05:06PM
Too late, C&C* folded in 1993,
https://www.jstor.org/stable/41178982?seq=1 [jstor.org]
* Christianity and Crisis magazine, "one of the foremost liberal Protestant journals of opinion..."
(Score: 0) by Anonymous Coward on Sunday April 12, @04:55PM
YARA [github.io] "is a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples. With YARA you can create descriptions of malware families (or whatever you want to describe) based on textual or binary patterns. Each description, a.k.a rule, consists of a set of strings and a boolean expression which determine its logic."