14,000 Routers Are Infected by Malware That's Highly Resistant to Takedowns

by hubie, from SoylentNews (#747YA)

Arthur T Knackerbracket writes:

Most of the devices are made by Asus and are located in the US:

Researchers say they have uncovered a takedown-resistant botnet of 14,000 routers and other network devices, primarily made by Asus, that have been conscripted into a proxy network that anonymously carries traffic used for cybercrime.

The malware, dubbed KadNap, takes hold by exploiting vulnerabilities that have gone unpatched by their owners, Chris Formosa, a researcher at security firm Lumen's Black Lotus Labs, told Ars. The high concentration of Asus routers is likely due to botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it's unlikely that the attackers are using any zero-days in the operation.

The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. One of the most salient features of KadNap is a sophisticated peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to conceal the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and takedowns through traditional methods.

"The KadNap botnet stands out among others that support anonymous proxies in its use of a peer-to-peer network for decentralized control," Formosa and fellow Black Lotus researcher Steve Rudd wrote Wednesday. "Their intention is clear: avoid detection and make it difficult for defenders to protect against."

[...] Kademlia uses a 160-bit space to designate (1) keys, which are unique bitstrings derived by hashing a chunk of data, and (2) node IDs, both of which are assigned to each node. Nodes then store the keys of other nodes. The stored keys are organized by their similarity to the ID of the node storing them. Proximity is measured by XOR distance, a mathematical means of mapping a network. When a node polls another node, it uses this metric to locate other nodes with the closest distance to the key it's looking for until it finally finds a match. KadNap, a variant of Kademlia, obtains the key to be searched through a BitTorrent node.
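To make the XOR-distance lookup described above concrete, here is a small Kademlia-style simulation added to this summary (it is not code from Black Lotus Labs, Ars, or the botnet): each peer keeps buckets of known peers grouped by XOR distance, and a lookup keeps asking the closest peers it knows for closer ones until it converges on the node nearest the key, with no central server anywhere in the process. It assumes SHA-1 as the hash, a toy bucket size of 3 and a first-seen bucket policy, all simplifications of real Kademlia.

```python
import hashlib
import heapq

K = 3  # peers kept per bucket and returned per query (real Kademlia uses k=20)

def kad_id(data: bytes) -> int:
    """Keys and node IDs are both 160-bit hashes of some data (SHA-1 assumed here)."""
    return int.from_bytes(hashlib.sha1(data).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR the two IDs and read the result as an integer."""
    return a ^ b

class Node:
    def __init__(self, label: str):
        self.id = kad_id(label.encode())
        self.buckets = {}  # bucket i: up to K peers whose distance from us has top bit i

    def learn(self, peer_id: int) -> None:
        i = xor_distance(self.id, peer_id).bit_length() - 1
        bucket = self.buckets.setdefault(i, [])
        if len(bucket) < K and peer_id not in bucket:
            bucket.append(peer_id)  # simplified policy: first seen wins

    def find_node(self, key: int) -> list:
        """Answer a FIND_NODE query with the K known peers closest to key."""
        known = [p for b in self.buckets.values() for p in b]
        return heapq.nsmallest(K, known, key=lambda p: xor_distance(p, key))

def iterative_lookup(network: dict, start: Node, key: int):
    """Query ever-closer peers until none returns anything nearer; returns (closest IDs, peers queried)."""
    queried = {start.id}
    shortlist = heapq.nsmallest(K, start.find_node(key) + [start.id], key=lambda p: xor_distance(p, key))
    while True:
        pending = [p for p in shortlist if p not in queried]
        if not pending:
            return shortlist, len(queried)
        for p in pending:
            queried.add(p)
            merged = set(shortlist) | set(network[p].find_node(key))
            shortlist = heapq.nsmallest(K, merged, key=lambda q: xor_distance(q, key))

def build_network(n: int) -> dict:
    """Constructed toy overlay: n peers that each fill their buckets from the others."""
    nodes = [Node(f"peer-{i}") for i in range(n)]
    for a in nodes:
        for b in nodes:
            if a is not b:
                a.learn(b.id)
    return {nd.id: nd for nd in nodes}
```

Because each queried peer only ever returns the closest peers it knows, the lookup touches a handful of nodes out of the whole overlay and never needs a fixed rendezvous address, which is what makes blocking a single server ineffective against this design.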
