Vulnerable Linux Webmin servers are under active attack by a newly-discovered peer-to-peer (P2P) botnet, dubbed Roboto by researchers.
The botnet is targeting a remote code-execution vulnerability (CVE-2019-15107) in Webmin, a web-based system configuration tool for Linux servers. CVE-2019-15107 was previously patched on Aug. 17 and can be mitigated by updating to Webmin 1.930, said researchers with NetLab 360.
“We recommend that Webmin users take a look whether they are infected by checking the process, file name and UDP [User Datagram Protocol] network connection,” said NetLab 360 researchers in a Wednesday analysis. “We recommend that Roboto botnet-related IP, URL and domain names to be monitored and blocked.”
Researchers first came across Roboto on Aug. 26, and have been tracking it for the past three months. It is unknown how many Linux Webmin servers are being targeted; Threatpost has reached out to NetLab 360 for further information. However, the attack surface could potentially be massive: Webmin says that it has over a million installations worldwide and according to Shodan, 232,000 servers are currently vulnerable.
Mr. Roboto
The Roboto botnet mainly supports seven functions: reverse shell (allowing attackers to execute commands on infected bots) and self-uninstall capabilities; as well as the ability to gather process network information, gather bot information, execute system commands, run encrypted files specified in URLs and launch distributed denial-of-service (DDoS) attacks.
However, Roboto’s main goals remain unknown at this point, researchers said: “Roboto botnet has DDoS functionality, but it seems DDoS is not its main goal. We have yet to capture a single DDoS attack command since it showed up on our radar. We are still yet to learn its true purpose.”
After Roboto targeted their honeypot, researchers were able to further analyze the botnet’s associated downloader and bot modules, as well as vulnerability-scanning modules and its P2P control module. Post-infection, the botnet collects further information (including a list of processes running, and network information) about the infected bot.
Rare P2P Botnet
As a peer-to-peer (P2) botnet, Roboto operates without a command-and-control (C2) server. P2P botnets – including Hajime and Joanap – make it trickier for researchers or authorities to target them as there’s no centralized domains or servers to track.
P2P botnets instead create a decentralized networks of infected devices, or “bots,” which talk to one another rather than a central server, typically employing custom protocols for communication that must be decrypted before they can be analyzed.
Upon further investigation, researchers found that Roboto uses such a P2P communication protocol between various infected bots. “The length of the request packet is a fixed 69 bytes, the data is not encrypted, and the content is the public key of the target peer and the public key of the bot,” researchers said. “After receiving the bot request packet, peer establishes a connection with the bot if it is consistent with its own public key, and then calculates the SharedKey through the public key.”
Roboto also uses algorithms like Curve25519, Ed25519, TEA, SHA256 and HMAC-SHA256 for communication. These algorithms allow Roboto to “ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control,” researchers said.
It’s not the first time that Linux servers have been targeted by botnets. Muhstik, for instance, which has been around since March 2018 and has wormlike self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.
Is MFA enough to protect modern enterprises in the peak era of data breaches? How can you truly secure consumer accounts? Prevent account takeover? Find out: Catch our free, on-demand Threatpost webinar, “Trends in Fortune 1000 Breach Exposure” to hear advice from breach expert Chip Witt of SpyCloud. Click here to register.