Cereals botnet Archives – Gridinsoft Blog
https://gridinsoft.com/blogs/tag/cereals-botnet/

IPStorm botnet now attacks Android, macOS and Linux devices
https://gridinsoft.com/blogs/ipstorm-botnet-now-attacks-android-macos-and-linux-devices/
Thu, 01 Oct 2020 16:39:01 +0000

Anomali specialists first noticed IPStorm in June 2019, when it attacked only Windows machines. Now it has begun to attack devices running Android, macOS and Linux.

Previously, the botnet included about 3,000 infected systems, but even then the researchers discovered several strange and interesting features that were unique to IPStorm.

For example, the full name of the malware, InterPlanetary Storm, comes from the InterPlanetary File System (IPFS), a P2P protocol that the malware used to communicate with infected systems and transmit commands.

“In addition, IPStorm was written in the Go language, and although no one is surprised by malware in this language today, in 2019 this was not so widespread, which made IPStorm a rather exotic and interesting piece of malware”, said Anomali researchers.

Interestingly, Anomali’s 2019 report did not explain how the malware spreads. At that time, some researchers hoped that IPStorm would turn out to be someone’s experiment with IPFS and would not be developed further.

Unfortunately, these hopes did not come true.

Recent reports published by Bitdefender and Barracuda describe new versions of IPStorm that can infect devices running Android, macOS and Linux. The experts also figured out how the botnet spreads, refuting the theory that it was just someone’s experiment. Even worse, the number of infected machines has already grown to 13,500 hosts.

“The botnet attacks and infects Android devices by scanning the Internet for devices with an open ADB (Android Debug Bridge) port. In turn, devices running Linux and macOS are compromised through dictionary attacks on SSH, that is, attackers simply brute-force a username and password”, the researchers report.

After IPStorm infiltrates a device, the malware checks for honeypot software, establishes persistence on the system, and then kills a number of processes that could pose a threat to its operation.

Although the botnet has been active for over a year, researchers still have not figured out what the ultimate goal of IPStorm’s operators is. The fact is that IPStorm installs a reverse shell on every infected device, but then leaves the systems alone.

In theory, this backdoor can be used in many ways, but so far IPStorm operators do not use it at all, although they could install miners on infected devices, use them as proxies, organize DDoS attacks, or simply sell access to infected systems.

I love botnets and I am happy to talk about them, for example about the Prometheus botnet or the Dracula propaganda botnet, but the coolest is still the Cereals botnet, which for eight years existed for only one purpose: it downloaded anime.

For eight years, the Cereals botnet existed for only one purpose: it downloaded anime
https://gridinsoft.com/blogs/for-eight-years-the-cereals-botnet-existed-for-only-one-purpose-it-downloaded-anime/
Fri, 08 May 2020 16:08:11 +0000

The Cereals IoT botnet appeared in 2012, and reached its peak in 2015, when there were about 10,000 infected devices. All these eight years, the Cereals botnet only downloaded anime for its creator.

Throughout this time, Cereals exploited only one vulnerability, attacking D-Link NAS and NVR devices and combining them into a botnet.

For many years, the botnet eluded the attention of information security professionals, and now it has almost ceased to exist.

“The fact is that the vulnerable D-Link devices on which Cereals parasitized began to become obsolete and fail, that is, there are fewer and fewer of them. In addition, the Cr1ptT0r ransomware, which destroyed competing malware on infected devices and removed the Cereals malware from many D-Link devices in the winter of 2019, accelerated the decay of the botnet”, say Forcepoint researchers.

Now, as the botnet and the vulnerable devices it exploited are disappearing, Forcepoint experts decided to publish a report on the activities of the malware, since they no longer need to fear that the study will draw the attention of other criminals to vulnerable devices and provoke the emergence of new botnets.

The Cereals botnet downloaded anime

Experts write that Cereals can be called a unique phenomenon, since the botnet used only one vulnerability throughout all eight years of its “life”.

This vulnerability was related to the SMS notification feature present in the D-Link NAS and NVR firmware. The bug allowed the creator of Cereals to send malicious HTTP requests to the embedded web servers of vulnerable devices and execute commands with root privileges. In this way, the botnet operator infected the devices with his malware.

“The botnet was very advanced in its functionality. If the attack succeeded, Cereals maintained up to four active backdoors on the devices, tried to patch the attacked devices so that other attackers could not compromise them, and distributed the bots across 12 small subnets”, say the researchers.

However, all these efforts were, in fact, a waste of time. Forcepoint analysts believe that Cereals was someone’s hobby or a project created as a joke (the author of the malware is assumed to be named Stefan and to live in Germany).

The fact is that the botnet did not engage in DDoS attacks, did not try to attack any devices other than those mentioned above, and did not try to access user data stored on infected devices. Instead, all these years Cereals just methodically downloaded anime.

However, this is the cutest botnet I have talked about on this blog; others are mostly not like that. For example, read an article about the Hoaxcalls botnet, which attacks Grandstream devices.
