Initially detected in March, the botnet now targets more than a dozen processor architectures, and its easy availability on GitHub is adding to the threat
EnemyBot, a botnet made up of code from various malware, is rapidly expanding its reach to include enterprise grade flaws by adding exploits for recently discovered serious flaws in content management systems, web servers, IoT, and Android devices.
The botnet was first detected in March by researchers at Securonix, a company working on next-generation Security Information and Event Management (SIEM), and the latest analysis, released by Fortinet, indicates that the malware now targets over a dozen processor architectures. EnemyBot's primary purpose is to perform distributed denial-of-service (DDoS) attacks; it also includes modules that scan for and infect new target devices.
What is worse is that the EnemyBot core source code is available on GitHub, which means any miscreant can obtain the malware easily and start crafting customized variants of their own.
Meanwhile, an analysis published by AT&T Alien Labs claims the latest EnemyBot version has exploits for 24 flaws, most of which are critical; a few do not even have a CVE number, which makes it tougher to create defenses. Most of these weaknesses are connected to routers and some IoT devices.
Who’s behind this malware?
A group of rogue developers who go under the name Keksec are reportedly the architects of EnemyBot. This group has launched several Linux and Windows-based bots since 2016 that are capable of launching DDoS attacks and possibly also mining cryptocurrency.
Securonix wrote about EnemyBot in March, while Fortinet researchers claimed new strains were found that abused known bugs in routers from vendors such as Netgear, D-Link and Zyxel. The latest threat analysis from AT&T claims that newer exploits in the botnet could abuse more than a dozen vulnerabilities in VMware Workspace ONE Access, WordPress and Android devices.
In fact, Ofer Caspi, a security researcher at Alien Labs, claimed in a blog post that the Keksec group is well-resourced, with the ability to upgrade and add new capabilities to its arsenal of malware on a daily basis.
“Most of EnemyBot's functionality relates to the malware’s spreading capabilities, as well as its ability to scan public-facing assets and look for vulnerable devices. However, the malware also has DDoS capabilities and can receive commands to download and execute new code (modules) from its operators that give the malware more functionality,” the researcher said.
For its part, Alien Labs has recommended that enterprises reduce the exposure of their Linux servers and IoT devices to the internet and use adequately configured firewalls, in addition to enabling automatic updates and closely monitoring network traffic.