
Researchers say they have discovered a hack-resistant botnet of 14,000 routers and other network devices, mostly made by Asus, involved in a proxy network that anonymously carries traffic used for cybercrime.
Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars that the malware, called KadNap, takes hold by exploiting vulnerabilities that its owners have patched. The high concentration of Asus routers is likely due to the botnet operators obtaining reliable exploits for vulnerabilities affecting those models. He said the attackers are unlikely to use any zero-days in the operation.
A botnet that stands out from the crowd
The number of infected routers averages about 14,000 per day, up from 10,000 when Black Lotus discovered the botnet last August. The infected devices are located in the United States, with smaller populations in Taiwan, Hong Kong and Russia. One of the most prominent features of KadNap is its sophisticated peer-to-peer design, based on Kademlia, a network structure that uses distributed hash tables to hide the IP addresses of command-and-control servers. The design makes the botnet resistant to detection and removal by traditional methods.
“The KadNap botnet stands out among others in its use of a peer-to-peer network that supports anonymous proxies for decentralized control,” Formosa and Black Lotus researcher Steve Rudd wrote Wednesday. “Their intention is clear: to avoid detection and make it difficult for the defenders to defend themselves.”
Distributed hash tables have long been used to create enhanced peer-to-peer networks, notably BitTorrent and the InterPlanetary File System. Instead of having one or more centralized servers that directly manage nodes and provide them with the IP addresses of other nodes, DHTs allow any node to query other nodes for the device or server it is looking for. The decentralized structure and the replacement of IP addresses with hashes give the network resilience against overrides or denial-of-service attacks.





