Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.
Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.
The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.
JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.
“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:
- CVE-2014-8361 “Realtek SDK Miniigd UPnP SOAP Command Execution” vulnerability and related exploit.
- CVE-2017–17215 “Huawei Router HG532 – Arbitrary Command Execution” vulnerability and related exploit.” states Radware in a blog post.
“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”
JenX also implemented some techniques used by the recently discovered PureMasuta botnet.
The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.
JenX is a DDoS botnet, the DDoS option offered by San Calvicie is called “Corriente Divina.”
The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.
“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”
Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.
“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.
The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.
Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.
“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.