Researchers have discovered a peer-to-peer (P2P) botnet that affects vulnerable Linux Webmin servers. For the past three months, the botnet has been targeting Webmin servers by exploiting a remote code execution vulnerability (CVE-2019-15107) that was previously patched on Aug. 17. Webmin's developers say it has over a million installations worldwide, and according to Shodan, 232,000 servers are currently vulnerable. It is unknown, however, how many Linux Webmin servers are being targeted.
Webmin users should check the process
NetLab 360 researchers advise users: “We recommend that Webmin users take a look whether they are infected by checking the process, file name, and UDP (User Datagram Protocol) network connection. We recommend that Roboto botnet-related IP, URL, and domain names be monitored and blocked.”
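One way to triage a host along the lines of that advice, correlating UDP sockets with the owning process name and file name. This is an added example, not NetLab 360's tooling or code from the original article; the sample socket table, PIDs, names and paths are constructed, and the address decoding assumes a little-endian host.

```python
import socket
import struct

# Constructed sample in /proc/net/udp format (not captured from a real host).
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:0044 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21001 2 0000000000000000 0
  102: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 21002 2 0000000000000000 0
  103: 00000000:D431 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 21003 2 0000000000000000 0
"""

# Constructed process table: pid -> (comm, exe link target, socket inodes),
# i.e. what /proc/<pid>/comm, /proc/<pid>/exe and /proc/<pid>/fd would give.
SAMPLE_PROCS = {
    612: ("dhclient", "/usr/sbin/dhclient", {21001}),
    640: ("systemd-resolve", "/usr/lib/systemd/systemd-resolved", {21002}),
    4242: ("kworker/0:1", "/tmp/.cache/upd (deleted)", {21003}),
}


def parse_udp_table(text):
    """Return [(local_ip, local_port, inode)] from /proc/net/udp text."""
    socks = []
    for line in text.splitlines()[1:]:          # skip the header row
        f = line.split()
        if len(f) < 10:
            continue
        addr_hex, port_hex = f[1].split(":")
        # The address is a host-order hex dump of the network-order bytes.
        ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
        socks.append((ip, int(port_hex, 16), int(f[9])))
    return socks


def suspicious_udp_processes(udp_text, procs):
    """Flag UDP-owning processes whose name and file name disagree."""
    by_inode = {ino: (ip, port) for ip, port, ino in parse_udp_table(udp_text)}
    findings = []
    for pid, (comm, exe, inodes) in sorted(procs.items()):
        reasons = []
        if exe.endswith(" (deleted)"):
            reasons.append("executable deleted from disk")
        base = exe.replace(" (deleted)", "").rsplit("/", 1)[-1]
        if comm != base[:15]:                   # the kernel truncates comm to 15 chars
            reasons.append("process name does not match file name")
        for ino in sorted(by_inode.keys() & inodes):
            if reasons:
                ip, port = by_inode[ino]
                findings.append((pid, comm, f"{ip}:{port}", reasons))
    return findings


if __name__ == "__main__":
    for finding in suspicious_udp_processes(SAMPLE_PROC_NET_UDP, SAMPLE_PROCS):
        print(finding)
```

A name mismatch is a triage signal rather than proof of infection, since legitimate programs can also rename themselves; confirm any hit against the published Roboto indicators.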
Roboto's features include DDoS attacks
Once installed on a Linux operating system, the Roboto botnet supports seven functions, including: functioning as a reverse shell that lets the attacker run shell commands on the infected host; collecting system, process, and network information from the infected server; uploading the collected data to a remote server; running Linux system commands; executing a file downloaded from a remote URL; and uninstalling itself.
Although it has DDoS capability, the main goal of the botnet is still not certain, according to the researchers. Roboto’s DDoS feature could launch attacks via vectors such as ICMP, HTTP, TCP, and UDP.
P2P Botnet’s working principle
The Roboto P2P botnet operates without a command-and-control (C2) server. P2P botnets, including Hajime and Joanap, are trickier for researchers or authorities to target because there are no centralized domains or servers to track. Rather than relying on a central server, P2P botnets form a decentralized network of infected devices, or bots. Roboto also uses custom protocols for communication that must be decrypted before they can be analyzed. Curve25519, Ed25519, TEA, SHA256, and HMAC-SHA256 are some of the algorithms that Roboto uses.
Researchers said:
“These algorithms allow Roboto to ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control.”
“After receiving the bot request packet, peer establishes a connection with the bot if it is consistent with its own public key, and then calculates the SharedKey through the public key,” they added.