- Microsoft researchers have also found new evidence that Zerobot propagates by compromising devices with known vulnerabilities that are not included in the malware binary.
- Zerobot uses a combination of desktop entry, daemon, and service methods to achieve persistence on Linux-based devices.
- The latest Zerobot build adds new exploits and new DDoS attack capabilities, but there are concrete ways to protect devices from it.
The threat posed by botnet malware operations to devices and networks is continually changing. Threat actors target Internet of Things (IoT) devices because they are often deployed with default credentials and rarely patched, and because the number of internet-connected devices keeps growing. The Zerobot botnet, an example of an evolving threat, has been updated to exploit flaws in unpatched Apache servers and spreads by exploiting vulnerabilities in IoT devices.
New exploits, new capabilities
Zerobot is a continuously evolving threat: its operators keep adding new exploits and capabilities. Since Microsoft began tracking it, Zerobot has received multiple updates and is offered as part of a malware-as-a-service scheme. In December 2022, the FBI seized a number of domains linked to DDoS-for-hire services, including one connected to Zerobot.
The most recent version of Zerobot adds new DDoS attack capabilities as well as other features, including exploits for CVE-2021-42013 (path traversal leading to remote code execution in Apache HTTP Server 2.4.49 and 2.4.50) and CVE-2022-33891 (shell command injection in the Apache Spark UI).
To gain access to devices, the malware tries combinations of eight common usernames and 130 IoT device passwords over SSH and telnet on ports 23 and 2323. Microsoft researchers also observed numerous SSH and telnet connection attempts on the default ports 22 and 23, as well as attempts to open ports and connect to them by port knocking on ports 80, 8080, 8888, and 2323.
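The credential guessing and port knocking described above leave a recognisable footprint in firewall logs. The following POSIX shell script is an added example, not code from the original article or from Microsoft: it counts per-source connection attempts to the SSH/telnet ports 22, 23 and 2323 and flags any source that touches all four knock ports 80, 8080, 8888 and 2323. The log lines are constructed for the example in the netfilter (iptables LOG target) kernel-message format; the threshold of 20 attempts, the host name and the addresses are assumptions, not values from the page.

```sh
#!/bin/sh
# Added example: hunt for Zerobot-style SSH/telnet brute forcing and
# port knocking in netfilter (iptables LOG target) kernel messages.
# All log lines below are CONSTRUCTED for this example, not real captures.

# Emit a small constructed log: 25 telnet SYNs from one source, a
# four-port knock sequence from a second, one benign SSH SYN from a third.
sample_connlog() {
    i=0
    while [ "$i" -lt 25 ]; do
        i=$((i + 1))
        printf 'Dec 20 10:00:%02d host kernel: IN=eth0 OUT= SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP SPT=%d DPT=23 SYN\n' "$i" $((40000 + i))
    done
    for p in 80 8080 8888 2323; do
        printf 'Dec 20 10:01:00 host kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=%s SYN\n' "$p"
    done
    printf 'Dec 20 10:02:00 host kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=52000 DPT=22 SYN\n'
}

# zerobot_scan_connlog THRESHOLD   (reads log lines on stdin)
# Prints "bruteforce <src> <count>" for every source with >= THRESHOLD SYNs
# to ports 22/23/2323, and "portknock <src>" for every source that hit all
# of 80, 8080, 8888 and 2323. Exit status 0 if anything was flagged, else 1.
zerobot_scan_connlog() {
    threshold="${1:-20}"
    awk -v threshold="$threshold" '
    {
        src = ""; dpt = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^SRC=/) src = substr($i, 5)
            else if ($i ~ /^DPT=/) dpt = substr($i, 5)
        }
        if (src == "" || dpt == "") next
        if (dpt == "22" || dpt == "23" || dpt == "2323") login[src]++
        if (dpt == "80" || dpt == "8080" || dpt == "8888" || dpt == "2323") knock[src, dpt] = 1
    }
    END {
        for (s in login)
            if (login[s] >= threshold) { printf "bruteforce %s %d\n", s, login[s]; flagged = 1 }
        # collapse the (src, port) pairs into a per-source count of distinct knock ports
        for (k in knock) { split(k, parts, SUBSEP); knocked[parts[1]]++ }
        for (s in knocked)
            if (knocked[s] == 4) { printf "portknock %s\n", s; flagged = 1 }
        exit flagged ? 0 : 1
    }'
}

# Stand-alone run over the constructed sample.
# On a real host: journalctl -k | zerobot_scan_connlog 20
sample_connlog | zerobot_scan_connlog 20
```

The scan keys only on SRC= and DPT= fields, so it works on any LOG-prefixed rule that covers inbound SYNs to the ports in question; the order of the two output lines is whatever awk's array iteration yields.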
Used in DDoS attacks
Once it has gained access to a system, it downloads a script named zero.sh that downloads and executes Zerobot, establishes persistence, and spreads to other vulnerable internet-exposed devices. The botnet accumulates compromised devices and uses them to perform DDoS attacks over a variety of protocols. Compromised devices can also give the operators access to the networks behind them.
Zerobot uses dozens of vulnerabilities, which its operators continuously add to, in order to gain access to targets and deliver malicious payloads. Zerobot 1.1 adds exploits for several new vulnerabilities, including:
| Vulnerability | Affected software |
|---|---|
| CVE-2017-17105 | Zivif PR115-204-P-RS |
| CVE-2019-10655 | Grandstream |
| CVE-2020-25223 | WebAdmin of Sophos SG UTM |
| CVE-2021-42013 | Apache HTTP Server |
| CVE-2022-31137 | Roxy-WI |
| CVE-2022-33891 | Apache Spark |
| ZSL-2022-5717 | MiniDVBLinux |
Persistence on Linux devices
To achieve persistence on Linux-based devices, Zerobot uses a combination of desktop entry, daemon, and service methods:
Desktop entry
Zerobot copies itself to $HOME/.config/ssh.service/sshf then writes a desktop entry file called sshf.desktop to the same directory.
Older Linux versions use $HOME/.config/autostart instead of $HOME/.config/ssh.service.
Daemon
Copies itself to /usr/bin/sshf and writes a configuration at /etc/init/sshf.conf.
Service
Copies itself to /etc/sshf and writes a service configuration at /lib/system/system/sshf.service, then enables the service to make sure it starts at boot with two commands:
systemctl enable sshf
service enable sshf
Note that the second command is not the syntax service(8) expects (the service name comes before the action), so on typical distributions only the systemctl command takes effect; the unit file and its enablement symlink are the artifacts to hunt for.
All persistence mechanisms on older Linux versions use my.bin and my.bin.desktop instead of sshf and sshf.desktop.
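The file names and paths above are enough to hunt for Zerobot persistence on a live system or on a mounted disk image. The following POSIX shell function is an added example, not code from the original article or from Microsoft: it checks every artifact location the text lists, for both the sshf and the older my.bin names. The ROOT prefix argument, the return-status convention, and the additional checks of /lib/systemd/system, /etc/systemd/system and the multi-user.target.wants directory (the locations systemd actually reads units and enablement symlinks from, in case the /lib/system/system path above is a transcription of /lib/systemd/system) are my assumptions, not details from the page.

```sh
#!/bin/sh
# Added example: hunt for Zerobot's Linux persistence artifacts.
# Usage: zerobot_persistence_check [ROOT] [HOME_DIR]
#   ROOT     prefix prepended to every path, e.g. /mnt/image for a mounted
#            disk image; empty for the live system (assumption: my addition)
#   HOME_DIR absolute home directory of the user to inspect (default: $HOME)
# Prints one "INDICATOR <path>" line per hit; returns 0 if clean, 1 if any hit.
zerobot_persistence_check() {
    root="${1:-}"
    home="${2:-$HOME}"
    found=0
    # sshf / sshf.desktop in current builds, my.bin / my.bin.desktop in older ones
    for name in sshf my.bin; do
        for path in \
            "$home/.config/ssh.service/$name" \
            "$home/.config/ssh.service/$name.desktop" \
            "$home/.config/autostart/$name" \
            "$home/.config/autostart/$name.desktop" \
            "/usr/bin/$name" \
            "/etc/init/$name.conf" \
            "/etc/$name" \
            "/lib/system/system/$name.service" \
            "/lib/systemd/system/$name.service" \
            "/etc/systemd/system/$name.service" \
            "/etc/systemd/system/multi-user.target.wants/$name.service"
        do
            # -L catches a dangling enablement symlink left after the unit was removed
            if [ -e "$root$path" ] || [ -L "$root$path" ]; then
                echo "INDICATOR $root$path"
                found=1
            fi
        done
    done
    return "$found"
}

# Stand-alone run on the live system for the current user.
if zerobot_persistence_check "" "$HOME"; then
    echo "no Zerobot persistence artifacts found"
fi
```

Run it once per user home directory (the desktop-entry variant lives under $HOME), and on a live host pair it with systemctl list-unit-files to catch a unit that was renamed after enablement.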