This mysterious malware could threaten millions of routers and IoT devices

A new form of Internet of Things malware, which uses over 30 different exploits, has been spotted by security researchers.

Detailed by cybersecurity researchers at AT&T Alien Labs, BotenaGo malware can use a number of methods to attack targets then create a backdoor on compromised devices. “Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices,” said the researchers.

Some anti-virus suites detect the malware as a variant of Mirai, the IoT malware botnet which overwhelmed large sections of the internet with DDoS attacks in 2016. While the payload does initially look similar, it’s actually also significantly different because it’s written in the Go programming language. 

Go has been gaining popularity among developers in recent years – and it’s also becoming increasingly popular with malware authors. 

BotenaGo scans the internet looking for vulnerable targets, and analysis of the code reveals that the attacker is presented with a live global infection counter which tells them how many devices are compromised at any given time. 

The attackers are able to exploit the vulnerabilities in the internet-facing devices and can execute remote shell commands — and it’s something which attackers could potentially use as a gateway to the wider network, if not secured properly.  

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) 

Attackers also have the ability to use this option to distribute malicious payloads, but at the time researchers were analysing BotenaGo, these had apparently been removed from the servers hosted by the attackers, so it wasn’t possible to analyse them. 

BotenaGo could potentially compromise millions of devices that are exposed to the vulnerabilities detailed by researchers but currently there isn’t any obvious communication with a command and control server. 

According to researchers, there are three options. First, it could mean that BotenaGo is just one module of a larger malware suite that isn’t being used in attacks right now. There’s also the possibility that it’s connected to Mirai, used by those behind Mirai when targeting specific machines. Finally, researchers also suggest that BotenaGo is still in development and a beta of it has accidentally been released early – hence why it doesn’t do much yet. 

Even if it is inactive, the number of vulnerabilities BotenaGo can exploit means millions of devices are potentially vulnerable.  

In order to protect against this and other IoT malware threats, it’s recommended that software is well-maintained with security updates being applied as soon as possible in order to minimise the time for attackers to exploit newly disclosed vulnerabilities. 

It’s also recommended that IoT devices aren’t exposed to the wider internet and that a properly configured firewall is deployed to protect them.  

MORE ON CYBERSECURITY

• The IoT is getting a lot bigger, but security is still getting left behind
• IoT security: Why it will get worse before it gets better
• Don’t want to get hacked? Then avoid these three ‘exceptionally dangerous’ cybersecurity mistakes
• Ransomware: It’s only a matter of time before a smart city falls victim, and we need to take action now
• This old security vulnerability left millions of Internet of Things devices vulnerable to attacks