Skip to main content

Security firm Incapsula discovers massive botnet, spans 109 countries worldwide

According to a new report from the internet security firm Incapsula, a massive botnet spanning 109 different countries around the world has been tearing its way through SOHO (small office/home office) routers since December of last year.

Set up as a network of devices ready to respond to any DDoS operations its masters might need to launch, the spread of the infection started with the notorious “Spike” malware variant, which has since morphed into what Incapsula refers to as “MrBlack”.

Recommended Videos

MrBlack is a tool which works by first infecting the device of a user who has left their router security credentials as the default option for remote administration. We spoke about this issue briefly in the last edition of Decrypt This, wherein consumers will keep the username/password combo to get into their home router as “admin” and “password”, respectively. The botnet seeks out any routers tagged with these credentials, and after automatically accessing the hub, will infect the network and lie in wait for its next command.

“After inspecting a sample of 13,000 malware files, we saw that on average, each compromised router held four variants of MrBlack malware, as well as additional malware files, including Dofloo and Mayday, which are also used for DDoS attacks,” said the report’s author.

For now, the hardest hit by the attack are routers made by the little-known company Ubiquiti. The company is primarily concerned with providing bulk network hub solutions that ISPs can lease out to customers on a month-to-month basis, and its involvement just goes to show that as the router industry moves more toward homogeneity and away from specific innovations, the threat to our information and identities becomes greater than ever before.

Incapsula’s investigation into the source of the problem uncovered that about 85% of the devices affected by the problem reside in either Thailand or Brazil, while 21% of the command-and-control servers are located in the United States. Though there’s no hard evidence to make a connection just yet, Incapsula says there has been an increased amount of chatter in a known Anonymous hangout about the botnet, as well as rumblings on Lizard Squad’s Twitter page about a revival of their older Stresser tool.

“Based on the profile of targets and the attack patterns, we know these compromised routers are being exploited by several groups or individuals. For instance, our analysis also shows that several of these malware variants are reporting to AnonOps IRC channel, indicating that Anonymous [could be] one of the groups responsible for exploiting these under-protected devices,” read the report.

These frayed links have leads researchers to believe that even if the two groups aren’t directly involved, they’re still interested in emulating the techniques used by its true perpetrator.

We’ll be keeping a close eye on this botnet as more details about its proliferation surface, so stay tuned to Digital Trends for all the latest updates.

Chris Stobing
Former Digital Trends Contributor
Self-proclaimed geek and nerd extraordinaire, Chris Stobing is a writer and blogger from the heart of Silicon Valley. Raised…
The robot takeover comes another step closer — at Amazon
An Amazon robot working inside one of the company's warehouses.

Amazon is close to having more robots operating inside its warehouses than humans after the e-commerce giant announced this week that it now has more than a million robots working at its facilities around the world.

Over the years, Amazon has spent billions of dollars on the development and deployment of warehouse-based robots, which handle an array of tasks once performed by human workers.

Read more
This Lenovo ThinkPad laptop is over $1,400 off — hurry while stocks last!
The Lenovo ThinkPad T14 Gen 5 Intel laptop on a white background.

Now's an excellent time to take advantage of laptop deals from Lenovo, which has slashed the prices of a wide range of devices for its Black Friday in July sale. Lenovo's ThinkPad laptops are up to 45% off, and here's one of the most interesting offers available with such a discount — the Lenovo ThinkPad T14 Gen 5 at $1,440 off its estimated value of $3,199, so you'll only have to pay $1,759. That's an excellent price for this fantastic productivity tool, but you're going to have to push forward with your purchase as soon as possible because stocks may run out at any moment.

BUY NOW

Read more
Early Prime Day deal: Samsung’s 27-inch Odyssey G3 at its annual low price
Samsung Odyssey G3 gaming monitor on desk with keyboard and headset.

If you're ready to upgrade your monitor, this Samsung deal over at Amazon just might be your best bet. The 27-inch version of Samsung's Odyssey G3 is $130 right now, a full $100 off its regular $230 price and its lowest price of the year. It's a part of early Prime Day deals and a good sampling of what we can expect for the shopping holiday, which officially lands on July 8th. Tap the button below to see it for yourself or keep reading to see why we like this deal and why this should be your next monitor.

Buy Now

Read more