14,000 routers are infected by malware that is highly immune to takedowns

Researchers say they’ve uncovered a takedown-resistant botnet of 14,000 routers and other network devices—primarily made by Asus—that were conscripted into a proxy network that anonymously carries traffic used for cybercrime.

The malware—dubbed KadNap—takes hold by exploiting vulnerabilities that have gone unpatched by the devices’ owners, Chris Formosa, a researcher at security firm Lumen’s Black Lotus Labs, told Ars. The high concentration of Asus routers is probably the result of the botnet operators acquiring a reliable exploit for vulnerabilities affecting those models. He said it’s unlikely that the attackers are using any zero-days in the operation.

A botnet that stands out amongst others

The number of infected routers averages about 14,000 per day, up from 10,000 last August, when Black Lotus discovered the botnet. Compromised devices are overwhelmingly located in the US, with smaller populations in Taiwan, Hong Kong, and Russia. Among the salient features of KadNap is a complex peer-to-peer design based on Kademlia, a network structure that uses distributed hash tables to hide the IP addresses of command-and-control servers. The design makes the botnet immune to detection and takedowns through traditional methods.

“The KadNap botnet stands out amongst others that support anonymous proxies in its use of a peer-to-peer network for decentralized control,” Formosa and fellow Black Lotus researcher Steve Rudd wrote Wednesday. “Their intention is obvious: avoid detection and make it difficult for defenders to guard against.”

Distributed hash tables have long been used to create hardened peer-to-peer networks, most notably BitTorrent and the InterPlanetary File System. Rather than having a number of centralized servers that directly control nodes and supply them with the IP addresses of other nodes, DHTs allow any node to poll other nodes for the device or server it’s searching for. The decentralized structure and the substitution of IP addresses with hashes give the network resilience against takedowns or denial-of-service attacks.
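The lookup described above, as an added example that is not part of the original article or of Black Lotus Labs’ research: a toy Kademlia network in which every peer is known only by a hash and any peer can find the one responsible for a key by polling others. The node labels, the 32-bit ID space and the bucket size k=2 are constructed for the demo; the point for defenders is that there is no directory server to sinkhole, and taking one peer offline does not stop the remaining peers from finding each other.

```python
"""Toy Kademlia lookup. Added example, not Black Lotus Labs or KadNap code;
node labels and the 32-bit ID space are constructed for the demo."""
import hashlib

BITS, K = 32, 2  # toy ID space (real Kademlia: 160 bits); entries per k-bucket

def node_id(label: str) -> int:
    """Peers and keys are named by hash, so the lookup never carries an IP."""
    return int(hashlib.sha1(label.encode()).hexdigest(), 16) % (1 << BITS)

class Node:
    def __init__(self, label: str):
        self.id, self.online = node_id(label), True
        self.buckets = [[] for _ in range(BITS)]  # bucket j: peers differing first at bit j

    def learn(self, peer: "Node") -> None:
        if peer.id != self.id:
            bucket = self.buckets[(self.id ^ peer.id).bit_length() - 1]
            if peer not in bucket and len(bucket) < K:
                bucket.append(peer)

    def find_node(self, target: int) -> list:
        """FIND_NODE RPC: the K known peers closest (by XOR) to target;
        an unreachable peer answers nothing."""
        known = [p for b in self.buckets for p in b] if self.online else []
        return sorted(known, key=lambda p: p.id ^ target)[:K]

def lookup(start: Node, target: int):
    """Iterative lookup: ask the unqueried peers among the K closest seen
    so far; stop once those K closest have all been asked."""
    shortlist, queried, rounds = {start.id: start}, set(), 0
    while True:
        best = sorted(shortlist.values(), key=lambda p: p.id ^ target)
        pending = [p for p in best[:K] if p.id not in queried]
        if not pending:
            return best[0], rounds  # (closest peer found, query rounds used)
        rounds += 1
        for p in pending:
            queried.add(p.id)
            for r in p.find_node(target):
                shortlist.setdefault(r.id, r)

def build_network(n: int) -> list:
    """Full-mesh introduction so every k-bucket fills deterministically."""
    nodes = [Node(f"bot-{i:03d}") for i in range(n)]  # constructed labels
    for a in nodes:
        for b in nodes:
            a.learn(b)
    return nodes
```

A lookup from any peer converges on the key's owner in a number of rounds proportional to the bit length of the XOR distance rather than to the size of the network.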
