Echobot malware is a smorgasbord of vulnerabilities
If there’s one thing that seems to have no end in sight, it is malware authors putting their own spin on the old Mirai malware and creating new botnets to haunt the IoT and enterprise landscapes.
Not a month goes by without a new major botnet appearing out of nowhere and launching massive attacks against people’s smart devices – either using default credentials to take over the device or by using exploits for old security flaws that device owners did not patch.
New Mirai variant named Echobot
The malware itself doesn’t bring anything new to the actual Mirai source code, which is no surprise since the Mirai code has remained unchanged for years now.
Echobot follows the trend – nothing new, but merely a malware author who added modules on top of the original Mirai source code.
When it was first spotted by Palo Alto Networks researchers in early June, Echobot was using exploits for 18 vulnerabilities. In the Akamai report, a week later, Echobot was at 26.
Targeting IoT devices and enterprise apps
“What I found the most interesting, and not so surprising, is the inclusion of cross-application vulnerabilities,” said Larry Cashdollar, Akamai threat researcher. “For example, rather than sticking to devices with embedded OSs like routers, cameras, and DVRs, IoT botnets are now using vulnerabilities in enterprise web (Oracle WebLogic) and networking software (VMware SD-WAN) to infect targets and propagate malware,” he said.
The botnet also incorporates old and new exploits alike. Age was not a factor in the selection of the exploit.
A process to the madness
This weird way of evolving a botnet using unrelated exploits is not unique to Echobot, but a process that all IoT botnets go through.
From the outside, malware authors seem to pick their exploits at random, but there’s a process to their madness.
Exploits get recycled through a botnet in a matter of days if they’re not working. So, in hindsight, Echobot’s current arsenal of exploits can be viewed as a list of today’s most bot-yielding vulnerabilities, and a list that device owners and security vendors would want to look over, as it provides insight into today’s most attacked devices.
Source: zdnet.com