
In a new blog post, the Microsoft Defender for IoT security research team says it has found new Zerobot capabilities and describes how the botnet continues to evolve. The company says the latest version of the botnet malware (Zerobot 1.1) has new “features” and attack methods.

If you’re unfamiliar with Zerobot, it is a botnet that spreads across web applications and IoT devices by exploiting vulnerabilities. It is sold as malware as a service, which means it evolves over time. In fact, the Microsoft Defender for IoT security team says the botnet has been updated multiple times since the team began tracking the malware.

Malware as a service is a relatively new concept in the cybercrime world. It allows threat actors to easily access malware packages that are already established and use ready-made tools for their attacks. In other words, it opens up cyberattack activity to people who may not have the skill to build attacks themselves.

Microsoft points out that Zerobot is a defining example of malware as a service and is constantly evolving and improving. This includes version 1.1 of the botnet:

“Zerobot 1.1, including newly identified capabilities and further context to Fortinet’s recent analysis on the threat. Zerobot 1.1 increases its capabilities with the inclusion of new attack methods and new exploits for supported architectures, expanding the malware’s reach to different types of devices.”

Evolving

This means the botnet is better than ever at infiltrating IoT devices such as cameras, routers, and others. It places compromised hardware onto a distributed denial of service (DDoS) botnet. Because it has access to multiple modules, Zerobot can tailor its attacks to target different architectures and operating systems.

“Upon gaining device access, Zerobot injects a malicious payload, which may be a generic script called zero.sh that downloads and attempts to execute Zerobot, or a script that downloads the Zerobot binary of a specific architecture.

The bash script that attempts to download different Zerobot binaries tries to identify the architecture by brute-force, attempting to download and execute binaries of various architectures until it succeeds, as IoT devices are based on many computer processing units (CPUs). Microsoft has observed scripts targeting various architectures including ARM64, MIPS, and x86_64.”

In its blog post, Microsoft details new capabilities it has observed from Zerobot 1.1:

The following are the previously known Zerobot capabilities:

Attack method    Description
UDP_LEGIT        Sends UDP packets without data.
MC_PING          Meant for DDoS on Minecraft servers. Sends a handshake and status request.
TCP_HANDSHAKE    Floods with TCP handshakes.
TCP_SOCKET       Continuously sends random payloads on an open TCP socket. Payload length is customizable.
TLS_SOCKET       Continuously sends random payloads on an open TLS socket. Payload length is customizable.
HTTP_HANDLE      Sends HTTP GET requests using a Golang standard library.
HTTP_RAW         Formats and sends HTTP GET requests.
HTTP_BYPASS      Sends HTTP GET requests with spoofed headers.
HTTP_NULL        HTTP headers are each one random byte (not necessarily ASCII).

Previously undisclosed and new capabilities are the following:

Attack method    Description
UDP_RAW          Sends UDP packets where the payload is customizable.
ICMP_FLOOD       Supposed to be an ICMP flood, but the packet is built incorrectly.
TCP_CUSTOM       Sends TCP packets where the payload and flags are fully customizable.
TCP_SYN          Sends SYN packets.
TCP_ACK          Sends ACK packets.
TCP_SYNACK       Sends SYN-ACK packets.
TCP_XMAS         Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.
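As an added illustration from the defender's side (not code from Microsoft's post), here is a small Python checker that classifies tcpdump-style flag strings into the TCP packet shapes listed above (bare SYN, bare ACK, SYN-ACK, Christmas tree) and reports sources that send Christmas-tree packets or a burst of bare SYNs. The sample lines, addresses and the SYN threshold are constructed for the example.

```python
import re
from collections import Counter

# Constructed tcpdump-style summary lines (sample data, not a real capture).
# One source sends a burst of SYN-only packets, another sends two Christmas
# tree packets (all classic TCP flags set), and one client does a normal handshake.
SAMPLE_LINES = [
    "10:00:01.000 IP 203.0.113.7.40001 > 198.51.100.5.80: Flags [S], seq 1",
    "10:00:01.001 IP 203.0.113.7.40002 > 198.51.100.5.80: Flags [S], seq 2",
    "10:00:01.002 IP 203.0.113.7.40003 > 198.51.100.5.80: Flags [S], seq 3",
    "10:00:01.003 IP 203.0.113.7.40004 > 198.51.100.5.80: Flags [S], seq 4",
    "10:00:01.004 IP 203.0.113.9.5555 > 198.51.100.5.80: Flags [FSRP.U], seq 5",
    "10:00:01.005 IP 203.0.113.9.5556 > 198.51.100.5.80: Flags [FSRP.U], seq 6",
    "10:00:02.000 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [S], seq 7",
    "10:00:02.100 IP 198.51.100.5.80 > 192.0.2.20.51000: Flags [S.], seq 8",
    "10:00:02.200 IP 192.0.2.20.51000 > 198.51.100.5.80: Flags [.], ack 9",
]
# tcpdump flag letters: F=FIN S=SYN R=RST P=PSH .=ACK U=URG (ECN bits ignored)
XMAS_FLAGS = set("FSRP.U")
LINE_RE = re.compile(r"IP (\S+)\.\d+ > (\S+)\.\d+: Flags \[([^\]]*)\]")

def classify_flags(flags):
    """Map a tcpdump flag string to one of the TCP shapes from the table."""
    fl = set(flags)
    if XMAS_FLAGS <= fl:
        return "xmas"    # TCP_XMAS: every classic flag set at once
    if fl == {"S"}:
        return "syn"     # TCP_SYN: bare SYN, the building block of a SYN flood
    if fl == {"S", "."}:
        return "synack"  # TCP_SYNACK: SYN-ACK with no preceding SYN is suspect
    if fl == {"."}:
        return "ack"     # TCP_ACK: bare ACK
    return "other"

def analyze(lines, syn_threshold=3):
    """Return sources sending xmas packets and sources at/above the SYN count.
    A real deployment would count per time window; the constant threshold is
    an assumption that keeps the example self-contained."""
    syn_counts = Counter()
    xmas_sources = set()
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines that are not TCP summaries
        src, _dst, flags = m.groups()
        kind = classify_flags(flags)
        if kind == "xmas":
            xmas_sources.add(src)
        elif kind == "syn":
            syn_counts[src] += 1
    flooders = sorted(s for s, n in syn_counts.items() if n >= syn_threshold)
    return {"xmas_sources": sorted(xmas_sources), "syn_flood_sources": flooders}
```

Running `analyze(SAMPLE_LINES)` reports 203.0.113.9 for Christmas-tree packets and 203.0.113.7 for the SYN burst, while the normal handshake from 192.0.2.20 stays below the threshold.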
