
Roboto, a new P2P botnet targets Linux Webmin servers

Security experts discovered a new peer-to-peer (P2P) botnet dubbed Roboto that is targeting Linux servers running unpatched Webmin installs.

Researchers at 360 Netlab discovered a new P2P botnet, tracked as Roboto, that targets Linux servers running unpatched Webmin installations.

The experts first spotted Roboto in August 2019, when they detected a suspicious ELF file. In October one of the company's honeypots captured the bot, its downloader and some of the bot's modules.

“Fast forwarded to October 11, 2019, our Anglerfish honeypot captured another suspicious ELF sample, and it turned out to be the Downloader of the previous suspicious ELF sample,” reads the analysis published by 360 Netlab. “The Downloader sample downloads the above Bot program from two hard-coded HTTP URLs. One of the addresses disguised the Bot sample as a Google font library “roboto.ttc”, so we named the Botnet Roboto.”

The analysis of the bot revealed that it supports seven functions: reverse shell, self-uninstall, gathering process and network information, gathering bot information, executing system commands, running encrypted files fetched from specified URLs, and DDoS attacks.

The DDoS module implements four attack types (ICMP flood, HTTP flood, TCP flood and UDP flood), but the researchers suspect that DDoS is not the botnet's main purpose.

Roboto spreads by exploiting the Webmin remote code execution vulnerability tracked as CVE-2019-15107 to drop its downloader on Linux servers running vulnerable installs.

Webmin is an open-source, web-based system administration interface for Linux and Unix. It lets administrators configure user accounts, Apache, DNS, file sharing and much more from a browser. CVE-2019-15107 is a backdoor in the routine that handles expired-password changes: a remote, unauthenticated attacker can abuse it to execute arbitrary commands with root privileges on the machine running a vulnerable Webmin.

The backdoor is present in Webmin 1.882 through 1.921, but most of those versions are not exploitable in the default configuration because the expired-password change feature is disabled by default. Only version 1.890 ships with the feature enabled and is therefore vulnerable out of the box.

Webmin 1.930 and Usermin 1.780 remove the backdoored code. Installations that cannot be upgraded immediately can be protected by disabling the option that prompts users with expired passwords to enter a new one (Webmin Configuration > Authentication, which corresponds to the passwd_mode setting in /etc/webmin/miniserv.conf), since that turns off the affected code path.
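As an added example (not Webmin's or 360 Netlab's code), the following Go program applies the version and configuration rules above to triage a host: it pulls the version from the Server: MiniServ/<version> header that Webmin's built-in web server sends (an assumption about the banner format), checks miniserv.conf for the expired-password option (assumed here to be the passwd_mode=2 line), and reports whether the host is in the affected range and actually exploitable. The header and configuration samples are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Version range affected by CVE-2019-15107, as stated in the article:
// 1.882 through 1.921, with only 1.890 exploitable in the default configuration.
// Versions are held as integers (1.890 -> 1890) so comparisons are exact.
const (
	firstAffected   = 1882
	lastAffected    = 1921
	defaultAffected = 1890
)

// miniServRe matches the "Server: MiniServ/<version>" header sent by Webmin's
// built-in web server (assumption: the banner is present and not hidden by a proxy).
var miniServRe = regexp.MustCompile(`(?i)^Server:\s*MiniServ/(\d+\.\d+)$`)

// parseVersion converts "1.890" or "1.93" to 1890 or 1930; ok is false on junk.
func parseVersion(v string) (n int, ok bool) {
	parts := strings.SplitN(v, ".", 2)
	if len(parts) != 2 || len(parts[1]) == 0 || len(parts[1]) > 3 {
		return 0, false
	}
	major, err := strconv.Atoi(parts[0])
	if err != nil {
		return 0, false
	}
	minor, err := strconv.Atoi(parts[1] + strings.Repeat("0", 3-len(parts[1])))
	if err != nil {
		return 0, false
	}
	return major*1000 + minor, true
}

// VersionFromHeaders scans raw HTTP response headers and returns the MiniServ
// version, or "" when the server does not identify itself as Webmin.
func VersionFromHeaders(rawHeaders string) string {
	sc := bufio.NewScanner(strings.NewReader(rawHeaders))
	for sc.Scan() {
		if m := miniServRe.FindStringSubmatch(strings.TrimSpace(sc.Text())); m != nil {
			return m[1]
		}
	}
	return ""
}

// PasswordChangeEnabled reports whether miniserv.conf enables the expired-password
// change feature the backdoor lives in. Assumption: the feature is controlled by a
// "passwd_mode=2" line; a missing line or any other value means it is off.
func PasswordChangeEnabled(miniservConf string) bool {
	sc := bufio.NewScanner(strings.NewReader(miniservConf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if strings.HasPrefix(line, "passwd_mode=") {
			return strings.TrimPrefix(line, "passwd_mode=") == "2"
		}
	}
	return false
}

// Assess turns the two signals into a triage verdict for one host.
func Assess(version string, passwdChangeOn bool) string {
	v, ok := parseVersion(version)
	switch {
	case !ok:
		return "unknown: cannot parse Webmin version " + strconv.Quote(version)
	case v < firstAffected || v > lastAffected:
		return "not affected: " + version + " is outside the 1.882-1.921 range"
	case v == defaultAffected:
		return "VULNERABLE: 1.890 is exploitable even with default settings; upgrade to 1.930 or later"
	case passwdChangeOn:
		return "VULNERABLE: " + version + " with expired-password change enabled; upgrade, or disable the option"
	default:
		return "exposed but not exploitable: " + version + " with the backdoored feature disabled; upgrade anyway"
	}
}

func main() {
	// Constructed sample data, not captured from a real host.
	headers := "HTTP/1.0 200 Document follows\r\nServer: MiniServ/1.890\r\nContent-type: text/html\r\n\r\n"
	conf := "port=10000\nssl=1\npasswd_mode=0\n"
	fmt.Println(Assess(VersionFromHeaders(headers), PasswordChangeEnabled(conf)))
	fmt.Println(Assess("1.900", true))
	fmt.Println(Assess("1.930", true))
}
```

Note that the default branch still recommends upgrading: the configuration check only tells you the backdoored path is currently unreachable, not that the code is gone, and a later configuration change would re-expose it.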

A Shodan search for internet-exposed Webmin installs returns over 233,000 instances, most of them located in the United States, France and Germany.

What sets Roboto apart is its P2P architecture, which is rare among IoT DDoS bots; Hajime and Hide 'N Seek are the best-known botnets with a similar design.

P2P botnets are more resilient to sinkholing and to takeover by law enforcement because there is no central C2 infrastructure to seize, but the same openness means that anyone able to join the network could try to inject commands. To keep the network under its operators' sole control, Roboto verifies a digital signature on every attack command.

“Only the attack messages that are signed and verified can be accepted and executed by the Roboto node. The verification method adopted by Roboto is ED25519, which is a public-key digital signature algorithm. At the same time, the check public key is: 60FF4A4203433AA2333A008C1B305CD80846834B9BE4BBA274F873831F04DF1C, the public key is integrated into each of the Roboto Bot samples,” reads the analysis.
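The following Go program, an added example rather than 360 Netlab's code or Roboto's actual implementation, models the check the quote describes: a node embeds only the operators' Ed25519 public key and executes a command only if the signature over it verifies. The message layout (64-byte signature followed by the command) is an assumption, as is the command text; the only thing taken from the article is the published public key, which the example loads to show that the key alone lets one verify captured messages but not forge new ones.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Assumed message layout (Roboto's real wire format is not described in the
// article): a 64-byte Ed25519 signature followed by the command bytes.
const sigLen = ed25519.SignatureSize

var (
	ErrTooShort = errors.New("message shorter than an Ed25519 signature")
	ErrBadSig   = errors.New("signature does not verify under the embedded key")
)

// Node models a bot. It embeds only the operators' public key, so capturing a
// node or its binary yields nothing that can sign new commands.
type Node struct {
	operatorKey ed25519.PublicKey
}

// Accept returns the command bytes if and only if the signature verifies.
// Anything else, including a message signed with a different key, is dropped.
func (n Node) Accept(msg []byte) ([]byte, error) {
	if len(msg) < sigLen {
		return nil, ErrTooShort
	}
	sig, cmd := msg[:sigLen], msg[sigLen:]
	if !ed25519.Verify(n.operatorKey, cmd, sig) {
		return nil, ErrBadSig
	}
	return cmd, nil
}

// Operator holds the private key, which never leaves the operators' side.
type Operator struct{ priv ed25519.PrivateKey }

func NewOperator() (Operator, error) {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	return Operator{priv}, err
}

// Node returns a bot configured with this operator's public key.
func (o Operator) Node() Node { return Node{o.priv.Public().(ed25519.PublicKey)} }

// Sign produces signature || command.
func (o Operator) Sign(cmd []byte) []byte {
	return append(ed25519.Sign(o.priv, cmd), cmd...)
}

// robotoPubHex is the verification key 360 Netlab reported finding embedded in
// the Roboto samples (quoted in the article). It allows verifying, not signing.
const robotoPubHex = "60FF4A4203433AA2333A008C1B305CD80846834B9BE4BBA274F873831F04DF1C"

// RobotoNode builds a verifier from the published key.
func RobotoNode() (Node, error) {
	raw, err := hex.DecodeString(robotoPubHex)
	if err != nil {
		return Node{}, err
	}
	if len(raw) != ed25519.PublicKeySize {
		return Node{}, errors.New("unexpected public key length")
	}
	return Node{ed25519.PublicKey(raw)}, nil
}

// Scenarios reports whether a node accepts (1) a genuine command, (2) the same
// message with one command byte flipped, and (3) a command signed by an impostor
// who lacks the operators' key, as a would-be sinkholer would.
func Scenarios() (genuine, tampered, impostor bool, err error) {
	op, err := NewOperator()
	if err != nil {
		return
	}
	node := op.Node()
	msg := op.Sign([]byte("ddos tcp 203.0.113.7:80 60")) // constructed command
	_, e := node.Accept(msg)
	genuine = e == nil

	bad := append([]byte(nil), msg...)
	bad[len(bad)-1] ^= 0x01 // "60" -> "61": payload changed, signature now stale
	_, e = node.Accept(bad)
	tampered = e == nil

	imp, err := NewOperator()
	if err != nil {
		return
	}
	_, e = node.Accept(imp.Sign([]byte("uninstall")))
	impostor = e == nil
	return
}

func main() {
	g, tmp, imp, err := Scenarios()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v tampered accepted=%v impostor accepted=%v\n", g, tmp, imp)
	if n, err := RobotoNode(); err == nil {
		_, err = n.Accept([]byte("unsigned ddos"))
		fmt.Println("unsigned message against Roboto's key:", err)
	}
}
```

The practical consequence for defenders is the one the article draws: without the private key, joining the P2P mesh gives a researcher visibility into peers and traffic but no way to issue an uninstall or redirect nodes, so disruption has to come from patching and removing the hosts rather than hijacking the network.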

Additional technical details, including indicators of compromise (IoCs), are included in the analysis published by the experts.


Pierluigi Paganini

(SecurityAffairs – Roboto botnet, malware)
