Security researchers have uncovered the details of a botnet that has infected more than 1.6 million devices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users.
According to Qihoo 360’s Netlab security team, the botnet is believed to be the largest observed in the wild in the last six years.
The researchers have named the botnet “Pink” based on a sample obtained on November 21, 2019, owing to a large number of function names starting with “pink.”
The botnet, which mainly targets MIPS-based fiber routers, leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for its bot-to-controller communications. The transmission channels are completely encrypted to prevent the victimized devices from being taken over by a third party.
The researchers stated that Pink raced with the vendor to retain control over the infected devices: while the vendor made repeated attempts to fix the problem, the bot master noticed the vendor’s actions in real time and pushed multiple firmware updates to the fiber routers in response. Coordinated action has since been taken by the unspecified vendor and China’s Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC).
Pink has also been found adopting DNS-over-HTTPS (DoH), a protocol for performing remote Domain Name System resolution over HTTPS, to connect to the controller specified in a configuration file that is delivered either via GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.
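Because a consumer fiber router normally has no reason to resolve names through a public DoH resolver instead of the operator's configured DNS, DoH traffic from that device class is a useful anomaly to alert on. The following detection sketch is an added example, not code from the Netlab report or from this article; it assumes a constructed, simplified CSV proxy/flow log with a `device_class` field and uses only the standard `/dns-query` path and DoH media types as indicators.

```python
"""Detection sketch: flag DNS-over-HTTPS (DoH) use by network gateway devices.

Added example, not code from the Netlab report or this article. Assumptions:
- Log lines are a constructed, simplified CSV; real proxy or NetFlow exports differ.
- Only the "/dns-query" path and the standard DoH media types are used as indicators.
"""
import csv
import io
from dataclasses import dataclass
from urllib.parse import urlsplit

DOH_PATHS = {"/dns-query"}                       # well-known path from RFC 8484
DOH_MEDIA_TYPES = {"application/dns-message",    # RFC 8484 wire format
                   "application/dns-json"}       # JSON API offered by several public resolvers

# Device classes that should only use the internal resolver (assumption for this example).
INFRA_DEVICE_CLASSES = {"fiber-router", "gateway"}

# Constructed sample log lines (not from any real capture).
SAMPLE_LOGS = """timestamp,src_ip,dst_host,method,path,content_type,device_class
2021-10-01T10:00:01Z,10.0.0.5,dns.google,POST,/dns-query,application/dns-message,fiber-router
2021-10-01T10:00:02Z,10.0.1.20,example.com,GET,/index.html,text/html,workstation
2021-10-01T10:00:03Z,10.0.0.7,cloudflare-dns.com,GET,/dns-query?dns=AAABAAABAAAAAAAAA3d3dwdleGFtcGxlA2NvbQAAAQAB,application/dns-message,fiber-router
2021-10-01T10:00:04Z,10.0.1.21,dns.google,POST,/dns-query,application/dns-message,workstation
2021-10-01T10:00:05Z,10.0.0.5,dns.google,POST,/dns-query,application/dns-message,fiber-router
"""


@dataclass(frozen=True)
class Record:
    timestamp: str
    src_ip: str
    dst_host: str
    method: str
    path: str
    content_type: str
    device_class: str


@dataclass
class Alert:
    src_ip: str
    device_class: str
    resolvers: set
    count: int


def parse_logs(text: str) -> list:
    """Parse the constructed CSV format into Record objects."""
    reader = csv.DictReader(io.StringIO(text))
    return [Record(**row) for row in reader]


def is_doh(rec: Record) -> bool:
    """True if the request looks like a DoH query (path or media type)."""
    path = urlsplit(rec.path).path          # strip the ?dns=... query string for GET-style DoH
    return path in DOH_PATHS or rec.content_type.lower() in DOH_MEDIA_TYPES


def find_infra_doh(records: list) -> dict:
    """Return {src_ip: Alert} for infrastructure devices that issued DoH requests.

    Workstations are deliberately not flagged: browser-initiated DoH is common there,
    whereas a gateway bypassing the configured resolver is the anomaly worth reviewing.
    """
    alerts = {}
    for rec in records:
        if rec.device_class in INFRA_DEVICE_CLASSES and is_doh(rec):
            alert = alerts.setdefault(rec.src_ip, Alert(rec.src_ip, rec.device_class, set(), 0))
            alert.resolvers.add(rec.dst_host)
            alert.count += 1
    return alerts


if __name__ == "__main__":
    for ip, alert in find_infra_doh(parse_logs(SAMPLE_LOGS)).items():
        print(f"{ip} ({alert.device_class}): {alert.count} DoH request(s) to "
              f"{', '.join(sorted(alert.resolvers))}")
```

The per-device aggregation matters in practice: a single DoH hit from a router is worth a ticket, but a device that keeps resolving through an external resolver after a firmware update, as the report describes for Pink, is the one to isolate first.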
More than 96% of the zombie nodes that are part of the “super-large-scale bot network” were located in China. The threat actor broke into the devices to install malicious programs by taking advantage of zero-day vulnerabilities in the network gateway devices.
Although a significant chunk of the infected devices has since been repaired and restored to their previous state as of July 2020, the botnet is still said to be active, comprising about 100,000 nodes.
Around 100 DDoS attacks have been launched by the botnet so far, and the findings indicate how botnets can offer a powerful infrastructure for bad actors to mount a variety of intrusions.
Image Credits: Bitdefender