Zerobot malware update attacks IoT devices 

Sheila Zabeu

January 04, 2023

An updated version of a botnet first spotted late last year, which exploits vulnerabilities in Internet of Things (IoT) devices to take control of the attacked systems, is now active. First revealed by FortiGuard Labs, the Zerobot malware has been updated several times since the Microsoft Defender research team began tracking it. Zerobot 1.1 adds exploits for vulnerabilities in more systems and new DDoS attack capabilities.

Written in Go, Zerobot contains several modules, including self-replication, self-propagation and one dedicated to attacks over different protocols, and is offered as part of a malware-as-a-service scheme. According to Microsoft, a domain linked to Zerobot was among several domains associated with DDoS-for-hire services seized by the FBI in December 2022. Microsoft also tracked advertisements for the Zerobot botnet on social media, as well as ads relating to the sale and maintenance of the malware, and identified new features under development. The company tracks this activity as DEV-1061.

The Zerobot 1.1 distribution can now exploit vulnerabilities in Apache and Apache Spark, as well as in MiniDVBLinux DVRs, Grandstream devices and the Roxy-WI GUI. It also brings new tools for DDoS attacks. These functions let operators target specific resources and make them unavailable; a successful DDoS attack can be used to extort a ransom payment, divert attention from other malicious activity or disrupt operations. The various methods Zerobot uses to launch DDoS attacks, such as sending UDP and TCP packets with customisable payloads, are listed in the figure below.

[Figure: Different methods used by Zerobot to launch DDoS attacks. Source: Microsoft]

The Zerobot botnet affects multiple devices, including firewalls, routers and cameras, and aggregates them into a distributed denial of service (DDoS) botnet. It can infect vulnerable victims on various architectures, operating systems and protocols.

Because they are more exposed to the Internet and often run unpatched, poorly secured software, IoT devices are frequent targets for Zerobot, which spreads by brute-forcing devices that have insecure configurations with default or weak credentials. The malware attempts to gain access using combinations of eight common usernames and 130 passwords commonly found on IoT devices.

Microsoft researchers observed numerous attempts to open SSH and telnet connections on the standard ports 22 and 23, as well as connection attempts on ports 80, 8080, 8888 and 2323.
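As an added illustration (not part of the original article or of Microsoft's research), the following Python script shows how a defender might spot the behaviour described above in device or gateway logs: one source repeatedly failing to log in across several usernames, and one source sweeping the ports the article lists. The log lines are constructed samples in OpenSSH and iptables-style formats, and the thresholds are assumptions to be tuned per environment.

```python
import re
from collections import defaultdict

# Ports the article reports Zerobot probing: SSH, telnet, HTTP-style and alternate telnet.
ZEROBOT_PROBE_PORTS = {22, 23, 80, 8080, 8888, 2323}

# Constructed sample log (not real data): OpenSSH auth failures plus
# iptables-style kernel lines for inbound TCP SYNs to an IoT gateway.
SAMPLE_LOG = """\
Jan  4 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jan  4 10:00:02 cam01 sshd[812]: Failed password for admin from 203.0.113.5 port 51235 ssh2
Jan  4 10:00:03 cam01 sshd[812]: Failed password for invalid user support from 203.0.113.5 port 51236 ssh2
Jan  4 10:00:04 cam01 sshd[812]: Failed password for invalid user user from 203.0.113.5 port 51237 ssh2
Jan  4 10:00:05 cam01 sshd[812]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jan  4 10:00:06 cam01 sshd[812]: Failed password for admin from 198.51.100.7 port 40001 ssh2
Jan  4 10:00:07 cam01 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44001 DPT=23 SYN
Jan  4 10:00:07 cam01 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44002 DPT=2323 SYN
Jan  4 10:00:08 cam01 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44003 DPT=8080 SYN
Jan  4 10:00:08 cam01 kernel: IN=eth0 SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=44004 DPT=8888 SYN
Jan  4 10:00:09 cam01 kernel: IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP SPT=50000 DPT=443 SYN
Jan  4 10:00:10 cam01 sshd[812]: Accepted password for operator from 192.0.2.44 port 50100 ssh2
"""

# OpenSSH logs "invalid user" before names that do not exist on the box.
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\d+\.\d+\.\d+\.\d+)")
# iptables LOG target format: SRC=<ip> ... DPT=<port>
FW_RE = re.compile(r"SRC=(\d+\.\d+\.\d+\.\d+) .*?DPT=(\d+)")


def analyze(log_text, fail_threshold=4, port_threshold=3):
    """Return a list of findings for credential brute-forcing and IoT port sweeps.

    fail_threshold: failed logins from one source before it is flagged (assumed value).
    port_threshold: distinct Zerobot-style ports one source must touch (assumed value).
    """
    failures = defaultdict(list)   # source IP -> usernames tried
    probed = defaultdict(set)      # source IP -> Zerobot-style ports touched

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip].append(user)
            continue
        m = FW_RE.search(line)
        if m:
            ip, port = m.group(1), int(m.group(2))
            if port in ZEROBOT_PROBE_PORTS:
                probed[ip].add(port)

    findings = []
    for ip, users in failures.items():
        if len(users) >= fail_threshold:
            findings.append({
                "src": ip,
                "kind": "credential_bruteforce",
                "attempts": len(users),
                "usernames": sorted(set(users)),
            })
    for ip, ports in probed.items():
        if len(ports) >= port_threshold:
            findings.append({
                "src": ip,
                "kind": "iot_port_sweep",
                "ports": sorted(ports),
            })
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

In the sample, 203.0.113.5 is flagged for five failed logins across four usernames, and 203.0.113.9 for touching four of the listed ports; the single failure from 198.51.100.7 and the SYN to port 443 stay below the thresholds. Feeding real `auth.log` and firewall output into `analyze()` and forwarding the findings to a SIEM gives a cheap early warning that a device on the network is being tried with default credentials.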

Once it has access to a device, Zerobot injects a script named that downloads and attempts to execute the malicious payload built for a specific architecture. It may also download several binaries and try them in turn to identify the architecture by brute force, since IoT devices use processors from many different platforms. Microsoft has observed scripts for architectures such as ARM64, MIPS and x86_64. Depending on the device's operating system, the malware uses different persistence mechanisms and tactics to gain and keep control.

What is an IoT botnet?

An IoT botnet is a network of Internet of Things (IoT) devices that have been infected by malware (specifically IoT botnet malware) and brought under the control of malicious actors. Botnets are typically used to launch distributed denial-of-service (DDoS) attacks and are advertised on underground forums, making them easily accessible to cybercriminals.

Typically, they are controlled from a single command-and-control (C&C) server connected to the infected devices, called “bots”. Some botnets, however, forgo the C&C server and adopt peer-to-peer (P2P) networks, which makes them harder to take down. This threat is already a reality: five families of P2P IoT botnets have been identified: Watch, Hajime, Hide ‘n’ Seek (HNS), Mozi and HEH.

Trend Micro lists three principal malware code bases used in IoT botnets, whose characteristics show their nature and how they typically operate. Their source code is generally public, which makes it easy to produce variants. The three classes of malware are:

  • Kaiten – Also called Tsunami, this is the least known of the three. Although it became public in 2001, it remains popular among cybercriminals and script kiddies (individuals with no technical skills who use scripts written by others). Kaiten spreads by brute-forcing Telnet services. Its newer variants have a bot-killing feature that removes previous infections.

  • Qbot – This IoT botnet code is somewhat newer than Kaiten (it appeared in 2008) but is still popular among cybercriminals. It is also known as Bashlite, Gafgyt, Lizkebab or Torlus (and should not be confused with the Windows banking trojan QakBot, which is also called Qbot). Its variants also have a feature to eliminate previous bots.

  • Mirai – The best known of the three. It appeared in 2016 and was developed as a DDoS tool for sale, aimed mainly at gamers. Some variants can remove older infections and take over devices completely.

This infection-removal feature points to a potential feud between the operators of IoT botnet code. That may sound like a good thing, but a less naive view sees rival cyber armies whose main victims are the ever-growing number of Internet of Things users, whether individuals or large organisations such as essential services or healthcare providers.