Home Malware Programs Botnets Demonbot


Posted: October 5, 2020

Demonbot is a Trojan that creates a decentralized network on infected systems, typically, for launching DDoS attacks. Current campaigns are using exploits specific to compromising unprotected Internet-of-Things cameras, and users should turn on password protection as a preventative step. Users also should have anti-malware protection on related systems for removing threats related to Demonbot attacks, and reset their IoT devices to factory condition.

Programs Conjured from a Mirai-Inspired Hell

For the threat landscape, Mirai is a gift that keeps on giving, with numerous threat actors updating its code or taking inspiration from it for new Trojan networks. Although it already is responsible for providing the world the Dark_nexus Botnet, LiquorBot, the Satori Botnet, and more, 2020 is seeing another addition to its progeny. The Demonbot of 2018 is getting a revival with a low-sophistication emphasis on IoT cameras.

Demonbot isn't the only botnet to target cameras preferentially – the Death Botnet is a particularly-specialized comparison point. What makes Demonbot's new attacks of interest is the explicit focus on a single port typically used by Defeway Internet-of-Things camera devices. Unlike most botnets, the Demonbot campaign's current admin isn't using a flexible set of exploits, and is, instead, limiting infection techniques to a small selection of ports. It also only installs itself on devices without any password protection.

Trojan botnets may turn the hardware resources available on infected devices to various attacks. For Demonbot, malware researchers most strongly note its connection to Distributed-Denial-of-Service or DDoS attacks. These Web server-crashing functions use coordinated, fake traffic en masse, and can facilitate, for example, disrupting banks' servers for concealing fraudulent cash transactions. Users should be aware that the attack targets external entities, although DDoS activity may cause performance problems on the infected device.

Putting Fallen Angels Back Where They Belong

Unlike many threats, the 'exciting' factor in Demonbot's campaign is the distinct lack of sophistication in its distribution methods. While the threat actor could use more techniques for distributing it more widely, the possibly-deliberate limited subset of ports and exploits makes its circulation a very targeted and low-sophisticated model. All users can protect themselves from current attacks by the Demonbot, as of October 2020, by implementing password security or a firewall on their Internet-of-Things devices. Devices without ports 5500, 5501, 5502, 5050, or 60001 open also are safe.

When appropriate, users should update their software to remove any vulnerabilities that might be known to attackers, such as a remote command execution exploit for MVPower digital recorders. When preventative security protocols fail at preventing infections, users should remain alert to possible breaches of related accounts and networks, and the information therein.

Device owners also can reset their cameras and other IoT devices to factory default conditions after experiencing any attacks and protect phones, computers, and other systems from botnets like Demonbot with professional cyber-security suites.

Priority, the threat actor in charge of the current campaign for Demonbot, is either very inexperienced or giving the impression of such to the rest of the world. Even in the best case, Demonbot's network still is as threatening as hellfire to any server that it's DdoSing.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Demonbot may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria .

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.