Demonbot

Posted: October 5, 2020

Demonbot is a Trojan that creates a decentralized network on infected systems, typically for launching DDoS attacks. Current campaigns use exploits specific to compromising unprotected Internet-of-Things cameras, and users should turn on password protection as a preventative step. Users should also have anti-malware protection on related systems for removing threats related to Demonbot attacks, and should reset their IoT devices to factory condition.

Programs Conjured from a Mirai-Inspired Hell

For the threat landscape, Mirai is a gift that keeps on giving, with numerous threat actors updating its code or taking inspiration from it for new Trojan networks. It is already responsible for giving the world the Dark_nexus Botnet, LiquorBot, the Satori Botnet, and more, and 2020 is seeing another addition to its progeny. The Demonbot of 2018 is getting a revival with a low-sophistication emphasis on IoT cameras.

Demonbot isn't the only botnet to target cameras preferentially; the Death Botnet is a particularly specialized comparison point. What makes Demonbot's new attacks of interest is the explicit focus on a single port typically used by Defeway Internet-of-Things camera devices. Unlike most botnets, the Demonbot campaign's current admin isn't using a flexible set of exploits and is instead limiting infection techniques to a small selection of ports. It also only installs itself on devices without any password protection.

Trojan botnets may turn the hardware resources available on infected devices to various attacks. For Demonbot, malware researchers most strongly note its connection to Distributed-Denial-of-Service or DDoS attacks. These Web server-crashing functions use coordinated, fake traffic en masse, and can facilitate, for example, disrupting banks' servers for concealing fraudulent cash transactions. Users should be aware that the attack targets external entities, although DDoS activity may cause performance problems on the infected device.

Putting Fallen Angels Back Where They Belong

Unlike many threats, the 'exciting' factor in Demonbot's campaign is the distinct lack of sophistication in its distribution methods. While the threat actor could use more techniques for distributing it more widely, the possibly deliberate limitation to a small subset of ports and exploits makes its circulation a very targeted, low-sophistication model. All users can protect themselves from current attacks by Demonbot, as of October 2020, by implementing password security or a firewall on their Internet-of-Things devices. Devices without ports 5500, 5501, 5502, 5050, or 60001 open are also safe.
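As an added example (not part of the original article), the following Python sketch reads gateway firewall logs and reports which local devices are receiving connections from outside on the ports listed above, which is a quick way to find cameras that still need a firewall rule or a password. It assumes the gateway logs forwarded connections in netfilter (iptables LOG) format and that the local subnet is 192.168.1.0/24; the function name and the sample log lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Ports the article lists for the October 2020 Demonbot campaign.
DEMONBOT_PORTS = {5500, 5501, 5502, 5050, 60001}

# Key=value fields as written by the netfilter LOG target.
FIELD = re.compile(r"\b(SRC|DST|DPT)=(\S+)")

# Constructed sample lines, not captured from a real network.
SAMPLE_LOG = """\
Oct  5 10:01:12 gw kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40112 DPT=5500 SYN
Oct  5 10:01:13 gw kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=40113 DPT=60001 SYN
Oct  5 10:02:40 gw kernel: FWD IN=eth0 OUT=br0 SRC=203.0.113.9 DST=192.168.1.20 LEN=60 PROTO=TCP SPT=51820 DPT=5500 SYN
Oct  5 10:03:02 gw kernel: FWD IN=br0 OUT=br0 SRC=192.168.1.5 DST=192.168.1.21 LEN=60 PROTO=TCP SPT=33000 DPT=5050 SYN
Oct  5 10:04:55 gw kernel: FWD IN=eth0 OUT=br0 SRC=198.51.100.7 DST=192.168.1.22 LEN=60 PROTO=TCP SPT=40200 DPT=443 SYN
Oct  5 10:05:00 gw kernel: malformed line without fields
"""

def exposed_devices(log_text, local_net="192.168.1.0/24", ports=DEMONBOT_PORTS):
    """Map each local device to the watched ports that hosts outside
    local_net connected to, plus the distinct external sources seen."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(lambda: {"ports": set(), "sources": set()})
    for line in log_text.splitlines():
        fields = dict(FIELD.findall(line))
        try:
            src = ipaddress.ip_address(fields["SRC"])
            dst = ipaddress.ip_address(fields["DST"])
            dpt = int(fields["DPT"])
        except (KeyError, ValueError):
            continue  # not a packet line, or its fields are damaged
        # Only traffic from outside the subnet to a local device counts;
        # LAN-to-LAN access to the same ports is ignored.
        if dpt in ports and dst in net and src not in net:
            hits[str(dst)]["ports"].add(dpt)
            hits[str(dst)]["sources"].add(str(src))
    return dict(hits)

if __name__ == "__main__":
    for device, seen in sorted(exposed_devices(SAMPLE_LOG).items()):
        print(device, sorted(seen["ports"]), len(seen["sources"]), "external sources")
```

Any device this reports is reachable from outside on a port the campaign uses and should be placed behind the firewall and given a password.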

When appropriate, users should update their software to remove any vulnerabilities that might be known to attackers, such as a remote command execution exploit for MVPower digital recorders. When preventative security measures fail to stop an infection, users should remain alert to possible breaches of related accounts and networks, and of the information therein.

Device owners also can reset their cameras and other IoT devices to factory default conditions after experiencing any attacks and protect phones, computers, and other systems from botnets like Demonbot with professional cyber-security suites.

Priority, the threat actor in charge of the current campaign for Demonbot, is either very inexperienced or giving the impression of such to the rest of the world. Even in the best case, Demonbot's network is still as threatening as hellfire to any server that it's DDoSing.