Roboto Botnet
Linux servers are being targeted by a threat actor who appears to turn infected machines into members of a large-scale botnet that is currently referred to as the Roboto Botnet by malware researchers. According to specialists, an estimate of 215,000 servers are running the Webmin software suite, which is the main infection vector that the threat actors behind the Roboto Botnet rely on at the moment. The first traces of the botnet's activity date back to the summer of 2019, but its rapid expansion started recently and attracted the attention of cybersecurity experts worldwide. The Webmin vulnerability in question was discovered in the summer, and it allows a hacker to execute remote commands on outdated versions of the Webmin software – updated versions are not vulnerable.
The Roboto Botnet Prioritizes Its Expansion
Most of Roboto Botnet's code appears to serve the purpose of launching Distributed-Denial-of-Service (DDoS) attacks via several vectors – ICMP, TCP, UDP and HTTP. However, the botnet has not been used to attack any service or network yet, so it is possible that its owners might be emphasizing on growth at the moment. To ensure that the Roboto Botnet will keep expanding, its authors have implemented an interesting peer-to-peer method that limits the number of connections made between the botnet's members and the primary control server. Instead, the bots communicate with each other and send instructions on what to do next – so far, the bots seem to be scanning the Web for more vulnerable servers that have an outdated Webmin installation available.
Just like many other botnets, this one also features backdoor components that may enable the attacker to do more than just to execute DDoS attacks. They can use the compromised servers to run shell commands, collect files, collect system details, execute additional corrupted executable and run Linux commands.
The Roboto Botnet's size is not that impressive yet, but, as mentioned above, its rapid expansion started recently, so it will not be a long time before the botnet adds more vulnerable servers to its collection probably. We advise Web administrators to take the necessary measures to scan their Linux servers and apply the latest security patches and updates.
Leave a Reply
Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter . If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.