JenX botnet, a new IoT botnet, has begun recruiting IoT devices. The JenX botnet is being marketed over the Internet and offers up to 300Gbps attacks for as little as $20. It uses hosted servers to find and infect IoT devices leveraging one of two known vulnerabilities that have become popular in IoT botnets recently - CVE-2014-8361 and CVE-2017–17215. JenX botnet represents an evolutionary trend being seen with IoT botnets; it is based on customized versions of the source code of predecessor botnets. Both exploit vectors are from the Satori IoT botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot IoT Botnet.” The malware also uses similar techniques as seen in the recently discovered PureMasuta, which had its source code published in an invite-only dark forum.
Figure 1: services offered by the JenX botnet authors
Like previous IoT botnets, JenX botnet has its roots in gaming server operators who compete over clients, sometimes via launching attacks against each other. This IoT botnet provides a DDoS service with a guaranteed bandwidth of 290-300Gbps and attack vectors including Valve Source Engine Query and 32-byte floods, TS3 scripts and a “Down OVH” option that most probably refers to attacks targeting the hosting service of OVH (a cloud hosting provider that was a victim of the original
Mirai attack in September, 2016). The C2 server hosted under the domain ‘sancalvicie.com’ provides GTA San Andreas Multi-Player mod servers with DDoS services on the side. The SAMP option provides a multi-player gaming service for GTA San Andreas and explicitly mentions the protection against Source Engine Query and other DDoS floods.
Different from previous botnets, JenX botnet uses servers to perform the scanning and the exploits. Nearly all botnets, including Mirai, Hajime, Persirai, Reaper, Satori and Masuta perform distributed scanning and exploiting. That is, each victim that is infected with the malware will perform its own search for new victims.
The image below illustrates SYN scans originating from one exploit server as it is scanning the globe. It seems that the servers are first performing a mass scan of the Internet before attempting to exploit the devices, ensuring ports 52869 and 37215 are open.
JenX Botnet Exploits
Radware observed multiple exploit attempts from distinct servers located in different hosting centers across Europe. The IoT botnet exploits based on CVE-2014-8361 try to perform an RCE through three individual SOAP posts to port 52869 using the URL /picsdesc.xml.
Figure 3: one of the three XML SOAP posts for remote code execution
The CVE-2017–17215 based-exploits from the IoT botnet use a POST to /ctrlt/DeviceUpgrade_1 on port 37215 and a slightly different command sequence to download and execute the malware, first attempting to kill any competing bots that might be resident on the device.
Figure 4: code of CVE-2017-17215 exploit
Malware Execution and Communication
The malware binary is called ‘jennifer’ and was in all occurrences downloaded from the same server 184.108.40.206 which is hosted at a different provider compared to the provider of the exploit servers. The download server hosts samples for MIPS, ARM and x86, all recently uploaded.
Upon execution, Jennifer’s binary initiates three obfuscated processes in the process table (similar to Mirai). All processes are listening to a port bound to localhost and one for the processes opens a TCP socket to the C2 server 220.127.116.11 on port 127.
The first C2 server it calls is skids.sancalvicie.com, using a TCP session on port 127. The malware sends the byte sequence “0x00 0x00 0x00 0x01 0x07” followed by the first argument passed on the command line, in the case of the Realtek exploit, this argument is ‘realtek.’ After this initial sequence, the bot and the C2 server are passing back and forth 2 byte “0x00 0x00” packets to keep the session alive.
Indicators of Compromise (IOCs)
Effective DDoS Protection Essentials
- Hybrid DDoS Protection - On-premise and
cloud DDoS protection for real-time
DDoS attack prevention that also addresses high volume attacks and protects from pipe saturation
- Behavioral-Based Detection - Quickly and accurately identify and block anomalies while allowing legitimate traffic through
- Real-Time Signature Creation - Promptly protect from unknown threats and zero-day attacks
- A Cyber-Security Emergency Response Plan - A dedicated emergency team of experts who have experience with Internet of Things security and handling IoT outbreaks
For further DDoS protection measures, such as
network and application protection, Radware urges companies to inspect and patch their network in order to defend against risks and threats.
Under Attack and in Need of Expert Emergency Assistance? Radware Can Help
Radware offers a DDoS protection service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damages occur. If you’re under DDoS attack or malware outbreak and in need of emergency assistance,
contact us with the code "Red Button."