Zerobot: latest strain automates high aggression IoT compromise

Bots represent one of today's most ubiquitous threats. Recent studies have not only revealed the sheer scale of malicious bot activity against websites, but have also shown a worrying trend: attackers continue to push toward fully automated system compromise.

Your anti-bot protection needs to keep pace with this ever-evolving threat landscape, exemplified by threats such as the ongoing Zerobot campaign.

Birth of the ever-expanding Zerobot

In order to carry out commands - whether legitimate or otherwise - bots require a small amount of hardware horsepower.

Legitimate, site-friendly bots such as chatbots and crawlers allow businesses to answer customer queries faster and more precisely, while illegitimate bots can steal customer information and hijack their devices, facilitating the complete removal of your site from the airwaves via large-scale DDoS attacks.

No innovation has swelled the ranks of international botnets more than the explosive Internet of Things (IoT) industry.

IoT devices have rapidly become a major foundation of everyday life, from hyper-convenient, consumer-focused devices such as smart fridges and fitness watches to highly specific components within industrial production plants.

Unfortunately, because the IoT industry has prioritised adaptability and convenience, it is now facing the repercussions of a decade’s worth of security oversights.

Beginning with Mirai in 2016, attackers began to take full advantage of the poor built-in security offered by most IoT devices. Over six years later, IoT devices still often fall victim to the same default username and password combinations, as users are frequently never told about the security ramifications of leaving them in place.

Zerobot was first discovered by researchers in December 2022; at first ‘quite basic’, it initially operated off a set list of pre-existing vulnerabilities in devices from suppliers such as D-Link, RealTek, Huawei, and TOTOlink.

From there, however, Zerobot continued to be updated. An initial focus was placed upon being able to infect more endpoints, allowing Zerobot to handle a broader range of protocols and vulnerabilities.

The next modification, however, saw a Mirai-esque adaptation toward scale, as the attackers included a ‘selfRepo’ module, allowing Zerobot to reproduce itself and automatically spread to new hosts.

Zerobot initiates its attacks by first checking the target device’s OS type, which triggers its adaptive attack pattern. For instance, if the at-risk device is on Windows, Zerobot makes a copy of itself in the ‘Startup’ folder, sneakily hidden behind a file called FireWall.exe. For Linux, Zerobot follows three file paths directly to the system settings.

Once a copy has been planted, this file sets up an anti-kill module. This module prevents the user from terminating the program once started, simply by monitoring for any signal sent to kill the process; if such a signal is detected, it is swiftly blocked.

With a solidly malicious foundation set up, the new Zerobot member does two things: first, it scans for any other infectable internet-connected devices nearby.

Then, it sets up its connection to the command and control server. This makes the client available for a command from the server, and completes the formation of this brand new bot.

The latest uber-aggressive modifications

This attack chain summarises most of the older forms of Zerobot malware. However, Microsoft researchers recently identified new strains of the botnet that are becoming even more aggressive.

The infection vectors, once reliant solely on specific, publicly disclosed IoT vulnerabilities, are now leaning increasingly toward brute-force methods. This comes as little surprise, given the ubiquity of weakly secured devices that persist globally.

It’s not just the initial compromise attempts that are expanding into brute-force mechanisms: the architecture-specific downloader also identifies the operating system by brute force, simply cycling through attempts to download and execute different binaries until one succeeds.
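One way a defender can surface that architecture-cycling download pattern in egress or proxy logs, as an added example that is not from the original article or from the Microsoft research it refers to; the log format, addresses and filenames are constructed samples, not Zerobot indicators:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample egress-proxy log lines (timestamp, client, method, URL).
# The addresses and filenames are made up for this example, not Zerobot indicators.
SAMPLE_LOG = """\
2023-01-10T08:00:01 10.0.0.7 GET http://203.0.113.5/bins/bot.x86
2023-01-10T08:00:02 10.0.0.7 GET http://203.0.113.5/bins/bot.arm7
2023-01-10T08:00:04 10.0.0.7 GET http://203.0.113.5/bins/bot.mips
2023-01-10T08:00:05 10.0.0.7 GET http://203.0.113.5/bins/bot.mpsl
2023-01-10T08:00:10 10.0.0.9 GET http://198.51.100.2/firmware/update.bin
2023-01-10T08:30:00 10.0.0.7 GET http://203.0.113.5/bins/bot.x86_64
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Filename suffixes that name a CPU architecture; extend this list to suit your estate.
ARCH_SUFFIXES = {"x86", "x86_64", "arm", "arm5", "arm6", "arm7", "mips", "mpsl", "ppc", "sh4"}

def parse_log(text):
    """Yield (timestamp, client, url) from lines in the constructed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, _method, url = m.groups()
        yield datetime.fromisoformat(ts), client, url

def arch_of(url):
    """Return the architecture suffix of the requested filename, or None."""
    name = url.rsplit("/", 1)[-1]
    suffix = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return suffix if suffix in ARCH_SUFFIXES else None

def find_arch_cycling(text, window=timedelta(seconds=60), min_archs=3):
    """Return {(client, host): [archs]} for clients that fetched at least min_archs
    differently-named architecture binaries from one host inside the time window."""
    events = defaultdict(list)  # (client, host) -> [(timestamp, arch)]
    for ts, client, url in parse_log(text):
        arch = arch_of(url)
        if arch:
            events[(client, url.split("/")[2])].append((ts, arch))
    hits = {}
    for key, evs in events.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            archs = {a for t, a in evs[i:] if t - start <= window}
            if len(archs) >= min_archs:
                hits[key] = sorted(archs)
                break
    return hits
```

Tune the window, threshold and suffix list for your environment; a genuine firmware updater rarely pulls several differently-named architecture builds from the same host within a minute.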

This low-effort form of OS identification shows the increasingly low barrier to entry, and some of the motivations, driving today’s illicit botnet market. The minimum-effort ethos behind highly successful botnets parallels the legitimate software market’s focus on Minimum Viable Products (MVPs).

A reduced turnaround is financially beneficial - regardless of whether the software’s clients are recognised businesses or cybercriminals wanting to pull off aggressive DDoS attacks.

Furthermore, not only does Zerobot benefit from an anti-kill module, but the latest upgrades have even seen the development of measures aimed at evading security researchers. The aptly named function ‘selfRepo_isHoneypot’ has the new downloader check the legitimacy of its potential victim.

If the IP address matches any known honeypots - network decoys used by researchers to attract cybercriminals and collect real-world threat intelligence - the downloader terminates the malware download.

Protecting against the botnet threat

Botnets allow for the widespread automation of illicit cyberattacks. One of the most infamous uses for botnets of Zerobot’s scale is the DDoS attack.

This is the unrelenting practice of using bots to flood your site or application with requests, with the aim of overwhelming your back-end resources.

Other uses include product scraping and queue skipping. Fundamentally, your bot protection needs to defend mission-critical apps, APIs, and sites without false positives that block legitimate end-users.

Key features that allow bot defenses to offer truly next-generation protection are the solution’s flexibility and speed. Deployment times are now minutes instead of weeks, and integration with other security solutions is a must.

Whether that describes a single-stack deployment with a cloud web application firewall (WAF), or a more complex mix of connectors throughout AWS, Cloudflare, and Fastly, deployment is quicker and more comprehensive than ever before.

Also important is the obfuscation of your bot defenses’ code. Sophisticated botnet owners often attempt to reverse engineer the software keeping bad bots at bay; next-gen providers understand this, and so keep their defenses’ code protected with dynamic deception techniques.

With next-generation bot defenses in place, you can defend against the rising threats of adaptive botnets.

With a third-party supplier, managing these defenses no longer needs to fall upon an overworked or understaffed IT team that may lack the capacity to keep up with today’s botnet evolution.