For 8 years, a hacker operated a massive IoT botnet just to download Anime videos

The botnet consisted solely of D-Link NAS and NVR devices and the botnet peaked at 10,000 bots in 2015.

anime.jpg

Image: Screenshot from Golden Kamuy anime series by Geno Studio.

For almost eight years, a hacker has silently hijacked D-Link NVRs (network video recorders) and NAS (network-attached storage) devices into a botnet that had the sole purpose of connecting to online websites and download anime videos.

Named Cereals and first spotted in 2012, the botnet reached its peak in 2015 when it amassed more than 10,000 bots.

However, despite its size, the botnet operated without detection from most cyber-security firms. Currently, Cereals is slowly disappearing, as the vulnerable D-Link devices on which it fed all these years have started aging and are being decommissioned by their owners. Further, the botnet's decline was also accelerated when a ransomware strain named Cr1ptT0r wiped the Cereals malware from many D-Link systems in the winter of 2019.

Now that both the botnet and the vulnerable devices behind it are dying out, cyber-security firm Forcepoint published a report on the botnet's past operations, without fear that its report could draw attention to vulnerable D-Link systems and spark a new series of attacks from other botnets.

Botnet exploited just one single vulnerability

According to Forcepoint researchers, the Cereals botnet was unique in its modus operandi because it exploited just one vulnerability during all its eight-year life.

The vulnerability resided in the SMS notification feature of the D-Link firmware that powered the company's line of NAS and NVR devices.

The bug allowed the Cereals author to send a malformed HTTP request to a vulnerable device's built-in server and execute commands with root privileges.

Forcepoint says the hacker scanned the internet for D-Link systems vulnerable to this bug, and the exploited the security flaw to install the Cereals malware on vulnerable NAS and NVR devices.

cereals.png

Image: Forcepoint

But despite exploiting just one vulnerability, the botnet was quite advanced. Cereals maintained as many as four backdoor mechanisms to access infected devices, it attempted to patch systems to prevent other attackers from hijacking systems, and it managed infected bots across twelve smaller subnets.

A hobby project?

However, despite this advanced setup, Forcepoint says that the botnet was most likely a hobby project.

First, the botnet exploited just one single vulnerability during the botnet's eight-year life, without ever bothering to expand its operation to other systems beyond D-Link NAS and NVRs.

Second, the botnet never strayed from its Anime video leeching purpose. Forcepoint said the botnet did not execute DDoS attacks, nor did it find evidence that the botnet tried to access user data stored on the NAS and NVR devices.

All of this suggests that the botnet's author, believed to be a German man named Stefan, never had any criminal intentions in building Cereals, a botnet that appears to have had just one single purpose -- downloading Anime vids.