This mysterious malware could threaten millions of routers and IoT devices

Cybersecurity researchers detail BotenaGo malware, which takes advantage of over 30 different security vulnerabilities.
Written by Danny Palmer, Senior Writer

A new form of Internet of Things malware, which uses over 30 different exploits, has been spotted by security researchers.

Detailed by cybersecurity researchers at AT&T Alien Labs, BotenaGo malware can use a number of methods to attack targets then create a backdoor on compromised devices. "Deployed with more than 30 exploits, it has the potential of targeting millions of routers and IoT devices," said the researchers.

Some anti-virus suites detect the malware as a variant of Mirai, the IoT botnet that overwhelmed large sections of the internet with DDoS attacks in 2016. While the payload initially looks similar, BotenaGo differs significantly in that it is written in the Go programming language.


Go has been gaining popularity among developers in recent years – and it's also becoming increasingly popular with malware authors. 

BotenaGo scans the internet for vulnerable targets, and analysis of the code reveals that the attacker is presented with a live global infection counter showing how many devices are compromised at any given time.

Attackers can exploit the vulnerabilities in internet-facing devices and execute remote shell commands on them, access that could be used as a gateway into the wider network if the devices aren't properly secured.

Attackers could also use this remote shell access to distribute malicious payloads, but by the time researchers were analysing BotenaGo these had apparently been removed from the attackers' servers, so it wasn't possible to analyse them.

BotenaGo could potentially compromise millions of devices exposed to the vulnerabilities detailed by the researchers, but there currently isn't any obvious communication with a command-and-control server.

According to the researchers, there are three possible explanations. First, BotenaGo could be just one module of a larger malware suite that isn't being used in attacks right now. Second, it could be connected to Mirai, used by those behind Mirai when targeting specific machines. Finally, the researchers suggest BotenaGo may still be in development and a beta version may have been released early by accident, which would explain why it doesn't do much yet.


Even if it is currently inactive, the number of vulnerabilities BotenaGo can exploit means millions of devices are potentially at risk.

To protect against this and other IoT malware threats, it's recommended that device software is kept up to date, with security updates applied as soon as possible to minimise the window in which attackers can exploit newly disclosed vulnerabilities.

It's also recommended that IoT devices aren't exposed directly to the wider internet, and that a properly configured firewall is deployed to protect them.
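To make the "don't expose IoT devices to the internet" advice concrete, here is an added example (not code from the article or from AT&T Alien Labs) that models a small first-match packet filter and compares a weak policy, which forwards router management ports to the whole internet, with a hardened one that only admits replies to sessions the IoT segment started plus management traffic from a trusted LAN. The rule format, the address ranges, the attacker address and the probe port list are assumptions chosen for illustration, not anything the article specifies.

```python
"""Added example: compare a weak and a hardened IoT firewall policy.

Everything here (rule format, segments, ports) is an assumption made for
the example; it is not derived from the article or the malware analysis.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source CIDR
    dst: str                    # destination CIDR
    dport: Optional[int]        # destination port, None = any port
    established: bool = False   # only matches replies to an existing session


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    established: bool = False   # True for return traffic of a session the dst side opened


INTERNET = "0.0.0.0/0"
LAN = "192.168.1.0/24"    # assumed trusted workstation segment
IOT = "192.168.50.0/24"   # assumed IoT / router-management segment

# Weak policy: port forwards expose the device web UI (80) and telnet (23)
# to every address on the internet. This is the exposure the article warns about.
WEAK_POLICY: List[Rule] = [
    Rule("allow", INTERNET, IOT, None, established=True),
    Rule("allow", INTERNET, IOT, 80),
    Rule("allow", INTERNET, IOT, 23),
    Rule("allow", LAN, IOT, None),
    Rule("deny", INTERNET, INTERNET, None),
]

# Hardened policy: no unsolicited inbound traffic reaches the IoT segment;
# management is reachable only from the trusted LAN and only over HTTP(S).
HARDENED_POLICY: List[Rule] = [
    Rule("allow", INTERNET, IOT, None, established=True),  # replies to IoT-initiated sessions
    Rule("allow", LAN, IOT, 80),
    Rule("allow", LAN, IOT, 443),
    Rule("deny", INTERNET, IOT, None),                     # explicit deny into the IoT segment
    Rule("deny", INTERNET, INTERNET, None),                # default deny for everything else
]


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's source, destination, port and state constraints all fit the packet."""
    if rule.established and not pkt.established:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    src_ok = ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
    dst_ok = ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
    return src_ok and dst_ok


def evaluate(policy: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First-match evaluation: the first rule that fits decides; otherwise the default applies."""
    for rule in policy:
        if matches(rule, pkt):
            return rule.action
    return default


def exposed_services(policy: List[Rule], target_net: str, probe_ports: List[int]) -> List[int]:
    """Ports on the first host of target_net reachable by unsolicited traffic from the internet."""
    attacker = "203.0.113.7"  # assumed external address (TEST-NET-3 documentation range)
    victim = str(next(ipaddress.ip_network(target_net).hosts()))
    return sorted(
        p for p in probe_ports
        if evaluate(policy, Packet(attacker, victim, p)) == "allow"
    )


if __name__ == "__main__":
    # Assumed probe list: common router management ports an internet-wide scanner would try.
    probes = [22, 23, 80, 443, 7547, 8080]
    print("weak policy exposes:", exposed_services(WEAK_POLICY, IOT, probes))
    print("hardened policy exposes:", exposed_services(HARDENED_POLICY, IOT, probes))
```

The useful check is `exposed_services`: run against your own ruleset it answers the question a scanner like the one described above would answer for you, namely which management ports on the IoT segment accept unsolicited connections from an arbitrary internet address. The hardened policy still lets the devices fetch updates, because return traffic for sessions they open matches the `established` rule, while management from the LAN is limited to HTTP and HTTPS and telnet is blocked from everywhere.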
