Three-Month-Old Roboto Botnet Targets Linux Webmin Servers

Delaware, USA – November 21, 2019 – New peer-to-peer botnet exploits the recently patched vulnerability in Webmin web-based system administration tool to infect Linux servers. CVE-2019-15107 was patched in August this year, and just a few days later adversaries began to exploit this vulnerability, among the ‘attackers’ was Roboto botnet spotted by researchers at 360 Netlab. The botnet continues to grow, and its authors modify its modules for infection and DDoS attacks. Despite the fact that the bot module is able to conduct DDoS attacks via ICMP, HTTP, TCP, and UDP, the researchers have not yet recorded any such use of the module. In addition to DDoS attacks, Roboto botnet is capable of collecting data about the infected machine and uploading it to attackers ’ servers, running Linux system() commands, downloading and executing files, as well as functioning as a reverse shell.

Most infected servers are ‘sleeping agents’, waiting for a command from their control peer. Other systems scan the Internet for vulnerable systems and exploit CVE-2019-15107 to drop the downloader module, which “uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to ensure the integrity and security of its components and P2P network , create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control.”

P2P botnets rarely appear in cyberspace, but they are rather difficult to disable and they can grow rapidly, some of them continue to exist years after their appearance. Now it’s difficult to determine how large Roboto botnet can grow, as there are 200,000 – 1,000,000 Webmin installations worldwide. To detect attacks on your servers, you can use the Web Application Security Framework rule pack that spots malicious activity and acts as an early warning system for your critical business applications: application-security-framework