DemonBot has been active in the wild since late September using several servers but has recently grown to 70 servers as of this week. DemonBot searches the internet for vulnerable Hadoop installations and will compromise them. Researchers tracking the botnet noticed an increase of activity of over one million exploitation attempts daily. Even though researchers know the number of systems scanned, this is just the recruiting phase for the botnet. The bots remain silent until the DDoS attack starts. The attack vectors supported by DemonBot are TCP and UDP floods.” DemonBot will leverage an unauthenticated remote code execution vulnerability in the YARN (Yet Another Resource Negotiator) module, which is used in enterprise networks for job scheduling and cluster resource management. Since March this year, there has been a PoC demonstrating the vulnerability on GitHub. According to researchers, “It appears that the cause of all trouble is a misconfiguration in YARN, which exposes a REST API and allows a remote application to add new applications to the cluster. Taking advantage of this oversight, the attackers choose to submit the DemonBot malware.” The malware code seen on servers that are offline referenced the Owari botnet, which is a variant of the Mirai botnet. Further investigation revealed that DemonBot is a new botnet.
Users are recommended to always patch vulnerabilities in servers when able. When receiving links from unfamiliar sources or even trusted sources, always be cautious when clicking links. Do not click on ads and avoid falling for phishing scams. Users can also keep a powerful antivirus software on their computer or mobile device.