The Zerobot DDoS botnet, first discovered earlier this month, has received significant updates that expand its capabilities in recently discovered samples. The updates broaden the range of Internet-connected devices it can target and help it grow its botnet.
Zerobot now includes the capability to exploit seven more vulnerabilities, expanding its list of exploits to over 28. These include CVE-2021-42013 and CVE-2022-33891, vulnerabilities in Apache and Apache Spark, respectively, that can allow remote code execution on the vulnerable system. In addition to these new exploits, Zerobot now also includes the capability to brute-force open SSH and Telnet ports in an attempt to spread itself to more systems. Zerobot also incorporates seven new DDoS attack methods, which let it use additional protocols, including UDP and ICMP, to initiate DDoS attacks against targets.
Zerobot, also called ZeroStresser by its operators, is marketed as a DDoS-for-hire service that other criminal actors can purchase to use against whoever they want to target. The malware’s rapid evolution over the past month shows the operators’ intent to continue to entice threat actors into picking their service over others by expanding capabilities and features.
The main methods Zerobot uses to infect a system, brute force and vulnerability exploitation, can easily be prevented by following a few recommended steps. The first recommendation is to make sure all devices on a network are up to date on their patches, particularly any Internet-facing devices. The threat actors rely on devices remaining unpatched to infect systems and grow their botnet, so by keeping all devices up to date and not vulnerable, an organization can help prevent its systems from being used in DDoS attacks. It is also recommended to expose remote access protocols such as SSH and Telnet to the Internet only where absolutely necessary. Every device that has these exposed to the Internet should be heavily scrutinized to determine whether the exposure is required, particularly in the case of Telnet, which is considered insecure. If SSH is determined to be required, it is recommended to either use public key authentication for all access or use extremely strong passwords to help prevent brute-force attacks from succeeding. Finally, it is recommended to use and maintain both network-level and endpoint-level security controls to help prevent and detect malware infections. Network-level controls can help detect, and potentially prevent, infected systems within a network from actively participating in a DDoS attack by monitoring the volume of traffic directed at a single target. Likewise, endpoint security controls can help detect and prevent the main Zerobot malware from executing on a system in the first place, thus preventing it from joining the botnet and being used to DDoS targets.
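As an added example that is not part of the original article, the network-level monitoring described above can be approximated by aggregating flow records per source/destination pair and alerting when UDP or ICMP volume toward a single target crosses a threshold within a time window. The flow-log format, the addresses, and the threshold and window values are constructed assumptions, not values from the page.

```python
"""Flag internal hosts whose UDP/ICMP volume toward one target suggests a DDoS flood."""
from collections import defaultdict

# Constructed sample flow records (assumed format): timestamp src dst proto packets.
SAMPLE_FLOWS = """\
1671000000 10.0.0.7 203.0.113.10 UDP 48000
1671000000 10.0.0.7 203.0.113.10 ICMP 52000
1671000010 10.0.0.7 203.0.113.10 UDP 61000
1671000000 10.0.0.12 198.51.100.5 TCP 40
1671000005 10.0.0.12 198.51.100.9 TCP 75
1671000020 10.0.0.30 203.0.113.10 UDP 900
"""

# Assumed tuning values: packets per (src, dst) pair per window that trigger an alert.
PACKET_THRESHOLD = 100_000
WINDOW_SECONDS = 60


def parse_flows(text):
    """Parse flow-log lines into (ts, src, dst, proto, packets); skip malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, proto, packets = parts
        flows.append((int(ts), src, dst, proto.upper(), int(packets)))
    return flows


def find_flood_sources(flows, threshold=PACKET_THRESHOLD, window=WINDOW_SECONDS):
    """Return {(src, dst): peak_packets} for pairs whose UDP or ICMP packet volume
    toward a single destination exceeds the threshold inside one time window.
    Only UDP and ICMP are counted because those are the flood protocols the
    article names; TCP flows are ignored by this simple check."""
    buckets = defaultdict(int)
    for ts, src, dst, proto, packets in flows:
        if proto not in ("UDP", "ICMP"):
            continue
        buckets[(src, dst, ts // window)] += packets
    alerts = {}
    for (src, dst, _bucket), total in buckets.items():
        if total > threshold:
            alerts[(src, dst)] = max(total, alerts.get((src, dst), 0))
    return alerts


if __name__ == "__main__":
    for (src, dst), packets in find_flood_sources(parse_flows(SAMPLE_FLOWS)).items():
        print(f"ALERT: {src} sent {packets} UDP/ICMP packets to {dst} within one window")
```

On the constructed sample, only 10.0.0.7 is flagged; the low-volume UDP sender and the TCP-only host are not, so tuning the threshold to the organization's normal traffic profile is what keeps this check useful.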