Zerobot Malware Exploiting Apache Bug to Launch DDoS Attack

As a result of the exploitation of security vulnerabilities found on unpatched Apache servers that are exposed to the Internet, the Zerobot botnet has been recently upgraded with the capability of infecting new devices.

Latest version also features new DDoS capabilities as observed by the Microsoft Defender for IoT research team. Since November at least, Zerobot has been under active development as part of its development process.

Several new modules and features have been added to the new versions to increase the attack vectors available to the botnet, respectively. As a result, it is now easier for cybercriminals to infect new devices, such as:-

Firewalls
Routers
Cameras

By exploiting the year-old exploits, the following devices were actively targeted by the malware modules that were removed by the developers in early December:-

EHA

phpMyAdmin servers
Dasan GPON home routers
D-Link DSL-2750B wireless routers

Zerobot Modules

In addition to the updates discovered by Microsoft, the malware’s toolkit also includes new exploits. This latest update enables it to now target seven new types of devices and software, which is a significant improvement. While this also includes the:-

Unpatched versions of Apache
Unpatched versions of Apache Spark

In addition to these new capabilities, the Zerobot 1.1 features a comprehensive list of new modules, including:-

CVE-2017-17105: Zivif PR115-204-P-RS
CVE-2019-10655: Grandstream
CVE-2020-25223: WebAdmin of Sophos SG UTM
CVE-2021-42013: Apache
CVE-2022-31137: Roxy-WI
CVE-2022-33891: Apache Spark
ZSL-2022-5717: MiniDVBLinux

Zerobot is also capable of exploiting known vulnerabilities to propagate through compromised devices. The most interesting thing about this malware is that the known security flaws that it exploits are not included in the binary of the malware.

New DDoS Capabilities

There are seven new DDoS capabilities available with the updated malware, including TCP_XMAS, which is a new DDoS attack method. Here below we have mentioned all the seven new DDoS capabilities:-

UDP_RAW: Sends UDP packets where the payload is customizable.
ICMP_FLOOD: Supposed to be an ICMP flood, but the packet is built incorrectly.
TCP_CUSTOM: Sends TCP packets where the payload and flags are fully customizable.
TCP_SYN: Sends SYN packets.
TCP_ACK: Sends ACK packets.
TCP_SYNACK: Sends SYN-ACK packets.
TCP_XMAS: Christmas tree attack (all TCP flags are set). The reset cause field is “xmas”.

As early as mid-November, this Go-based malware was spotted for the first time, and security analysts concluded that it was spreading quickly. Nearly two dozen exploits were utilized when it was released in order to infect different types of devices with it.

Flaws tied to Zerobot

The following vulnerabilities and exploits have been detected by Microsoft Defender, and are linked to Zerobot activity:-

CVE-2014-8361
CVE-2016-20017
CVE-2017-17105
CVE-2017-17215
CVE-2018-10561
CVE-2018-20057
CVE-2019-10655
CVE-2020-7209
CVE-2020-10987
CVE-2020-25506
CVE-2021-35395
CVE-2021-36260
CVE-2021-42013
CVE-2021-46422
CVE-2022-22965
CVE-2022-25075
CVE-2022-26186
CVE-2022-26210
CVE-2022-30023
CVE-2022-30525
CVE-2022-31137
CVE-2022-33891
CVE-2022-34538
CVE-2022-37061
ZERO-36290
ZSL-2022-5717

Recommendations

It is recommended by Microsoft that in order to protect your devices and networks from the Zerobot threat, you should take the following steps:-

Implement security solutions that are capable of detecting threats across domains and providing cross-domain visibility.
Take a proactive approach to IoT security by adopting a comprehensive security solution.
The configuration of devices should be secure to prevent unauthorized access.
It is important to keep your device up-to-date in order to maintain its health.
Make sure that you use the least privileged access whenever possible.
Make sure your endpoints are secure with a Windows security solution that provides a comprehensive approach.
Apps that can be used by your employees should be managed.
Executables that are no longer needed or stale should be cleaned up on a regular basis.