Security researchers have reported a new botnet called JenX that stands out for how it spreads and how it is run. Rather than relying on email, it compromises consumer routers through two known firmware vulnerabilities, and its command infrastructure is hosted alongside a commercial service that rents out modded Grand Theft Auto: San Andreas multiplayer servers.
JenX Botnet Discovery and Infiltration Tactics
A new worldwide botnet infection has been reported by the security community. The threat is called JenX and features an unusual infiltration mechanism. According to the code analysis, it takes advantage of vulnerabilities in popular router models made by Huawei and Realtek. Both are among the largest network equipment manufacturers, and such models are commonly bought in bulk by Internet Service Providers (ISPs) and handed out to subscribers. This means that potentially thousands or even millions of routers are exposed to automated exploitation. The two vulnerabilities are tracked under the following identifiers:
- CVE-2014-8361 — The miniigd SOAP service in Realtek SDK allows remote attackers to execute arbitrary code via a crafted NewInternalClient request.
- CVE-2017-17215 — Remote code execution in Huawei HG532 routers through a command injection in the UPnP DeviceUpgrade service, reachable on TCP port 37215.
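As an added example (not code from the original article or from the researchers it cites), the following Python script flags exploitation attempts against these two vulnerabilities in HTTP request logs collected from a router's UPnP ports. The ports, request path, SOAPAction values and parameter names used as indicators are assumptions of this example taken from the public descriptions of the two CVEs, not details stated in the article; the log entries are constructed for the example, and the injected command is a harmless placeholder rather than a real downloader.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Indicators follow the public descriptions of the two CVEs. Ports, paths,
# SOAPAction values and element names are assumptions of this example, not
# details given in the article above.
#  - CVE-2014-8361: Realtek SDK miniigd UPnP/SOAP service (TCP/52869);
#    AddPortMapping with shell metacharacters inside <NewInternalClient>.
#  - CVE-2017-17215: Huawei HG532 UPnP service (TCP/37215); POST to
#    /ctrlt/DeviceUpgrade_1 with shell metacharacters inside <NewStatusURL>
#    or <NewDownloadURL>.
SHELL_INJECTION = re.compile(r"`|\$\(|;|\|\||&&")

# Private ranges from which UPnP/SOAP requests would legitimately originate.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Request:
    """One HTTP request as a collector might log it for a router's UPnP port."""
    src: str
    dst_port: int
    method: str
    path: str
    soap_action: str
    body: str


def _soap_param(body: str, name: str) -> Optional[str]:
    """Return the text of the first <name>...</name> element in a SOAP body."""
    match = re.search(rf"<{name}>(.*?)</{name}>", body, re.S)
    return match.group(1) if match else None


def classify(req: Request) -> Optional[str]:
    """Return the CVE an exploitation attempt targets, or None if no match."""
    if req.method != "POST":
        return None
    action = req.soap_action.strip('"')
    if req.dst_port == 52869 and action.endswith("WANIPConnection:1#AddPortMapping"):
        client = _soap_param(req.body, "NewInternalClient")
        if client and SHELL_INJECTION.search(client):
            return "CVE-2014-8361"
    if req.dst_port == 37215 and (req.path == "/ctrlt/DeviceUpgrade_1"
                                  or action.endswith("#Upgrade")):
        for name in ("NewStatusURL", "NewDownloadURL"):
            url = _soap_param(req.body, name)
            if url and SHELL_INJECTION.search(url):
                return "CVE-2017-17215"
    return None


def from_wan(src: str) -> bool:
    """True if the source is outside RFC1918 space. UPnP is a LAN protocol, so
    a WAN-side client on these ports is suspicious even before payload checks."""
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in RFC1918)


def scan(requests: List[Request]) -> List[Tuple[str, str, bool]]:
    """Return (source, CVE, reached_from_wan) for every matching request."""
    findings = []
    for req in requests:
        cve = classify(req)
        if cve:
            findings.append((req.src, cve, from_wan(req.src)))
    return findings


# Constructed log entries for the example; the injected command is a placeholder.
SAMPLE_REQUESTS = [
    Request("203.0.113.10", 37215, "POST", "/ctrlt/DeviceUpgrade_1",
            '"urn:schemas-upnp-org:service:WANPPPConnection:1#Upgrade"',
            "<NewStatusURL>$(echo injected)</NewStatusURL>"
            "<NewDownloadURL>HUAWEIUPNP</NewDownloadURL>"),
    Request("198.51.100.23", 52869, "POST", "/picsdesc.xml",
            '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"',
            "<NewExternalPort>47450</NewExternalPort>"
            "<NewInternalClient>`echo injected`</NewInternalClient>"),
    # Ordinary LAN-side port mapping: same action, no metacharacters.
    Request("192.168.1.50", 52869, "POST", "/picsdesc.xml",
            '"urn:schemas-upnp-org:service:WANIPConnection:1#AddPortMapping"',
            "<NewExternalPort>6881</NewExternalPort>"
            "<NewInternalClient>192.168.1.50</NewInternalClient>"),
    # A GET probe of the Huawei path is not an exploitation attempt by itself.
    Request("203.0.113.77", 37215, "GET", "/ctrlt/DeviceUpgrade_1", "", ""),
]

if __name__ == "__main__":
    for src, cve, wan in scan(SAMPLE_REQUESTS):
        print(f"{src} -> {cve} ({'WAN' if wan else 'LAN'} source)")
```

The metacharacter check is a coarse indicator, but a legitimate AddPortMapping carries a plain IP address in NewInternalClient and a legitimate upgrade request carries a plain URL, so neither produces false positives here. The WAN flag is the more important signal in practice: these UPnP services should never be reachable from the Internet, and an ISP-supplied router that answers on them from the WAN side is exposed whether or not any exploit has been attempted yet.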
It is interesting to note that both exploits were lifted from the Satori botnet: the code snippets were identified in public posts made by the hacker known under the alias “Janit0r”, the author of BrickerBot. According to the researchers, the botnet is aimed specifically at gaming providers, clubs and gamers.
The link to Grand Theft Auto is one of hosting rather than infection: the servers running JenX's command infrastructure belong to the same operator that rents out modded Grand Theft Auto: San Andreas servers, and the botnet's firepower is sold as a service that can be pointed at other game servers. Gaming servers are attractive targets because their owners pay for performance and network connectivity, and an outage is immediately felt by every connected player.
JenX is a follow-on to first-generation botnets such as Mirai, whose intrusion strategy was to probe devices for default credentials; once a device was compromised, the malware could change the account credentials and lock the owner out. Second-generation botnets such as Satori rely instead on firmware vulnerabilities, which makes them far more effective against their targets, because most IoT devices never receive critical security updates, either for lack of vendor support or through owner neglect. The exploits can be triggered from automated platforms, so even unskilled operators can add them to their attack schemes.
The JenX Botnet and the Gaming Servers Connection
One of the proposed reasons the operators focus on gaming servers is that they are frequently rented by whole groups or used in tournaments. A further concern is that a compromised server could be used to push malware to the connected clients through the games themselves, since most of them integrate chat features that can be abused.
Using social engineering, the criminals could deliver additional malware through links posted in the chat, disguised as service messages such as password reset links or notifications.
In other cases the victims could be redirected to phishing sites. Instead of delivering executable files, the criminals try to trick users into entering their account credentials on impostor sites that copy the graphics and text of widely visited web services and social networks. In recent years these scams have become so polished that the fake is often hard to tell from the legitimate service: the criminals not only clone the visual identity but also obtain valid TLS certificates for look-alike domain names, so the browser shows a padlock and an address that closely resembles the real one.
JenX Botnet Infection Capabilities
The researchers note that the botnet is particularly dangerous because it includes a stealth module intended to hide the threat from security software and analysis. Similar techniques are bundled into advanced ransomware, where the infection engine looks for sandboxes, debuggers, virtual machines and anti-virus products and tries to disable or remove them, deleting itself if the protection cannot be bypassed. The same steps can be added to JenX through its script commands. The operators were found to distribute JenX builds for MIPS, ARM and x86, the most common platforms among embedded devices and servers.
The operators seek to infiltrate both commercial and private servers quietly, and the wide platform support appears to be a deliberate choice. Scanning and exploitation are driven from a centralized server that acts as the primary malware platform rather than by the infected devices themselves: the operators load the exploits and other custom scripts there and use it to execute the follow-up stages of infection.
The same operator's sites offer modded Grand Theft Auto: San Andreas servers for $16 and TeamSpeak servers for $9. For $20 more, customers can use the botnet for DDoS attacks against a single target, with an advertised peak throughput of 290 to 300 Gbps. So far the impact of JenX has been limited to minor disruption among local gamers, though it can be used to sabotage Grand Theft Auto tournaments and group play.
The researchers point out that because control is centralized, taking down those servers would bring the whole platform down. It is presumed that future versions could move to a decentralized design; other recent IoT botnets have already been seen using a peer-to-peer approach, which is much harder to disrupt.
Owners of Huawei HG532 routers or Realtek-SDK-based routers should check with their ISP or vendor for firmware updates, replace devices that no longer receive them, and make sure the UPnP/SOAP services the two exploits target (TCP port 37215 on the Huawei devices, TCP port 52869 on Realtek-based ones) are not reachable from the Internet. All users should also scan their systems for active infections and keep their security software up to date.