A new botnet is slowly building critical mass on the back of unsecured webcams and IP cameras, currently mass-scanning the Internet for vulnerable devices.

The mass scans started on April 16, about a month after security researcher Pierre Kim disclosed a vulnerability affecting over 1,250 camera models.

The flaws he discovered allowed an attacker to take over the affected products. Kim made his discovery public, as the company from where the vulnerability originated didn't bother responding to his emails, let alone issue a fix.

At the time, Kim said that a simple Shodan scan revealed nearly 200,000 webcams easily accessible online, and ready for the taking.

New botnet rises one month after vulnerability disclosure

While initially things looked for the better, scans for this flaws started on April 16. First to notice the scans were researchers from SANS Technology Institute, who spotted an increase of scans on port 81 but couldn't identify their purpose.

Things became clearer today after a report from the Qihoo 360 Network Security Research Lab (NetLab), who linked the port 81 scans to a new IoT botnet.

Further, researchers also managed to get their hands on the binary downloaded on infected cameras. Clues left inside this binary mention the Mirai malware, but researchers said they don't believe this is a Mirai variant, but something new altogether, trying to pass as Mirai.

Botnet spreads via port 81 scans

The infection chain is as follows. An unknown attacker starts scanning the Internet for GoAhead, the lightweight web server embedded with all vulnerable cameras. Once the attacker has identified a vulnerable host, he attempts to exploit the vulnerability exposed by Kim.

If he succeeds, he gains root access to the device, downloads a binary, and moves to a new victim. The scanning operations take place via port 81 and from previously infected hosts.

According to NetLab, just one week after the scans started, on April 22, there were nearly 2.7 million scans per day coming from 57,400 unique IP addresses, which is a rough estimate on the number of infected devices and the size of this new botnet.

An increase of port 81 scans
An increase of port 81 scans [Source: ICS SANS]

New IoT botnet deployed for DDoS attacks

Currently, the botnet communicates with a command and control server hosted on Iranian domains, at load.gtpnet.ir and ntp.gtpnet.ir.

On April 23, this new botnet showed its teeth for the first time when its masters used it to launch a DDoS attack against a Russian bank.

An analysis of this DDoS attack also reinforced NetLab's conclusion that this wasn't just another variation of the Mirai malware, but something new altogether, which was trying to disguise as Mirai, hoping to confuse security researchers.

Differences from Mirai Similarities with Mirai

No more brute-force on port 23/2323 port
C2 communication protocol is completely different from Mirai
Attack module is completely different from Mirai
Mirai does not attack on UDP port 53/123/656 like this new botnet.
The unique Mirai GRE / STOMP attack is nowhere to be seen in this new botnet

The use of some sort of unique syn scan to speed up the process of port scanning
Similar file naming scheme
Partial code borrowed from Mirai

Since NetLab has visibility to DNS activity in China, they were able to determine that at the time they published their research, the botnet had 43,621 bots. They were able to detect the exact size because of their ability to view DNS requests for the botnet's C&C servers.

The original Chinese company where the vulnerability originated had sold its products as white-label cameras that other companies bought and put their logo on top. This explains the large number of vulnerable camera models (over 1,250), but also why vulnerable cameras are all over the world, not only in China. Worldwide, this new botnet is certainly much larger.