Momentum Botnet Infects Linux-based Routers And Smart Devices, Uses Them For DDoS Attacks

From LinuxReviews
Jump to navigationJump to search

Cloud provider and security research firm Trend Micro reports that they are seeing "notable malware activity" on "devices running Linux" from a botnet called Momentum. The actual devices in question are IoT devices, security cameras, routers, copy machines and TV top-set boxes running a variety of exploitable software on top of a Linux kernel.

written by 林慧 (Wai Lin). published 2019-12-17last edited 2019-12-18

Smart devices and routers (not these) can be infected by botnets like "Momentum".

Trend Micro story regarding the Momentum botnet is:

"Momentum targets the Linux platform on various CPU architectures such as ARM, MIPS, Intel, Motorola 68020, and more. The main purpose of this malware is to open a backdoor and accept commands to conduct various types of DoS attacks against a given target"

The Security Vulnerabilities "Momentum" (ab)Uses

Trend Micro was kind enough to include a list of the methods the Momentum botnet uses to spread itself towards the end of their dramatic article/product advertisement. It has many methods for infecting devices:

Momentum covers most of the long-known router exploits. It supports:

None of the listed methods take advantage of security flaws in the Linux kernel and none of them affect desktop and server distributions like RHEL, CentOS, Debian, Manjaro or free software router firmware distributions like OpenWrt.

The DDoS Modules

The Momentum botnet has a long list of modules for carrying out DDoS attacks using its infected botnet nodes. Only one stands out as particularly noteworthy: It supports a memcached amplification attack. This particularly attack is not at all unique to Momentum. Memcached is typically used for object caching on a local machine or a local network. Exposing memcached's port to the Internet will result in it being used for DDoS amplification attacks. All you have to do to see how common this is is to start a memcached service on a public IP with its default port 11211 open. It will be exploited within 10-30 minutes. System administrators should keep this in mind when configuring LAMP servers and other deployments using memcached.

Momentum has also got support for DNS amplification attacks just in case some public DNS server has not been upgraded since those attacks were made a non-issue thanks to updates nearly a decade ago.

The rest of Momentum's DDoS modules are dull and not even remotely interesting. It supports doing SYN floods, UDP floods, RTCP floods and several other similar flood attacks. They are all regular straight-forward send a lot of data attacks taking advantage of a potentially large number of botnet machines participating in the attack (amplification attacks, on the other hand, uses weaknesses in software on other hosts to make those other hosts send lots of data to a target).

Lessons Worth Learning

You should look for a firmware update you own or use any of the above listed IoT smart displays, CCTV cameras or routers. The chances that you do are fairly slim, none of those devices are very common. You should probably also check if there are firmware updates, if you have any similar Internet of Things (IoT) devices.

You should also, regardless of owning any of the above listed devices, remember one important lesson: Firmware running on devices which look more like appliances than computers can and does have security problems (even if they happen to be running a Linux kernel). Buy and use routers capable of running free software like OpenWrt instead of locked-up routers running black-box closed-source firmware. As for other IoT devices and "smart" appliances: It's mostly best to avoid them. Refrigerators have been able to keep food cold without any "smart" functionality for many decades.

Add your comment
LinuxReviews welcomes all comments. If you do not want to be anonymous, register or log in. It is free.