BotenaGo Malware Targets Millions of IoT Devices

AT&T Alien Labs has identified a new malware that’s left millions of IoT devices exposed. Written in Google’s Golang programming language, the BotenaGo backdoor vulnerability exploits IoT through the 19412 networking port or related modules. The malware resemble the Mirai botnet that closed off internet access for much of the East Coast in 2016. 

When leveraged from a remote computer, the malware gives attackers access to more than 30 exploits, many of which have been logged on the Common Vulnerabilities and Exposures database.

Compromised IoT products include various network routers and firewall such as the D-Link DIR-645, Linksys X3000 and Netgear WN604.

The malware starts by printing a count of infected machines to the hacker’s payload interface before loading shell script files to the host machine.

The attack surface is then targeted using a function to map the victim’s device. Each device destination is expressed in command terminal strings that initiate malicious tools. That’s followed by sending a request to the IoT endpoint to confirm the destination is real.  Attackers can then hit enter to deliver the malignant payload.

In a demonstration of the threat, AT&T Alien Labs said almost 2 million targets on the discontinued Boa web server could be assailed.

Boa mainly serves software applications for embedded devices including IoT endpoints. A further 250,000 devices could be infected by running a second mapping string. 

BotenaGo is compiled in the open-source programming language Golang, first published by Google developers in 2007. It’s popularity stems from the ease with which it can be tweaked for different operating systems, AT&T said.

Golang also helps malware evade antivirus products. AT&T Alien Labs said the BotenaGo malware was correctly identified by six of 62 known antivirus scanners.