Researchers have published details of the “largest botnet” seen in the wild in the past six years. Built to launch distributed denial-of-service (DDoS) attacks and to inject advertising into plain-HTTP websites visited by unsuspecting users, the malware has infected approximately 1.6 million devices, most of them in China.
Qihoo 360’s Netlab security team named the botnet “Pink” after a sample discovered on November 21, 2019, because many of its function names begin with “pink.”
The botnet, which primarily targets MIPS-based fiber routers, combines third-party services such as peer-to-peer (P2P) networks and GitHub with central command-and-control (C2) servers to manage its communications, and fully encrypts its transmission channels to keep its hold on compromised devices.
Pink has also been observed using DNS-over-HTTPS (DoH), a mechanism for performing remote Domain Name System resolution over the HTTPS protocol, to reach the controller specified in a configuration file delivered via GitHub or Baidu Tieba, or, in some samples, via a hard-coded domain name.
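Because Pink resolves its controller over DoH, conventional DNS-query logging on the network sees nothing; the resolution is hidden inside an HTTPS session. One defensive check that follows from this is to look in TLS/proxy logs for hosts, particularly on subnets that hold routers and other embedded devices, that talk to public DoH resolvers or to the RFC 8484 `/dns-query` endpoint when they have no business doing so. The Python below is an added example written for this article, not code from Netlab, NSFOCUS, or the botnet itself; the log format, the source addresses, the allowlist, and the subnet layout are all constructed, and the resolver hostnames are just well-known public DoH services used as an illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of TLS/proxy log lines (not real traffic). The key=value
# layout is hypothetical; adapt parse_line() to your own proxy or flow logs.
SAMPLE_LOG = """\
2021-11-02T08:15:01Z src=10.20.0.7 dst=198.51.100.10 sni=www.example.com path=/index.html method=GET
2021-11-02T08:15:04Z src=10.20.0.42 dst=1.1.1.1 sni=cloudflare-dns.com path=/dns-query method=POST
2021-11-02T08:15:09Z src=10.20.0.42 dst=8.8.8.8 sni=dns.google path=/dns-query?dns=AAABAAABAAAAAAAAA2 method=GET
2021-11-02T08:16:30Z src=10.20.1.5 dst=9.9.9.9 sni=dns.quad9.net path=/dns-query method=POST
2021-11-02T08:17:00Z src=10.20.0.42 dst=203.0.113.9 sni=cdn.example.net path=/assets/app.js method=GET
"""

# Well-known public DoH resolver hostnames used purely as illustration; a real
# deployment would maintain this list from its own threat-intel feeds.
KNOWN_DOH_RESOLVERS = {
    "cloudflare-dns.com",
    "dns.google",
    "dns.quad9.net",
    "doh.opendns.com",
}

# Default DoH endpoint path from RFC 8484 (the "dns-query" URI template).
DOH_PATH = "/dns-query"

# Hypothetical allowlist: hosts (e.g. managed workstations) where DoH is expected.
ALLOWED_DOH_SOURCES = {"10.20.1.5"}

_KV = re.compile(r"(\w+)=(\S+)")


def parse_line(line: str) -> dict:
    """Split one 'key=value key=value' log line into a dict."""
    return dict(_KV.findall(line))


def is_doh(event: dict) -> bool:
    """True if the event looks like a DoH exchange: known resolver SNI or the
    RFC 8484 endpoint path (query string stripped before comparing)."""
    sni = event.get("sni", "").lower()
    path = urlsplit(event.get("path", "")).path
    return sni in KNOWN_DOH_RESOLVERS or path == DOH_PATH


def find_unexpected_doh(log_text: str, allowed_sources: set) -> dict:
    """Return {source_ip: {resolver_sni, ...}} for DoH traffic from hosts that
    are not on the allowlist. Each such host is a candidate for follow-up: on a
    router/IoT subnet it is exactly the behaviour described for Pink."""
    findings: dict = {}
    for line in log_text.splitlines():
        event = parse_line(line)
        if not event or not is_doh(event):
            continue
        src = event.get("src", "")
        if src in allowed_sources:
            continue
        findings.setdefault(src, set()).add(event.get("sni", ""))
    return findings


if __name__ == "__main__":
    for src, resolvers in find_unexpected_doh(SAMPLE_LOG, ALLOWED_DOH_SOURCES).items():
        print(f"unexpected DoH from {src}: {', '.join(sorted(resolvers))}")
```

Run as a script it reports only `10.20.0.42`, the host on the constructed device subnet that reached two public DoH resolvers; the allowlisted workstation `10.20.1.5` is ignored. Matching on both SNI and the `/dns-query` path matters because a resolver that is not on the hostname list still reveals itself through the standard endpoint, while an unusual path on a known resolver hostname is still caught by the SNI check.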
According to an independent report by Beijing-based cybersecurity firm NSFOCUS, more than 96 percent of the zombie nodes in the “super-large-scale bot network” were located in China, and the attacker broke into the devices to deploy the malicious programs by exploiting zero-day vulnerabilities in network gateway equipment.
The botnet is still operating, with over 100,000 nodes, even though many infected devices have been patched and restored to their original state.
The findings are further evidence of how botnets can give malicious actors a formidable infrastructure for a range of attacks; the botnet has carried out roughly 100 DDoS attacks so far.
According to NSFOCUS experts, IoT devices have become a major target for cybercrime groups and even advanced persistent threat (APT) organizations. Pink is the largest botnet identified so far, but it will not be the last.