Targeting DD-WRT Routers and Beyond
Security researchers have identified a new variant of the Gafgyt botnet, named C0XMO, which specifically targets DD-WRT router firmware. The malware is delivered by exploiting a buffer overflow vulnerability in DD-WRT that allows attackers to execute arbitrary code without authentication. Once deployed, C0XMO can propagate to a wide range of devices, including those running ARM, MIPS, PowerPC, SuperH, x86, and x86-64 architectures. It also carries exploits for DVRs, routers, video management platforms, and Android-based devices, demonstrating a broad lateral movement capability.
Aggressive Self-Defense and Modular Design
Researchers at Fortinet discovered that C0XMO actively scans for and terminates competing botnet clients and other disruptive software on infected hosts. It deletes binaries and removes cron jobs, init scripts, and shell profile entries to eliminate rival malware and ensure its own persistence. The botnet also installs a Python-based scanner that uses multiple worker threads to hunt for internet-facing systems on common ports, including SSH, Telnet, and HTTP/HTTPS, then attempts to brute-force weak credentials. Once inside, the malware copies itself to hidden directories and creates cron jobs that relaunch it every 15 minutes.
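The persistence pattern described above (a cron job on a 15-minute cadence that launches a binary from a hidden directory) is something a defender can audit for directly. The following is an added example written for this page, not code from Fortinet, BleepingComputer, or the malware itself. The crontab content it scans is constructed for illustration, and the decision rule (flag an entry only when at least two indicators coincide, so an ordinary */15 maintenance job is not reported) is an assumption of this example rather than a published detection signature.

```python
"""
Audit crontab text for the persistence pattern described in the article:
a job that fires every 15 minutes and runs a command located in a hidden
directory or a world-writable temp location. Added example; sample data
below is constructed, not taken from a real infection.
"""
import re
from dataclasses import dataclass

# Constructed sample crontab content (assumption: typical Linux/BusyBox format).
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/sbin/logrotate /etc/logrotate.conf
*/15 * * * * /tmp/.x/.updater >/dev/null 2>&1
*/5 * * * * /usr/bin/monitor-check
*/15 * * * * /var/run/.cache/run.sh
0,15,30,45 * * * * /opt/.hidden/bin/agent
@reboot /usr/local/bin/agent --start
"""

# Matches any path component that begins with a dot, e.g. "/tmp/.x" or "/opt/.hidden".
HIDDEN_PATH = re.compile(r"(?:^|/)\.[^/\s]+")

# Locations that are writable by any local user and commonly used as drop points.
TEMP_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/")


@dataclass
class CronFinding:
    line_no: int
    line: str
    reasons: list


def is_every_15_minutes(minute_field: str) -> bool:
    """True if the cron minute field fires at a 15-minute cadence."""
    if minute_field == "*/15":
        return True
    # Explicit list form, e.g. "0,15,30,45" (any order).
    try:
        minutes = sorted(int(m) for m in minute_field.split(","))
    except ValueError:
        return False
    return minutes == [0, 15, 30, 45]


def parse_cron_line(line: str):
    """Return (minute_field, command) or None for blank, comment, or @special lines."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or stripped.startswith("@"):
        return None
    parts = stripped.split(None, 5)  # five schedule fields, rest is the command
    if len(parts) < 6:
        return None
    return parts[0], parts[5]


def audit_crontab(text: str):
    """Return a CronFinding for every entry that shows at least two indicators."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        minute_field, command = parsed
        reasons = []
        if is_every_15_minutes(minute_field):
            reasons.append("15-minute relaunch cadence")
        if HIDDEN_PATH.search(command):
            reasons.append("command path in hidden directory")
        if command.startswith(TEMP_PREFIXES):
            reasons.append("runs from world-writable temp location")
        # Assumption of this example: a single indicator alone is too noisy to report.
        if len(reasons) >= 2:
            findings.append(CronFinding(line_no, line, reasons))
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB):
        print(f"line {finding.line_no}: {finding.line}")
        for reason in finding.reasons:
            print(f"    - {reason}")
```

On a live system the same function can be fed the output of crontab listings and the contents of the system cron directories; the point of the example is the combination of indicators, since neither a 15-minute schedule nor a dotfile path is suspicious on its own.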
DDoS Capabilities and Operational Sophistication
C0XMO is designed primarily for launching distributed denial-of-service (DDoS) attacks and supports 19 distinct methods, including UDP, TCP, SYN, and ICMP floods, ping of death, and NTP or Memcached amplification. The botnet connects to a hardcoded command-and-control server using a multi-stage handshake with magic strings and shared secrets. Fortinet notes that C0XMO exhibits a considerably more advanced architecture and feature set compared to earlier IoT botnets, indicating a greater degree of operational sophistication. To defend against such threats, users should keep devices updated, use unique admin credentials, and disable unnecessary remote access.
Source: BleepingComputer
