
In an ongoing effort to tame the Aisuru and Kimwolf botnets, responsible for the largest DDoS attacks to date and powering massive proxy services, Lumen severed 550 command-and-control centers, disrupting the malicious activity.
Lumen, a telecommunications company, stated that it null-routed over 550 command-and-control (C2) nodes in four months, which were used by the operators of the Aisuru and Kimwolf botnets.
Null routing means that traffic destined for a specific IP address is dropped or sent to a non-existent endpoint, leaving the infected devices (bots) screaming into the void, unable to receive further commands.
Aisuru and its successor, Kimwolf, are behind the largest DDoS (distributed denial-of-service) attacks ever recorded, controlling an estimated two million Android devices, mostly off-brand TV boxes.
Last year, one of the botnet’s C2 servers received so many requests that it even surpassed Google as the most popular website.
“As the botnet grew to a critical size, Lumen took action by blocking traffic to and from known C2 nodes across our global network,” Lumen’s Black Lotus Labs researchers said in a report on LinkedIn.
The ongoing battle against the botnet is a cat-and-mouse game. Once a server is taken down, the botnet operators spin up another one. In early October last year, Kimwolf reached 800,000 active bots, most of which were found listed for sale on a single residential proxy service.
“Kimwolf proved to be resilient,” the report reads.
In one case, “the actors took about 12 hours to realize what had happened and recover.”
Migration to a new C2 also corresponded with a spike in traffic to a server used to host the botnet’s malware, indicating that the operators needed the bots to download updates to keep the operation running.
“As that became apparent, we promptly null-routed these remaining active C2 servers,” Lumen said.
However, the fight against the botnets might be taking a new direction.
Brian Krebs, a cybersecurity journalist who was himself targeted by a massive 6.3 terabit-per-second DDoS attack from Aisuru, identified multiple Canadian IP addresses and individuals tied to the malicious activity.
“We reported the activity to law enforcement. The nature of that traffic indicated an actor was interfacing with and controlling the botnet,” Lumen said.
Botnet operators expressed “some distress,” launching DDoS attacks against researchers and filling payloads with profanity.
How the botnet spreads and a tool to check your IP
Aisuru/Kimwolf botnets primarily consist of infected Android boxes deployed in residential networks. These devices mostly include set-top boxes that are not certified by Google and lack Google Play or any other form of protection.
Millions of similar infected devices have already been sinkholed by ISPs and authorities.
A report by Synthient explained that the botnets target cheap Android devices with an exposed Android Debug Bridge (ADB) service.
Cheap off-brand devices produced in China often come preinstalled with backdoors, or users themselves install unofficial apps containing proxy SDKs. The inexpensive devices are designed to sell the user’s internet connection to others without their knowledge.
The hackers scan for such devices, use proxy connections to bypass the home router firewall, and simply walk in, as there is no password protecting the ADB “open door.”
“Kimwolf’s scanning of proxy networks was at an unprecedented scale, with them holding the number one position many times for the most-targeted domain,” Synthient’s report reads.
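As an added illustration (not from the article, Lumen or Synthient), the Python script below triages constructed home-router connection-log lines for the two behaviours described above: an ADB service reachable from the internet, and a device opening connections to many unrelated external hosts the way a rented residential proxy would. The log format, the sample addresses and the use of TCP port 5555 (the default for network-enabled ADB) are assumptions made for this example.

```python
from collections import defaultdict

ADB_PORT = 5555        # network-enabled Android Debug Bridge listens here by default
FANOUT_THRESHOLD = 5   # distinct external destinations before a host is flagged

# Constructed sample lines: "<dir> <src_ip>:<port> -> <dst_ip>:<port> <verdict>"
SAMPLE_LOG = """\
in  198.51.100.7:41022 -> 192.168.1.23:5555 ACCEPT
in  203.0.113.9:50111 -> 192.168.1.23:5555 ACCEPT
out 192.168.1.23:40001 -> 93.184.216.34:443 ACCEPT
out 192.168.1.23:40002 -> 198.51.100.20:80 ACCEPT
out 192.168.1.23:40003 -> 203.0.113.50:443 ACCEPT
out 192.168.1.23:40004 -> 192.0.2.77:8080 ACCEPT
out 192.168.1.23:40005 -> 192.0.2.88:443 ACCEPT
out 192.168.1.23:40006 -> 198.51.100.99:443 ACCEPT
out 192.168.1.10:51000 -> 93.184.216.34:443 ACCEPT
in  203.0.113.9:50112 -> 192.168.1.10:5555 DROP
"""

def parse_line(line):
    """Split one log line into (direction, src_ip, dst_ip, dst_port, verdict)."""
    direction, src, _arrow, dst, verdict = line.split()
    src_ip = src.rsplit(":", 1)[0]
    dst_ip, dst_port = dst.rsplit(":", 1)
    return direction, src_ip, dst_ip, int(dst_port), verdict

def triage(log_text):
    """Return {lan_host: [reasons]} for hosts showing either suspicious behaviour."""
    findings = defaultdict(list)
    fanout = defaultdict(set)   # lan_host -> set of external destination IPs
    for line in log_text.splitlines():
        if not line.strip():
            continue
        direction, src_ip, dst_ip, dst_port, verdict = parse_line(line)
        if verdict != "ACCEPT":
            continue            # blocked by the router firewall; nothing reached the device
        if direction == "in" and dst_port == ADB_PORT:
            findings[dst_ip].append(f"ADB port {ADB_PORT} reachable from {src_ip}")
        elif direction == "out":
            fanout[src_ip].add(dst_ip)
    for host, dests in fanout.items():
        if len(dests) >= FANOUT_THRESHOLD:
            findings[host].append(f"proxy-like fan-out to {len(dests)} external hosts")
    return dict(findings)

if __name__ == "__main__":
    for host, reasons in triage(SAMPLE_LOG).items():
        print(host, "->", "; ".join(reasons))
```

A flagged host is a candidate for isolation and for disabling ADB over the network; the threshold should be tuned to the normal traffic of the device class.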
Synthient’s Research Team estimates the botnet’s size to be “well above two million, with significant numbers in Vietnam, Brazil, India, and Saudi Arabia.”
TV BOX, HiDPTAndroid, and SMART_TV are among the top compromised devices.
The firm also released a tool for users to check if their device is part of the Kimwolf botnet on synthient.com/check.
“If flagged, we encourage the TV Box to be destroyed,” Synthient urged.
A list of affected devices is available here.