Researchers recently disclosed that an attacker exploited a Webmin vulnerability on Linux servers to build a botnet named Roboto. Webmin is a web-based remote management application; older versions contain a vulnerability that could allow an attacker to run malicious code with root privileges and take over the application.
“We recommend that Webmin users take a look at whether they are infected by checking the process, file name and UDP [User Datagram Protocol] network connection,” said NetLab 360 researchers in a Wednesday analysis. “We recommend that Roboto botnet-related IP, URL and domain names be monitored and blocked.”
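The three checks the researchers recommend (process name, file name, UDP peer) map directly onto data a Linux host already exposes under /proc. The script below is an added example, not code from NetLab 360 or from the article: it parses /proc/net/udp (whose IPv4 addresses are little-endian hex), compares remote peers and process names/paths against an indicator list, and runs the same logic over constructed sample data so it works offline. Every indicator value in it (the process name `example-bot-proc`, the path `/tmp/example-bot-binary`, the IP 203.0.113.10) is a placeholder; the real Roboto indicators must be taken from the published analysis.

```python
"""Host check for Roboto-style indicators: suspicious process names,
file paths and UDP connections to blocked addresses.

Added example; the IoC values below are placeholders, not the real
Roboto indicators, which must come from the NetLab 360 report."""
from __future__ import annotations
import os
from dataclasses import dataclass

# Placeholder indicator set (constructed; replace with published IoCs).
IOCS = {
    "process_names": {"example-bot-proc"},
    "file_paths": {"/tmp/example-bot-binary"},
    "udp_remote_ips": {"203.0.113.10"},  # RFC 5737 documentation address
}


@dataclass(frozen=True)
class UdpEntry:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    inode: int


def _decode_addr(hex_addr: str) -> tuple[str, int]:
    """Decode a /proc/net/udp address such as '0F02000A:D431'.
    The IPv4 part is little-endian hex; the port is big-endian hex."""
    ip_hex, port_hex = hex_addr.split(":")
    octets = [str(int(ip_hex[i:i + 2], 16)) for i in (6, 4, 2, 0)]
    return ".".join(octets), int(port_hex, 16)


def parse_proc_net_udp(text: str) -> list[UdpEntry]:
    """Parse the text of /proc/net/udp into UdpEntry records.
    Only connected UDP sockets show a non-zero remote address."""
    entries = []
    for line in text.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 10:
            continue
        lip, lport = _decode_addr(fields[1])
        rip, rport = _decode_addr(fields[2])
        entries.append(UdpEntry(lip, lport, rip, rport, int(fields[9])))
    return entries


def find_udp_matches(entries, blocked_ips):
    """Return entries whose remote peer is on the block list."""
    return [e for e in entries if e.remote_ip in blocked_ips]


def find_process_matches(processes, names, paths):
    """processes: iterable of (pid, comm, exe). Flag name or path hits."""
    return [(pid, comm, exe) for pid, comm, exe in processes
            if comm in names or exe in paths]


def list_live_processes():
    """Read (pid, comm, exe) for every process under /proc (Linux only)."""
    procs = []
    if not os.path.isdir("/proc"):
        return procs
    for pid in os.listdir("/proc"):
        if not pid.isdigit():
            continue
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # process exited, kernel thread, or not readable
        procs.append((int(pid), comm, exe))
    return procs


def scan_host(iocs=IOCS):
    """Run both checks against the live host; empty lists mean no hits."""
    udp_hits = []
    if os.path.exists("/proc/net/udp"):
        with open("/proc/net/udp") as f:
            udp_hits = find_udp_matches(parse_proc_net_udp(f.read()),
                                        iocs["udp_remote_ips"])
    proc_hits = find_process_matches(list_live_processes(),
                                     iocs["process_names"], iocs["file_paths"])
    return {"udp": udp_hits, "processes": proc_hits}


# Constructed sample data standing in for a live host.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000   101        0 12345 2 0000000000000000 0
   1: 0F02000A:D431 0A7100CB:1F90 01 00000000:00000000 00:00000000 00000000     0        0 23456 2 0000000000000000 0
"""
SAMPLE_PROCESSES = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (4242, "example-bot-proc", "/tmp/example-bot-binary"),
]

if __name__ == "__main__":
    sample_udp = find_udp_matches(parse_proc_net_udp(SAMPLE_PROC_NET_UDP),
                                  IOCS["udp_remote_ips"])
    sample_proc = find_process_matches(SAMPLE_PROCESSES, IOCS["process_names"],
                                       IOCS["file_paths"])
    print("sample UDP hits:", sample_udp)
    print("sample process hits:", sample_proc)
    print("live host:", scan_host())
```

Run as root so that /proc/<pid>/exe is readable for every process; unprivileged runs silently skip processes they cannot inspect. Because /proc/net/udp only records a remote address for connected sockets, a bot that sends with `sendto()` on an unconnected socket will not appear there, so the UDP check should be backed by flow logs or a packet capture at the network edge rather than relied on alone.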
The botnet is understood to have begun forming shortly after the vulnerability was disclosed. Currently it is still in the expansion phase, and although it has the ability to launch DDoS attacks, it has never launched one. In addition, the bot can run Linux system commands, execute files downloaded from remote URLs, uninstall itself, and collect system, process, and network information from infected servers.
Experts point out that, unlike conventional botnets, the devices in Roboto do not receive commands directly from the attackers' servers; instead, the devices that receive a command relay its content on to other infected devices. At this time, the size of the botnet still cannot be estimated.