Roboto Botnet Targets Linux Webmin Servers
Linux Webmin servers are under active attack by a newly-discovered peer-to-peer botnet, called Roboto. The botnet is targeting a remote code-execution vulnerability, CVE-2019-15107, in Webmin, a web-based system configuration tool for Linux servers. CVE-2019-15107 was patched on Aug. 17 and can be fixed by updating to Webmin 1.930. Webmin users should check whether they are infected by looking at the running process, the file name and the UDP network connection associated with the bot.
Researchers have been tracking Roboto for the past three months. It's not known how many Linux Webmin servers are being targeted. The targets could potentially be massive since there are over a million installations worldwide.
The Roboto botnet supports a range of functions. A reverse shell allows the operators to execute commands on infected bots, and the malware can also uninstall itself. Roboto has the ability to gather process and network information, gather bot information, execute system commands, run encrypted files specified in URLs and launch distributed denial-of-service attacks. Researchers have yet to see a single DDoS attack command, and the true purpose of Roboto is still unknown.
As a peer-to-peer botnet, Roboto operates without a command-and-control server. P2P botnets, including Hajime and Joanap, are harder for researchers to target since there are no centralized domains or servers to track. P2P botnets instead create decentralized networks of infected devices, or bots, which talk to one another rather than to a central server, typically employing custom protocols for communication that must be decrypted before they can be analyzed.
It's not the first time that Linux servers have been targeted by botnets. Muhstik, for instance, which has been around since March 2018 and has worm-like self-propagating capabilities, is known to compromise Linux servers and IoT devices, and then launch cryptocurrency mining software and DDoS attacks.