Infected Router Alert: A Botnet Resistant to Removal Puts Online Security at Risk
News

[2026-03-30] Author: Ing. Calogero Bono

An alarming discovery has shaken the cybersecurity world: a botnet of about 14,000 routers and other network devices, most of them made by Asus, is running malware that is highly resistant to removal. The research, conducted by Black Lotus Labs, reveals the existence of KadNap, malware that exploits unpatched vulnerabilities to build an anonymous proxy network used for online criminal activity.

The Nature of the KadNap Threat

KadNap gains its foothold by exploiting vulnerabilities in the devices, Asus routers above all, most likely thanks to a reliable exploit that the botnet operators acquired. The botnet counts about 14,000 infected routers per day, up from 10,000 in August, and operates primarily in the United States, with significant presences in Taiwan, Hong Kong, and Russia. One of KadNap's distinctive features is its sophisticated peer-to-peer design based on Kademlia, a distributed hash table (DHT) protocol: instead of carrying a hard-coded command-and-control address, each bot finds its controller by looking up a key in the table, so there is no single server IP for defenders to find and block. This design makes the botnet resistant to detection and to takedowns that target a command-and-control server.

Researcher Chris Formosa of Black Lotus Labs emphasized that the intent of KadNap's creators is clear: to avoid detection and make life difficult for defenders. Distributed hash tables have long been used to build robust peer-to-peer networks such as BitTorrent and the InterPlanetary File System (IPFS). Instead of centralized servers directly controlling the nodes, a DHT lets any node ask other nodes where the device or server it is looking for can be reached. This decentralized structure, together with the replacement of fixed IP addresses by keys that are looked up in the table, makes the network resilient to takedowns and denial-of-service attacks.

How KadNap Works

Kademlia uses a 160-bit identifier space for both keys and node IDs, and every node is assigned one ID. Each node keeps a routing table of other nodes' IDs, bucketed by how close those IDs are to its own. Closeness is measured by XOR distance: the two IDs are XORed bit by bit and the result is read as an integer, the smaller the closer. A node looking for a key asks the nodes it knows that are closest to that key; each reply names nodes closer still, and the lookup repeats until it reaches the nodes nearest the key, or an exact match. KadNap implements a variant of Kademlia: its bots enter the DHT through BitTorrent nodes and search it for a key derived from a passphrase they carry. Formosa explained that a DHT gets you progressively closer to the target. You first reach some entry BitTorrent nodes and say, "hey, I have this secret passphrase. I'm looking for who to give it to." The passphrase is then passed to some "neighbors," who say, "ah okay, I don't fully understand this passphrase, but it's familiar, and here are people who might know what it means." The process continues until reaching someone who says, "Yes, this is my passphrase, welcome."
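To make the lookup concrete, here is a miniature Kademlia DHT in Python, added as an illustration for this article; it is not KadNap's code and not Black Lotus Labs' tooling. It shows 160-bit IDs, XOR distance, bucketed routing tables, the iterative lookup that homes in on a key, and a rendezvous in which a "controller" publishes a value under a passphrase-derived key and a "bot" that knows only the passphrase retrieves it. The network size, the bucket width of 8 (Kademlia's paper uses 20), the passphrase, the node labels and the published value are all constructed assumptions.

```python
"""Miniature Kademlia DHT: 160-bit IDs, XOR metric, k-buckets, iterative lookup,
and a rendezvous by key instead of by IP address.  Added illustration only."""
import hashlib
import random

ID_BITS = 160
K = 8       # bucket width and contacts per reply (constructed; Kademlia's default is 20)
ALPHA = 3   # parallel queries per lookup round


def sha1_id(label: str) -> int:
    """A 160-bit identifier, as Kademlia specifies; derived here from a label."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")


def xor_distance(a: int, b: int) -> int:
    """Kademlia's metric: XOR the two IDs and read the result as an integer."""
    return a ^ b


class Node:
    def __init__(self, nid: int):
        self.nid = nid
        # bucket i holds peers whose distance from this node lies in [2**i, 2**(i+1))
        self.buckets = [[] for _ in range(ID_BITS)]
        self.store = {}  # key -> value that a publisher asked this node to keep

    def add_contact(self, other: int) -> None:
        if other == self.nid:
            return
        i = xor_distance(self.nid, other).bit_length() - 1
        if len(self.buckets[i]) < K:
            self.buckets[i].append(other)

    def find_node(self, target: int) -> list:
        """Answer FIND_NODE: the K known peers closest (by XOR) to target."""
        known = [c for bucket in self.buckets for c in bucket]
        return sorted(known, key=lambda c: xor_distance(c, target))[:K]


def build_network(n: int, seed: int = 7) -> dict:
    """n nodes; each learns of every other node, subject to the per-bucket cap."""
    rng = random.Random(seed)
    ids = [sha1_id(f"peer-{rng.getrandbits(32)}") for _ in range(n)]
    nodes = {i: Node(i) for i in ids}
    for node in nodes.values():
        for other in rng.sample(ids, len(ids)):  # random order, so buckets fill differently
            node.add_contact(other)
    return nodes


def iterative_find(nodes: dict, start: int, key: int):
    """Kademlia node lookup: keep querying the closest unqueried peers until the
    K closest known peers have all answered.  Returns (closest_ids, queried_ids)."""
    shortlist = [start] + nodes[start].find_node(key)
    queried = set()
    while True:
        batch = [c for c in shortlist if c not in queried][:ALPHA]
        if not batch:
            return shortlist, queried
        for c in batch:
            queried.add(c)
            shortlist.extend(nodes[c].find_node(key))  # each reply names closer peers
        shortlist = sorted(set(shortlist), key=lambda c: xor_distance(c, key))[:K]


def publish(nodes: dict, publisher: int, key: int, value: str) -> list:
    """STORE the value on the K nodes closest to key (what a controller would do)."""
    closest, _ = iterative_find(nodes, publisher, key)
    for c in closest:
        nodes[c].store[key] = value
    return closest


def lookup_value(nodes: dict, start: int, key: int):
    """FIND_VALUE from a fresh bot: walk towards the key, then read the value from
    any node met on the way (a real implementation stops at the first hit)."""
    _, queried = iterative_find(nodes, start, key)
    for c in queried:
        if key in nodes[c].store:
            return nodes[c].store[key], len(queried)
    return None, len(queried)


def demo():
    nodes = build_network(400)
    ids = list(nodes)
    # Constructed: the rendezvous key is derived from a passphrase only the bots know;
    # nothing on the bot names the controller's address.
    key = sha1_id("constructed-secret-passphrase")
    controller, bot = ids[0], ids[-1]
    publish(nodes, controller, key, "proxy-hub:constructed")
    return lookup_value(nodes, bot, key)


if __name__ == "__main__":
    value, asked = demo()
    print(f"bot recovered {value!r} after querying {asked} of 400 nodes")
```

The bot ships with nothing but the passphrase; the controller's location is a value stored at whichever nodes happen to be nearest the key, and it can be republished elsewhere at any time, which is why blocking a single IP address achieves nothing. What a defender can still see is the lookup itself: a home router exchanging Kademlia-style queries with many BitTorrent DHT peers is an anomaly on its own, and the keys and IDs such a bot queries are exactly the kind of indicator a lab can publish for others to block.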

Implications and Countermeasures

Despite its resistance to traditional removal methods, Black Lotus has developed a way to block all network traffic to or from the control infrastructure, and the lab is distributing indicators of compromise so that other parties can block it too. The infected devices carry traffic for Doppelganger, a paid proxy service that routes its customers' internet traffic through the connections, mostly residential, of unsuspecting people. To clean a device, a reboot is not enough: KadNap stores a shell script that runs again when the router restarts, so the device must be reset to factory settings. Because the malware got in through unpatched vulnerabilities, a factory reset by itself leaves the same exploitable firmware in place, so install all firmware updates before putting the router back online, set a strong administrative password, and disable remote access unless it is genuinely needed.
