Security researchers have spotted a new botnet malware that is turning infected devices into honeypots in order to ensnare new victims.
Dubbed ZHtrap by researchers at Qihoo 360’s Netlab network security division, the new botnet is based on Mirai IoT malware and supports x86, ARM, MIPS and other major CPU architectures. It compromises DVRs, CCTV cameras, Netgear routers, and Realtek-based devices by exploiting several known vulnerabilities, including CVE-2014-8361.
Once the ZHtrap commandeers a device, it prevents other rival malware from re-enfecting its bots by setting a whitelist that only allows already running system processes, blocking all attempts to run new commands.
In terms of functionality, the new malware has a number of capabilities common for these types of botnets, such as DDoS attacks and Telnet scanning, however, it also comes with a backdoor functionality that allows the ZHtrap operators to download and execute malicious payloads.
The most interesting part of ZHtrap is its ability to transform infected devices into a honeypot, a tool that is usually used by security researchers to capture and observe attacks on vulnerable systems. In this case the ZHtrap operators used a similar technique to achieve their own goals, specifically, to collect the IP addresses belonging to the scan and exploit bots operated by other botnets.
“ZHtrap will listen to 23 designated ports, and if it finds an IP connecting to these ports it will record it as a scanner IP, and all the recorded IPs will be scanned in its own scanning module, so that the target addresses used in the ZHtrap scanning process will have 2 sources - randomly generated IPs and scanner IPs captured by the above module,” the researchers explained.
The Netlab team said they discovered three ZHtrap versions so far, suggesting that the malware is still in a development stage.