By GoldSparrow in Botnets

Echobot is one of the many botnets based on the Mirai botnet, which was quite active in 2016 and spawned numerous copycats after the arrest of its creators. At one point, Mirai managed to infect more than two million devices. The creators of Mirai released the code for this botnet, and Echobot is just one of the many botnets built on that code after it became public.

How Echobot Carries Out Its Attack

Echobot is nearly identical to the Mirai malware. As part of the Mirai Botnet attack, Linux will be installed on the infected device, as well as various applications such as a Web proxy and software used to carry out DDoS attacks. While Mirai was mostly limited to the so-called Internet-of-Things, or devices that are not personal computers, Echobot carries out attacks on a wider variety of targets and has software designed to exploit a large number of vulnerabilities. Once the victim's device has been compromised, it becomes integrated into the Echobot botnet, an enormous group of infected devices that can be used in coordination to carry out many attacks.

A Brief History of the Mirai Botnet, the Precursor of Echobot

The Mirai Botnet itself was quite lucrative to the criminals operating it, apparently a group of teen fraudsters. They were arrested in 2017. However, the code of Mirai Botnet was leaked and made publicly available on the Web. This has allowed numerous other criminals to create their own Mirai Botnet variants, which include threats such as the Satori Botnet, which is currently being used to target digital currency rigs, and the Hajime Botnet, which has more than 300,000 compromised devices. It seems that the initial intent of the Mirai Botnet attack was to make money off of Minecraft players in 2016, and the intent behind it was not as grand as what this threat ended up being. The initial Mirai Botnet attacks targeted university network systems and attempted to bring down Minecraft servers, specifically to increase traffic to the attackers' own Minecraft servers. The first Mirai Botnet attack targeted OVH, a French Minecraft server host. Unfortunately, the code for Mirai Botnet leaked, and it was soon used to target a far wider net of devices.

Detailing Echobot Attacks

Typical targets of Echobot attacks include computers, routers, cameras and other devices. Echobot can also target vulnerabilities in commonly used enterprise software. Malware analysts studied Echobot's code and determined that Echobot is designed to exploit at least 26 different vulnerabilities to carry out its attack. Echobot also attempts to target vulnerabilities in software used in enterprise devices such as VMware NSX SD-WAN and Oracle WebLogic Server, apart from using common exploits in the Windows operating system and commonly used platforms. The specific targeting of these vulnerabilities makes it likely that Echobot attacks are increasingly designed to target businesses and higher-profile targets rather than individual computer users and home systems. However, home systems are also vulnerable to Echobot attacks and, in fact, many have been compromised as well. Once a device has been compromised, it establishes a connection to the Echobot Command and Control server, which sends an updated version of Echobot that is specific to the targeted system's operating environment.

The Danger of Echobot

Echobot's intent is still not clear. However, these botnets can be used for devastating attacks that leverage the large number of infected devices. Examples include DDoS (Distributed Denial of Service) attacks, sending out massive quantities of spam email, and money laundering operations. Computer users are advised to use strong security software, update all firmware and software, and use strong passwords, particularly on devices like routers that are commonly left relatively unprotected.
