34 points by SamValYlieRcHE2 19 hours ago | 4 comments
  • BloodyIron 2 hours ago
    How is it not obvious to everyone reading HN that janky Android "TV" boxes (like the article references) are a by-default threat?

    Like seriously, many of them are sold for stupid cheap prices like $5/ea. Or advertise unlimited movies/shows/etc for similarly unbelievable prices.

    Putting aside the copyright infringement aspect of it, to me it's extremely obvious "wait... _why_ am I paying so little here?".

    No, it's not because movies and shows are 99.9999% profit (spoiler: they aren't), it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.

    You like having a credit card? That's precious, it's mine now.

    Look at me, I'm the network now.

  • haburka 3 hours ago
    I love how frequently Botnet creators reference Krebs. Like they are his biggest fans, and they just want a shoutout on his blog.
  • pamcake 9 hours ago
    This is wild.

    It must be crowded on these devices by now - it may be a bit misleading to think of it as a single botnet when there are multiple unrelated entities controlling the same devices via the same methods.

  • ConorSheehan1 14 hours ago
    Very interesting! A tutorial to check if kimwolf is running on your network would be nice
    • BloodyIron 2 hours ago
      Well the first thing to check is, do you own and operate any of these janky Android "TV" boxes sold by companies nobody has heard of? If yes? Then there's probably your answer.
    • pamcake 9 hours ago
      Not exactly the answer, but if you have one of the affected devices mentioned, it should be listening on TCP port 5555. You can do a port scan for that.

         nmap -Pn 192.168.0.0/16 -p 5555
      
      Replace netmask as appropriate.

      Now that it's publicly known I guess it's possible that they will close the door post-infection to avoid detection. And it won't detect any other devices it's spread further to.

      If you have a cheapo Android-based TV box or stick like the ones mentioned, throw it out or reflash it with Armbian after forensics.

      I'm sure there are HN readers out there who have one of these. They were very popular a couple of years back.

    • nubinetwork 14 hours ago
      Based on the article, try looking for android devices with adb running on the network.
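Added example (editor's code, not posted by any commenter and not from the article): the two suggestions above, scanning for TCP 5555 and looking for devices that actually speak ADB, can be combined in one defensive check. An open port 5555 alone is only a hint; the script below sends the standard ADB `CNXN` handshake and accepts a host only if the reply is a well-formed ADB packet header (a `CNXN` from an unauthenticated device, or an `AUTH` challenge from one that requires key approval). It assumes the device exposes the normal ADB wire protocol on that port; the script name and CIDR argument handling are the editor's own.

```python
"""Find hosts on a LAN that answer the ADB handshake on TCP/5555.

Editor's added example. Usage: python adb_probe.py 192.168.0.0/24
"""
import ipaddress
import socket
import struct
import sys
from typing import Iterator, List, Optional, Tuple

ADB_PORT = 5555
HEADER_LEN = 24                 # six little-endian uint32 fields
A_CNXN = 0x4E584E43             # b"CNXN" read as little-endian uint32
A_AUTH = 0x48545541             # b"AUTH"
A_VERSION = 0x01000000          # protocol version sent in CNXN arg0
MAX_PAYLOAD = 4096              # max data size we accept, sent in CNXN arg1
COMMAND_NAMES = {A_CNXN: "CNXN", A_AUTH: "AUTH"}


def build_packet(command: int, arg0: int, arg1: int, payload: bytes) -> bytes:
    """Encode one ADB message.

    Header layout: command, arg0, arg1, data_length, data_check, magic.
    data_check is the byte sum of the payload; magic is command XOR 0xFFFFFFFF.
    """
    header = struct.pack(
        "<6I", command, arg0, arg1, len(payload),
        sum(payload) & 0xFFFFFFFF, command ^ 0xFFFFFFFF,
    )
    return header + payload


def build_cnxn() -> bytes:
    """The client-side CNXN handshake; "host::" identifies us as a host."""
    return build_packet(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")


def parse_adb_header(data: bytes) -> Optional[str]:
    """Return the command name if `data` starts with a consistent ADB header.

    The magic field must be the bitwise complement of the command field;
    random or non-ADB services (HTTP banners, etc.) fail this check.
    Unknown-but-consistent commands are reported as hex.
    """
    if len(data) < HEADER_LEN:
        return None
    command, _arg0, _arg1, _dlen, _check, magic = struct.unpack(
        "<6I", data[:HEADER_LEN]
    )
    if magic != (command ^ 0xFFFFFFFF):
        return None
    return COMMAND_NAMES.get(command, f"0x{command:08x}")


def probe_adb(host: str, port: int = ADB_PORT, timeout: float = 2.0) -> Optional[str]:
    """Connect, send CNXN, and classify the reply. None if closed or not ADB."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_cnxn())
            reply = sock.recv(MAX_PAYLOAD)
    except OSError:  # refused, timed out, unreachable
        return None
    return parse_adb_header(reply)


def iter_hosts(cidr: str) -> Iterator[str]:
    """Usable host addresses in a CIDR block, e.g. 192.168.0.0/24."""
    for addr in ipaddress.ip_network(cidr, strict=False).hosts():
        yield str(addr)


def scan(cidr: str, timeout: float = 1.0) -> List[Tuple[str, str]]:
    """All hosts in `cidr` whose port 5555 answers like ADB."""
    hits = []
    for host in iter_hosts(cidr):
        result = probe_adb(host, timeout=timeout)
        if result is not None:
            hits.append((host, result))
    return hits


if __name__ == "__main__":
    block = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.0/24"
    for host, kind in scan(block):
        # CNXN: device accepted us with no key prompt (worst case).
        # AUTH: device speaks ADB but wants an RSA key approved.
        print(f"{host}\tadb reply: {kind}")
```

A `CNXN` reply means the box accepted the connection without any key approval, which is the condition the thread is worried about; an `AUTH` reply still shows that ADB is reachable from the LAN. As pamcake notes, a device that has been told to close the port after infection will not show up here, so a clean result is not proof of a clean network.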