Those wishing to create the Reaper botnet fell victim to hackers

Tomcat



A botnet (English: botnet, IPA: [ˈbɒtnɛt]; derived from the words robot and network) is a computer network consisting of a number of hosts running bots, which are autonomous software. Most often, a bot in a botnet is a program that is secretly installed on a victim's device and allows an attacker to perform certain actions using the resources of the infected computer. Botnets are usually used for illegal or disapproved-of activities: sending spam, brute-force attacks on a remote system, and denial-of-service attacks (DoS and DDoS attacks). (Wikipedia)

Hackers who wanted to create their own Reaper botnet and downloaded an IP scanner for the purpose may have loaded more onto their systems than they intended.

A few weeks ago, the world learned of the Reaper botnet. It differs from others in that its operators use an IP scanner to search for vulnerable Internet of Things (IoT) devices, and only then, using exploits for various vulnerabilities, install the Reaper malware on them. By comparison, the operators of Mirai and Hajime used brute-force attacks to hack IoT devices.

The hype surrounding Reaper was exploited by an enterprising scammer who realized that script kiddies who dreamed of becoming hackers would rush online in search of tools to create their own botnets. The scammer created a website advertising an IP scanner. This scanner is a PHP script that reads IP addresses from the local text file poop.txt, checks for a GoAhead server on the devices, and writes any positive results to the GoAhead-Filtered.txt file.

Those who wanted to create their own botnet were interested in the script because with it they could identify devices running GoAhead servers (usually IP cameras for video surveillance). Inexperienced or inattentive hackers who did not read the scanner's source code might not have noticed that most of the PHP script was obfuscated behind a wall of seemingly random characters.

The problem was discovered by Ankit Anubhav, a senior researcher at NewSky Security. According to the expert, the script was obfuscated several times over using ROT13 and base64 encoding and compressed with gzip. After deobfuscating the code, Anubhav discovered a backdoor that was easy to overlook because of the obfuscation.

As the researcher explained, the code has four parts. The first is the promised full-featured IP scanner. The second part runs Bash commands that add an additional user to the Linux server where the victim was executing the IP scanner script. The third part authorizes the victim's IP address on the remote server. The fourth part downloads and runs the Kaiten malware on the server where the IP scanner is installed. Thus, hackers wishing to create their own Reaper botnet became part of the Kaiten botnet.

At the time of this writing, the website advertising the IP scanner was no longer working. However, according to Anubhav, scammers continue to sell their product on hacker forums.
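
A defender-side illustration of the layering Anubhav describes, added here and not taken from the scanner or from NewSky Security's analysis: a Python triage routine that statically peels ROT13/base64/gzip layers from a PHP file without executing it and reports command-execution calls in the recovered payload. The `eval(gzinflate(base64_decode(str_rot13(...))))` wrapper shape, all function names and the harmless sample are assumptions constructed for this example.

```python
import base64, binascii, codecs, re, zlib

# PHP decoder name -> Python equivalent (bytes in, bytes out).
DECODERS = {
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot13").encode("latin-1"),
    "base64_decode": base64.b64decode,
    "gzinflate": lambda b: zlib.decompress(b, -15),  # raw deflate
    "gzuncompress": zlib.decompress,                 # zlib header
    "gzdecode": lambda b: zlib.decompress(b, 31),    # gzip header
}
NAMES = "|".join(DECODERS)
# Assumed wrapper shape: eval( dec1( dec2( ... "literal" ) ) );
WRAPPED = re.compile(r"eval\s*\(\s*((?:(?:%s)\s*\(\s*)+)(['\"])(.*?)\2[\s)]*;" % NAMES, re.S)
EXEC_CALLS = re.compile(rb"\b(system|shell_exec|passthru|exec|popen|proc_open)\s*\(")

def peel(source: bytes, max_layers: int = 25):
    """Statically unwrap nested eval(decoder("...")) layers. Never runs PHP."""
    layers = 0
    while layers < max_layers:
        m = WRAPPED.search(source.decode("latin-1"))
        if not m:
            break
        data = m.group(3).encode("latin-1")
        try:
            # The innermost call runs first, so apply the chain right to left.
            for name in reversed(re.findall(NAMES, m.group(1))):
                data = DECODERS[name](data)
        except (binascii.Error, zlib.error):
            break  # malformed layer: stop and report what was recovered so far
        source, layers = data, layers + 1
    return layers, source

def triage(source: bytes) -> dict:
    """Report hidden layer count and command-execution calls in the final payload."""
    layers, payload = peel(source)
    calls = sorted({m.group(1).decode() for m in EXEC_CALLS.finditer(payload)})
    return {"layers": layers, "exec_calls": calls, "payload": payload}

def wrap(php: bytes) -> bytes:
    """Build one constructed obfuscation layer for the sample below."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    b64 = base64.b64encode(c.compress(php) + c.flush()).decode()
    return ('eval(gzinflate(base64_decode(str_rot13("%s"))));'
            % codecs.encode(b64, "rot13")).encode()

# Constructed sample: visible code plus a harmless payload hidden three layers deep.
SAMPLE = b"<?php /* visible scanner code */ " + wrap(wrap(wrap(b'system("echo constructed-sample");')))

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A non-zero layer count combined with any entry in `exec_calls` is the signal to read the recovered payload before the script is ever run.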