Pink Botnet Infects More Than 1.6 Million Devices
Researchers from Netlab Qihoo 360 have reported the discovery of the largest botnet in the past six years. The Pink malware has already infected over 1.6 million devices, with the vast majority (96%) located in China. The operators of this botnet use the infected devices to carry out DDoS attacks and inject advertisements into HTTP websites. To date, the botnet has been responsible for at least 100 DDoS attacks.
How the Pink Botnet Operates
According to experts, Pink has been active since November 2019. The malware primarily targets MIPS routers and utilizes various third-party services, including GitHub, as well as P2P and centralized C&C servers to connect bots with operators and transmit commands. Pink also uses DNS-Over-HTTPS to connect to a server specified in its configuration file, which is sometimes delivered via GitHub or Baidu Tieba (in some cases, the domain name is hardcoded).
Analysts note, "The Pink operators fought with the provider for control over the infected devices: while the provider made repeated attempts to fix the issue, the master bot detected the provider's actions in real time and repeatedly updated the router firmware accordingly."
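The defensive takeaway from the C&C design described above is that resolving the C&C domain over DNS-over-HTTPS bypasses ordinary DNS logging, so the behaviour has to be caught at the flow or TLS layer: a router should not be talking to a public DoH resolver, and it has no business fetching content from GitHub or Baidu Tieba. The following is an added example (not code from Netlab 360, NSFOCUS, or the Pink analysis) that triages constructed TLS flow records from a hypothetical CPE management subnet and flags devices that show both behaviours. The subnet, the resolver hostnames, the exact config-host names and all log lines are assumptions for illustration.

```python
"""Flow-log triage for DNS-over-HTTPS use and third-party config fetches
from embedded devices (routers), illustrating how the Pink C&C pattern
could surface in network telemetry.

Added example, not code from Netlab 360 or NSFOCUS. All log lines, subnet
ranges and hostname lists are constructed/assumed for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumption: CPE/router management subnet of this (fictional) network.
DEVICE_SUBNET = ipaddress.ip_network("10.20.0.0/16")

# Assumption: well-known public DoH resolver hostnames; extend this from
# your own resolver inventory. A router that should use the internal
# resolver but opens TLS to one of these deserves a look.
DOH_RESOLVERS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# The report names GitHub and Baidu Tieba as config delivery channels; the
# exact hostnames below are an assumption. Legitimate router firmware
# normally has no reason to fetch from them.
CONFIG_HOSTS = {"github.com", "raw.githubusercontent.com", "tieba.baidu.com"}

# Constructed sample records: "timestamp src_ip dst_port tls_sni", e.g. an
# export from a TLS-aware proxy or a Zeek ssl.log.
SAMPLE_LOG = """\
2021-10-01T08:00:01 10.20.3.14 443 dns.google
2021-10-01T08:00:02 10.20.3.14 443 raw.githubusercontent.com
2021-10-01T08:00:05 10.20.3.99 443 cloudflare-dns.com
2021-10-01T08:00:07 10.20.3.99 443 tieba.baidu.com
2021-10-01T08:01:00 10.50.1.7 443 dns.google
2021-10-01T08:01:30 10.20.3.14 443 update.vendor.example
2021-10-01T08:02:00 10.20.3.22 53 resolver.internal.example
"""


def parse_line(line):
    """Split one record into (timestamp, src_ip_str, dst_port, sni)."""
    ts, src, port, sni = line.split()
    return ts, src, int(port), sni.lower()


def classify(src, port, sni):
    """Return a finding label for one flow record, or None if benign.

    Only TLS (443) flows originating inside the device subnet are considered;
    anything else is out of scope for this rule.
    """
    if ipaddress.ip_address(src) not in DEVICE_SUBNET or port != 443:
        return None
    if sni in DOH_RESOLVERS:
        return "doh_resolver"
    if sni in CONFIG_HOSTS:
        return "third_party_config_host"
    return None


def triage(log_text):
    """Group findings per source device as {src_ip: sorted(labels)}."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, port, sni = parse_line(line)
        label = classify(src, port, sni)
        if label:
            findings[src].add(label)
    return {src: sorted(labels) for src, labels in findings.items()}


def high_priority(findings):
    """Devices that both used a DoH resolver and fetched from a config host,
    i.e. the combination the report attributes to Pink bots."""
    return sorted(src for src, labels in findings.items() if len(labels) == 2)


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for src, labels in sorted(result.items()):
        print(src, labels)
    print("high priority:", high_priority(result))
```

In the constructed sample, the two devices in the router subnet that contact a DoH resolver and then a GitHub/Tieba host are flagged as high priority, while the workstation outside the subnet and the router using the internal resolver on port 53 are ignored. The rule is deliberately narrow (subnet plus port plus SNI) so it can run over large flow exports with few false positives; in practice the hostname sets would come from the organisation's own resolver and firmware-update inventory rather than the placeholders above.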
Spread and Persistence
According to another Chinese company, NSFOCUS, the malware spreads by exploiting zero-day vulnerabilities in network devices. Although a significant portion of these devices has since been patched and restored, the botnet remains active and currently consists of at least 100,000 devices.
Sources and Additional Information
- Additional research: NSFOCUS