A newly-wormable Windows botnet is ballooning in size

Researchers say a botnet targeting Windows devices is rapidly growing in size, thanks to a new infection technique that allows the malware to spread from computer to computer.

The Purple Fox malware was first spotted in 2018 spreading through phishing emails and exploit kits, a way for threat groups to infect machines using existing security flaws.

But researchers Amit Serper and Ophir Harpaz at security firm Guardicore, which discovered and revealed the new infection effort in a new blog post, say the malware now targets internet-facing Windows computers with weak passwords, giving the malware a foothold to spread more rapidly.

The malware does this by trying to guess weak Windows user account passwords by targeting the server message block, or SMB — a component that lets Windows talk with other devices, like printers and file servers. Once the malware gains access to a vulnerable computer, it pulls a malicious payload from a network of close to 2,000 older and compromised Windows web servers and quietly installs a rootkit, keeping the malware persistently anchored to the computer while also making it much harder to be detected or removed.

Once infected, the malware then closes the ports in the firewall it used to infect the computer to begin with, likely to prevent reinfection or other threat groups hijacking the already-hacked computer, the researchers said.

The malware then generates a list of internet addresses and scans the internet for vulnerable devices with weak passwords to infect further, creating a growing network of ensnared devices.

Botnets are formed when hundreds or thousands of hacked devices are enlisted into a network run by criminal operators, which are often then used to launch denial-of-network attacks to pummel organizations with junk traffic with the aim of knocking them offline. But with control of these devices, criminal operators can also use botnets to spread malware and spam, or to deploy file-encrypting ransomware on the infected computers.

But this kind of wormable botnet presents a greater risk as it spreads largely on its own.

Serper, Guardicore’s vice president of security research for North America, said the wormable infection technique is “cheaper” to run than its earlier phishing and exploit kit effort.

“The fact that it’s an opportunistic attack that constantly scans the internet and looks for more vulnerable machines means that the attackers can sort of ‘set it and forget it’,” he said.

It appears to be working. Purple Fox infections have rocketed by 600% since May 2020, according to data from Guardicore’s own network of internet sensors. The actual number of infections is likely to be far higher, amounting to more than 90,000 infections in the past year.

Guardicore published indicators of compromise to help networks identify if they have been infected. The researchers do not know what the botnet will be used for but warned that its growing size presents a risk to organizations.

“We assume that this is laying the groundwork for something in the future,” said Serper.

Leave a Comment