Bitdefender discovers new botnet Dark_nexus

Security researchers from Bitdefender have discovered a new IoT-based DDoS botnet and named it Dark_nexus. Its authors advertise it on YouTube. The whole thing could become quite dangerous for the currently heavily loaded internet.


The botnet was named "Dark_nexus" because of a string in its banner. I have been notified by Bitdefender directly about the discovery of the botnet. Bitdefender's security researchers state that the new IoT botnet is very effective and overshadows many previously known IoT botnets and malware families.

Danger for the busy Internet

The botnet is still operational and, thanks to new features and capabilities, considerably stronger and more robust than comparable earlier botnets. Because it is easy to use and comes with advanced features, Dark_nexus poses a major threat to the currently heavily loaded internet, which in its present state can suffer considerable damage from even a small botnet.

DDoS attacks via IoT botnet

Dark_nexus can be used for DDoS attacks: by recruiting IoT devices all over the world, the botnet can carry out denial-of-service attacks against arbitrary target infrastructures.

To infect devices, the botnet carries a list of default credentials for such devices, which it uses in brute-force login attempts. More than 50 percent of the bots are spread across China, the Republic of Korea, and Thailand; most compromised IoT devices are located in Korea.

[Figure: Dark_nexus botnet infections by country. Source: Bitdefender]

Advertising on YouTube

The botnet "Dark_nexus" was possibly created by "greek.Helios", a well-known botnet author who sells DDoS services and botnet code and also actively promotes Dark_nexus on YouTube. It is easy to use, costs the equivalent of only 17 Euro/month for 2500 seconds of bot time, and can run up to 80 GBP for unlimited admin access.

Further analysis

Bitdefender's analysis showed that although Dark_nexus reuses some of the Qbot and Mirai code, its core modules are mostly original code. The botnet has already received numerous updates in the first three months of its existence.

Earlier versions also used exploits to spread, but Dark_nexus now propagates solely by brute-forcing the telnet protocol. This simple approach yields the largest number of compromised devices at low cost and with little effort.

A detailed analysis of Dark_nexus with further technical information is available in a whitepaper which can be downloaded here. The colleagues from Bleeping Computer have also published this article on the topic.
