- Aug 17, 2014
For almost a year, a threat actor has been using zero-day vulnerabilities to install malware on Tenda routers and build a so-called IoT (Internet of Things) botnet.
Named Ttint, this botnet was first detailed in a report published on Friday by Netlab, the network security division of Chinese tech giant Qihoo 360.
But unlike the myriad of IoT botnets of its kind spotted in the past, Netlab researchers said Ttint was different on several levels.
It didn't just infect devices to perform DDoS attacks, but also implemented 12 different remote access methods to the infected routers, used the routers as proxies to relay traffic, tampered with the router's firewall and DNS settings, and even gave attackers the ability to execute remote commands on the infected devices.
"Two zero-days, 12 remote access functions for the router, encrypted traffic protocol, and infrastructure [...] that that moves around. This botnet does not seem to be a very typical player," Netlab said on Friday.
Ttint is a new form of IoT botnet that also includes remote access tools-like (RAT) features, rarely seen in these types of botnets before.