Researchers Uncover 'Pink' Botnet Malware That Infected Over 1.6 Million Devices


Level 85
Thread author
Honorary Member
Top poster
Content Creator
Malware Hunter
Aug 17, 2014
Cybersecurity researchers disclosed details of what they say is the "largest botnet" observed in the wild in the last six years, infecting over 1.6 million devices primarily located in China, with the goal of launching distributed denial-of-service (DDoS) attacks and inserting advertisements into HTTP websites visited by unsuspecting users.

Qihoo 360's Netlab security team dubbed the botnet "Pink" based on a sample obtained on November 21, 2019, owing to a large number of function names starting with "pink."

Mainly targeting MIPS-based fiber routers, the botnet leverages a combination of third-party services such as GitHub, peer-to-peer (P2P) networks, and central command-and-control (C2) servers for its bots to controller communications, not to mention completely encrypting the transmission channels to prevent the victimized devices from being taken over.

"Pink raced with the vendor to retain control over the infected devices, while vendor made repeated attempts to fix the problem, the bot master noticed the vendor's action also in real time, and made multiple firmware updates on the fiber routers correspondingly," the researchers said in an analysis published last week following coordinated action taken by the unspecified vendor and China's Computer Network Emergency Response Technical Team/Coordination Center (CNCERT/CC).

Interestingly, Pink has also been found adopting DNS-Over-HTTPS (DoH), a protocol used for performing remote Domain Name System resolution via the HTTPS protocol, to connect to the controller specified in a configuration file that's either delivered either via GitHub or Baidu Tieba, or via a built-in domain name hard-coded into some of the samples.