MrBlack, first identified in May 2014 by Russian security firm Dr. Web, is a botnet that targets the Linux OS and is designed to conduct distributed denial-of-service (DDoS) attacks. In May 2015, Incapsula clients suffered a large-scale DDoS attack, which the company attributed to network traffic generated by tens of thousands of small office/home office (SOHO) routers infected with MrBlack. This massive botnet spans over 109 countries, with infected devices concentrated especially in Thailand and Brazil.
MrBlack scans for and infects routers that still use their default login credentials and that allow remote access over HTTP and SSH on port 80 and port 22, respectively. One of the most impacted router brands is Ubiquiti, a U.S.-based firm that provides bulk network hub solutions for internet service providers to lease to their customers. Once a vulnerable router is compromised and MrBlack is injected into the system, a remote server is contacted and system information from the device is transmitted. This allows the host server to receive commands in order to perform different types of DDoS attacks, download and execute files, and terminate processes.
2021-12-19 ⋅ BleepingComputer ⋅ Exposed Docker APIs Abused by DDoS, Cryptojacking Botnet Malware
2017-11-17 ⋅ LloydLabs ⋅ [Part 1] - Analysing the New Linux/AES.DDoS IoT Malware
2015-12-03 ⋅ 360 Internet Security Center ⋅ Automatically Classifying Unknown Bots by The REGISTER Messages (MrBlack, XOR DDoS, DarkShell)
2015-09 ⋅ Virus Bulletin ⋅ DDoS Trojan: A Malicious Concept that Conquered the ELF Format (Bashlite, MrBlack, XOR DDoS, BillGates)
2014-05-15 ⋅ Dr.Web ⋅ DDoS Trojans attack Linux
There is no Yara-Signature yet.