Roboto Botnet: What do We Know About the Awaiting Attack?

A newly-discovered botnet is taking over the Internet — Roboto Botnet. Though it’s not as big botnet attack as Cutwail (a spam botnet) or Storm


A newly-discovered botnet is taking over the Internet — Roboto Botnet. Though it’s not as big botnet attack as Cutwail (a spam botnet) or Storm (a peer-to-peer botnet), Roboto is quickly spreading among the web servers using Linux.

So, what’s the danger? What’s causing the attack? And how can you stay safe? Let’s discuss all these questions in order to get to know Roboto Botnet.

What is Roboto Botnet?

Roboto Botnet is a newly-discovered peer-to-peer botnet. It’s known to target a remote code execution vulnerability in Linux Webmin. That means the servers running Linux and using Webmin are at a huge risk of getting compromised!

But wait, what’s a Botnet? In case you’re wondering about botnets, “a botnet is nothing more than a string of connected computers coordinated together to perform a task. That can be maintaining a chatroom, or it can be taking control of your computer. Botnets are just one of the many perils out there on the Internet. What you need to be careful of are the illegal and malicious botnets. What happens is that botnets gain access to your machine through some piece of malicious coding. In some cases, your machine is directly hacked, while other times what is known as a “spider” (a program that crawls the Internet looking for holes in security to exploit) does the hacking automatically,” according to Symantec — the popular security firm.

Which Vulnerability does it Target?

Roboto Botnet targets a remote code execution bug in Webmin for Linux. It’s using the popularity of Webmin to quickly spread to thousands of servers.

What is Webmin? Webmin is a web-based system administration utility for multiple platforms including Linux, Unix, as well as Windows. It’s mostly used for configuring and managing the system from the console or remotely via a web interface. In simple words, it’s a “control panel” for managing the system and a host of apps and services like Apache HTTP Server and Postfix Mail Server.

What is this vulnerability? The vulnerability (CVE-2019-15107) was already fixed in August, but yet, it’s not patched in thousands of web servers connected to the Internet. It’s a classic example of a 1-day attack, wherein, the attackers target a known and fixed but not yet patched vulnerability. They take advantage of the lazy web admins who are slow in updating and patching their web servers.

Why is it Named Roboto Botnet?

The botnet was first discovered by 360 Netlab — a network security research lab. Their 360Netlab Unknown Threat Detection System discovered a suspicious file on 26th August, which they described as a peer-to-peer bot program.

Later on, they discovered another suspicious sample, which emerged to be a download program. This download program downloads the bot program from two web locations. And one of these locations disguised the bot program as “roboto.ttc” — a popular web font on Google Fonts. Since this was the only early-known clue, 360 Netlab decided to name the botnet as “Roboto Botnet”.

How Roboto Botnet Works?

Roboto Botnet mainly supports 7 functions: reverse shell, self-uninstall, gather process' network information, gather Bot information, execute system commands, run encrypted files specified in URLs, DDoS attack, etc. At the same time, it also uses Curve25519, Ed25519, TEA, SHA256, HMAC-SHA256 and other algorithms to ensure the integrity and security of its components and P2P network, create the corresponding Linux self-starting script based on the target system, and disguise its own files and processes name to gain persistence control,” according to 360 Netlab — the network security research firm who discovered this botnet.

What’s more interesting? Roboto Botnet supports DDoS as well, though it’s not its primary goal, reports 360 Netlab. Although it supports DDoS, 360 Netlab has not been able to capture an attack command to clearly inspect its features.

Roboto Botnet is carefully crafted and developed as malicious software. Its programs are well-designed around functionality as well as security. They talk to each other using necessary algorithms to ensure data integrity and security. For example, a peer only connects to a bot if the incoming request is consistent with the peer’s public key, then it uses its public key to calculate the SharedKey.

Then, it performs signature verification for every attack command to ensure each command is genuine and the peer-to-peer network is not taken over by a third party (say, a security research firm). The attackers behind Roboto Botnet adopted various mechanisms to make sure that they’re the only ones controlling the botnet. That’s why a node only accepts and executes signed commands.

How to Defend against Roboto?

First of all, you must do the most important thing: you should update Webmin for Linux. Webmin 1.930, which was released on 17th August 2019, patched the security vulnerability that forms the biggest resource for the Roboto Botnet. If your systems are still not infected, Roboto won’t be able to do any harm.

However, you must also test your systems to ensure you’re not already infected by the Roboto Botnet. But, it’s not an easy process. So, let’s check the details.

1. Check for its Addresses

There are various domain names and web addresses that you must check for in your server. If your server is connecting or had ever connected to any one of these addresses, your web server is probably compromised, unfortunately!


●        95.216..17.209:57935







2. Check for its Processes

Roboto fakes as numerous processes in order to hide its identity. You must ensure that your server is not running any one of the following processes. If your server has a running process with one of these names, it’s probably infected.

●        /sbin/rpcbind

●        /usr/bin/python

●        upstart-socket-bridge

●        /usr/sbin/irqbalance

●        /lib/systemd/systemd-udevd

●        /usr/libexec/postfix/master

3. Check for its File Names

Roboto downloads its additional programs as files on the storage or creates its configuration files. So, you must check for these files on your web server. If your web server has one of these files present on its storage, it’s already infected.


●        .node_repl_history.gz

●        $home/.config/trolltech.conf

●        /etc/iproute2/rt_ksfield

That’s all to know about Roboto Botnet. If you’re using Webmin, you must update your system to Webmin 1.930 to stay safe. Did you find this post help

TAGS: Bots, Robots, Roboto Botnet