Hadoop Enterprise Servers Attacked by New DDoS Botnet

Feeding and growing in the shadows, the DemonBot DDoS botnet has been slowly taking over Apache Hadoop servers to use them in future DDoS attacks.

DemonBot Malware Feasting on Hadoop Servers

A group of attackers targeted incorrectly configured Hadoop YARN components to plant the DemonBot DDoS malware on resource-rich Apache Hadoop servers.

A new botnet has been slowly growing in the shadows, thriving on exposed Apache Hadoop servers and planting bots on susceptible machines to be used in future DDoS attacks.

The botnet was first discovered in honeypot data by a researcher from NewSky Security while the malware was still in its early stages; it has been maturing and expanding since.

Initially the botnet consisted of a few control servers and a few commands, but a recent threat alert from the cyber-security firm Radware says it has now grown to more than 70 servers.

These servers scan the internet for Hadoop installations with an incorrectly configured YARN module.

Yet Another Resource Negotiator (YARN) is an underlying component of the Apache Hadoop data processing framework, which is often used in cloud computing environments and large enterprises.

As soon as the botnet (named DemonBot by Radware) finds a susceptible victim, it tries to take advantage of the YARN misconfiguration to install a bot process on the exposed Hadoop system.

According to Radware, DemonBot currently attempts more than 1 million YARN exploits every day and has grown tremendously over the past few months.

Pascal Geenens, a cyber-security expert, said in a recent interview that they have no count of infected Hadoop servers (the actual bots). Because the bots themselves are not scanning or exploiting, they do not generate the noise (traffic) that could be detected and mapped out.

With the botnet's total size unknown, another major mystery remains to be untangled. Instead of deploying cryptocurrency-mining malware, which would undoubtedly generate more profit and fewer legal problems, why would this botnet target resource-rich servers like Hadoop and launch conspicuous, vicious DDoS attacks?

All these points indicate that this botnet is the work of "skids", a term cyber-security professionals use for malware authors who patch together malware or botnet strains from readily available scripts, with poor operational security.

Earlier this month Ankit Anubhav, who currently works at NewSky Security, tweeted that this is exactly what appears to have happened, and that the malware seems to be connected with the creators of the Sora botnet, who were also responsible for various other botnets, for instance Anarchy, Owari, Omni and several others, all of which were used for DDoS attacks as well.

Answering the question of how the servers are being attacked, both Geenens and Anubhav have pointed to the same issue: an incorrect configuration in Hadoop's YARN module that has been well known for at least two years.

According to proof-of-concept code published on GitHub and ExploitDB, attackers allegedly access an internal API that was possibly left open to external connections. The exploit then uses that API to deploy and run an ordinary YARN application on the Hadoop cluster, which in DemonBot's case is a DDoS-capable malware strain.

The exploit has become very widespread in the past few months, having also been used by the multi-purpose Xbash malware over the summer.

Geenens added that some things are best kept private and were never meant to be exposed on the internet.

To ensure that their Hadoop servers are not shooting themselves in the foot, operators should review their YARN configuration as soon as possible.
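As an added, defender-side illustration of the configuration review recommended above and of the exposed-API problem described earlier (this is example code, not code from the article, Radware or NewSky Security), the following Python script audits a Hadoop core-site.xml and yarn-site.xml pair for the settings that leave a ResourceManager reachable and unauthenticated, and shows a weak configuration beside a hardened one. The property names are real Hadoop configuration keys; the XML samples, the internal address 10.0.0.5 and the finding labels are constructed for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a core-site.xml / yarn-site.xml pair carrying the defaults that
# leave a ResourceManager open to anonymous application submission (example data).
WEAK_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>simple</value></property>
  <property><name>hadoop.http.authentication.type</name><value>simple</value></property>
</configuration>"""

WEAK_YARN_SITE = """<configuration>
  <property><name>yarn.acl.enable</name><value>false</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>0.0.0.0:8088</value></property>
</configuration>"""

# Constructed sample: the same pair after hardening (Kerberos on RPC and HTTP, ACLs on,
# web endpoint bound to an internal address instead of every interface).
HARDENED_CORE_SITE = """<configuration>
  <property><name>hadoop.security.authentication</name><value>kerberos</value></property>
  <property><name>hadoop.http.authentication.type</name><value>kerberos</value></property>
</configuration>"""

HARDENED_YARN_SITE = """<configuration>
  <property><name>yarn.acl.enable</name><value>true</value></property>
  <property><name>yarn.admin.acl</name><value>yarn</value></property>
  <property><name>yarn.resourcemanager.webapp.address</name><value>10.0.0.5:8088</value></property>
</configuration>"""


def load_props(xml_text):
    """Parse a Hadoop *-site.xml document into a {name: value} dict."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def audit_yarn_exposure(core_props, yarn_props):
    """Return a list of finding labels; an empty list means nothing was flagged.

    Missing keys are treated as Hadoop's defaults, because an absent key is
    exactly how the weak setting usually ends up in production.
    """
    findings = []
    # RPC layer: "simple" authentication lets any caller claim any username.
    if core_props.get("hadoop.security.authentication", "simple").lower() != "kerberos":
        findings.append("rpc-unauthenticated")
    # HTTP layer: the ResourceManager REST API and web UI accept anonymous requests.
    if core_props.get("hadoop.http.authentication.type", "simple").lower() == "simple":
        findings.append("http-unauthenticated")
    # Without ACLs, any submitter may run an application on the cluster.
    if yarn_props.get("yarn.acl.enable", "false").lower() != "true":
        findings.append("yarn-acl-disabled")
    # Binding the web endpoint to 0.0.0.0 exposes it on every network interface.
    webapp = yarn_props.get("yarn.resourcemanager.webapp.address", "")
    if webapp.startswith("0.0.0.0"):
        findings.append("webapp-all-interfaces")
    return findings


if __name__ == "__main__":
    for label, core, yarn in (("weak", WEAK_CORE_SITE, WEAK_YARN_SITE),
                              ("hardened", HARDENED_CORE_SITE, HARDENED_YARN_SITE)):
        result = audit_yarn_exposure(load_props(core), load_props(yarn))
        print(f"{label}: {result or 'no findings'}")
```

The script only inspects configuration files, so a clean result says nothing about network reachability: the ResourceManager ports should still be restricted to trusted networks at the firewall or security-group level, and the cluster's real files live under the Hadoop configuration directory rather than in the inline samples used here.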