A botnet targeting Windows computers is growing rapidly by guessing weak passwords for computers connected to the Internet. The malware uses a rootkit that makes it difficult to detect.
The Purple Fox malware was first spotted in 2018, when it infected more than 30,000 computers as a trojan. Until recently, the malware only spread through exploit kits and phishing emails, like most other malware. Now it can also spread by brute-forcing the Server Message Block (SMB) password of Internet-connected Windows computers. As a result, the malware is rapidly spreading across Windows computers with weak passwords and hashes.
The discovery was made by researchers Amit Serper and Ophir Harpaz of Guardicore Labs. In a blog post, the two describe how the malware gains access to vulnerable computers via SMB, the protocol Windows uses to communicate with printers and file servers. Once it has access, the malware pulls the required payload from a network of roughly 2,000 older, vulnerable Windows web servers and silently installs a rootkit, which makes it difficult to discover and remove.
Attack path of the malware. Image: Guardicore Labs
Once the computer is infected, the malware closes the firewall ports it used to get in, both to prevent re-infection and to stop others from abusing the same access. Immediately afterwards, the malware generates a list of Internet addresses and scans the Internet for further devices to infect through weak passwords, creating an ever-growing botnet.
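As an added defender-side illustration (not code from the Guardicore write-up), the snippet below shows how the password-guessing behaviour described above can be spotted in Windows Security logs: it counts failed network logons (event 4625, logon type 3) per source address within a short window and flags a source whose burst of failures is followed by a successful logon (event 4624). The event records are constructed sample data; the field layout is a simplified assumption, not a real export format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records modelled on Windows Security log fields:
# (timestamp, event id, logon type, source address, account). Not real telemetry.
SAMPLE_EVENTS = [
    ("2021-03-23T02:00:01", 4625, 3, "198.51.100.7", "administrator"),
    ("2021-03-23T02:00:02", 4625, 3, "198.51.100.7", "admin"),
    ("2021-03-23T02:00:03", 4625, 3, "198.51.100.7", "backup"),
    ("2021-03-23T02:00:04", 4625, 3, "198.51.100.7", "user"),
    ("2021-03-23T02:00:05", 4625, 3, "198.51.100.7", "test"),
    ("2021-03-23T02:00:06", 4624, 3, "198.51.100.7", "test"),   # guess succeeded
    ("2021-03-23T02:10:00", 4625, 3, "203.0.113.9", "svc"),     # single failure
    ("2021-03-23T02:11:00", 4625, 2, "127.0.0.1", "alice"),     # interactive typo, not network
    ("2021-03-23T03:00:00", 4624, 3, "192.0.2.5", "fileshare"), # legitimate share access
]

FAIL, SUCCESS, NETWORK_LOGON = 4625, 4624, 3

def detect_smb_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {source_ip: verdict} for every source with at least `threshold`
    failed network logons inside `window`; the verdict records whether a
    successful logon from the same source followed within another `window`."""
    failures = defaultdict(list)   # ip -> timestamps of failed network logons
    successes = defaultdict(list)  # ip -> timestamps of successful network logons
    for ts, event_id, logon_type, ip, _account in events:
        if logon_type != NETWORK_LOGON:  # SMB guesses arrive as network (type 3) logons
            continue
        t = datetime.fromisoformat(ts)
        if event_id == FAIL:
            failures[ip].append(t)
        elif event_id == SUCCESS:
            successes[ip].append(t)
    findings = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: look for any run of `threshold` failures within `window`.
        for i in range(len(times) - threshold + 1):
            last_fail = times[i + threshold - 1]
            if last_fail - times[i] <= window:
                followed = any(last_fail <= s <= last_fail + window for s in successes.get(ip, []))
                findings[ip] = "brute-force followed by successful logon" if followed else "brute-force attempts"
                break
    return findings

if __name__ == "__main__":
    for ip, verdict in detect_smb_bruteforce(SAMPLE_EVENTS).items():
        print(f"{ip}: {verdict}")
```

Only the source that both exceeds the failure threshold and then logs on successfully is reported, while the lone failure, the local interactive mistake and the legitimate share access are ignored.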
Botnets are generally used to carry out DDoS attacks, the kind of attacks that recently wreaked havoc when a series of DDoS attacks hit TransIP. However, botnets can also be used to spread malware and spam, or to deploy ransomware. It is not yet known exactly what the purpose of this malware is. Speaking to TechCrunch, Serper says he expects the botnet to lay the foundation for something bigger in the future. The malware's growth peaked in May last year, but the number of infected devices is still increasing.
Growth of Purple Fox malware. Image: Guardicore Labs