A botnet named ‘Pink’ infected over 1.6 million devices, according to security researchers who have been analyzing the malicious network for some time.
Pink has been used to launch over 100 DDoS attacks to date, making it the largest botnet that Qihoo 360’s Netlab security team has observed in the wild for around six years.
Threats from hackers and botnets have ramped up in the past 18 months, with the rise of hybrid working making it harder for companies to secure all the weak points of their infrastructure. We explain what this botnet is doing, and how to protect against it.
What is the Pink Botnet Doing?
The botnet in question has been named ‘Pink’ by security researchers after a sample collected at the tail end of 2019 had a number of function names starting with pink.
It is estimated to have infected around 1.6 million devices across the globe, with the vast majority (96%) located in China. This figure denotes the number of devices that are now botnet nodes, rather than the number of devices affected by the malicious behavior of Pink. Researchers observed over 103,000 nodes that were still active towards the end of October 2021.
The Pink botnet has largely been focused on orchestrating DDoS (Distributed Denial of Service) attacks. A DDoS attack overwhelms a network, server, or organization with an unmanageable volume of bogus traffic, causing it to crash or become unusable for genuine visitors or users.
Pink has also been inserting advertisements into HTTPS traffic. Netlab, the security research team that has been tracking Pink, describes this process as “HTTP message injection”, stating that “on the victim device, advertising js scripts will be injected when traffic type is http”.
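One way a defender can check for the kind of in-transit script injection Netlab describes: fetch the same page once over plain HTTP through the suspect gateway and once over a trusted path, and report any script element that appears only in the suspect copy. This is an added example, not Netlab's or the article's code; it assumes both copies of the page are available and uses constructed sample HTML.

```python
# Added example (not Netlab's code): flag <script> elements that appear in a page
# received over plain HTTP through a suspect gateway but not in a reference copy
# of the same page fetched over a trusted path (assumed to be available).
from html.parser import HTMLParser


class _ScriptCollector(HTMLParser):
    # Collects ("src", url) for external scripts and ("inline", body) for inline ones.
    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.scripts.append(("src", src.strip()))
            else:
                self._in_script = True  # inline body arrives via handle_data

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            body = " ".join("".join(self._buf).split())  # normalise whitespace
            if body:
                self.scripts.append(("inline", body))
            self._in_script, self._buf = False, []


def collect_scripts(html):
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.scripts


def find_injected_scripts(suspect_html, reference_html):
    # Scripts present in the suspect copy but absent from the reference copy.
    reference = set(collect_scripts(reference_html))
    return [s for s in collect_scripts(suspect_html) if s not in reference]


# Constructed sample input: the same page, clean and with an external ad script
# plus an inline tag added in transit (ads.example is a placeholder domain).
REFERENCE_HTML = "<html><head><script src='/app.js'></script></head><body>hi</body></html>"
SUSPECT_HTML = ("<html><head><script src='/app.js'></script>"
                "<script src='http://ads.example/inject.js'></script></head>"
                "<body>hi<script>window.adTag='x';</script></body></html>")
```

Run it from a client behind the gateway you want to check; a non-empty result means something between you and the origin altered the page.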
How Does the Pink Botnet Work?
Pink has been breaking into computers in China to add devices to its network, exploiting zero-day vulnerabilities in network gateways of broadband devices produced by specific corporations.
Netlab explained further in a blog post that “Pink targets mainly mips based fiber router, and has very strong and robust architecture, it uses a combination of third-party services, P2P and central C2s for its’ bots to controller communications”.
This combination has made Pink particularly resilient to takedowns: when device vendors have tried to address the issue, the botnet controller has pushed its own firmware updates to the routers to maintain control. Other commands allow Pink to download files, scan devices, and launch DDoS attacks.
All of Pink’s transmission channels that the botmaster uses to communicate with the network are fully encrypted, making it quite hard to prevent devices from being subsumed into the network.
What is a Botnet?
‘Botnet’ is short for ‘robot network’: a large cohort of infected devices – often dubbed ‘zombies’ – that take commands from a hacker. These devices are usually chosen because they expose some exploitable entry point or lack basic security protections.
Post-infection, the zombie network nodes are used to spread the malicious code to other devices, expanding the network.
Botnets are used because a single actor working with one or two devices is limited in what they can do; a botnet lets the attacker launch larger assaults such as DDoS attacks (explained above), which require numerous devices to create traffic overloads.
Hackers – called botmasters in this context – often follow the client-server botnet model, which involves the botmaster controlling the network from a central ‘command and control’ server. This makes attacks slightly easier to orchestrate but also easier to detect.
The other model – peer-to-peer – allows every node in the network to operate as the command module and as a client node. Shutting down part of a peer-to-peer botnet will not necessarily stop or even hamper the botmaster. Pink, interestingly, has been found to be using peer-to-peer networks and a central command center for communications.
Protect Yourself Against Pink – And Other Botnets
Botnet Detection And Removal
Discovering you’re part of a botnet is not easy – it’s often not obvious that your device has been compromised. Slow and unstable connections and difficulty downloading updates can be a sign.
If you find out you are part of a robot network, replacing your clearly hackable router and switching your DNS provider will certainly help. However, the best thing you can do – particularly if you’re a business dealing with sensitive information – is download reliable antivirus software, scan your device, find the botnet malware, and remove it.
Just remember, there could be another reason for your system’s poor performance, and besides, not all botnets affect system performance in noticeable ways. There are, however, free websites out there that can scan your device and determine whether you’re part of a robot network, like Kaspersky’s Simda Botnet IP Scanner.
Preventing Botnet Infections And Attacks
Of course, having antivirus software installed will help you prevent botnet attacks as well as detect them if your computer is already resigned to life as a zombie node. To give yourself the best chance of avoiding this eventuality, steer clear of compressed files that need an unzipper to open. Avoid files without recognizable names, and remember a file can still be an executable without ending in ‘.exe’.
You should be very careful about what you download from torrenting sites, and only ever download apps directly from companies that designed and produced them, rather than third-party sites.
Another piece of tech worth investing in with botnets on the rise is a VPN. Because a VPN hides your IP address, it makes it harder for you to fall victim to a botnet’s attempted attacks.
The sheer size of Pink and the reaction from security researchers is quite concerning, so make sure you expand your knowledge and security structure – or risk becoming a zombie node yourself.