The Kimwolf botnet is stalking your local network
krebsonsecurity.comHow is it not obvious to everyone reading HN that janky Android "TV" boxes (like the article references) are a by-default threat?
Like seriously, many of them are sold for stupid cheap prices like $5/ea. Or advertise unlimited movies/shows/etc for similarly unbelievable prices.
Putting aside the copyright infringement aspect of it, to me it's extremely obvious "wait... _why_ am I paying so little here?".
No, it's not because movies and shows are 99.9999% profit (spoiler: they aren't), it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.
You like having a credit card? That's precious, it's mine now.
Look at me, I'm the network now.
>you're _paying_ to install a backdoor that will rip and tear everything on your network it can*
How is this different from buying hardware and software from big market players?
they just steal different things
Brand damage; The big players have more to loose from being caught installing backdoors on devices sold to the general public, and will probably put in something in the T&Cs to deflect their responsibilities.
*Samsung Core Features has the chat.*
It's quite obvious to everyone here.
Why it's not obvious to every Senator and Representative in our Government is frustrating to an extreme.
We really do need to end our enhance our trade protections one way or another.
>Why it's not obvious to every Senator and Representative in our Government is frustrating to an extreme.
Why? How does this impact your life enough to be that frustrating?
Money talks
Some people love money more than they love you
> it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.
I mean, maybe. More likely imo you're paying for the absolute cheapest hardware and fastest never-updated software someone could throw together and make _any_ profit on. Someone probably had 100k shitty little chips sitting in a warehouse and this was a way to do something with them.
The outcome is really the same, it's just the steps to get there are more human nature.
Even many TVs with "reputable" western brand names, on the shelf at major US retailers, are often sold at a loss on the hardware and the difference is made up by collecting advertising data.
https://www.broadbandtvnews.com/2024/11/18/tv-companies-sell...
> you just have to look at the finances of Vizio or Roku to see they’re selling TVs at somewhere between -3 and -7% margin
Wow those negative margins are WILD!
At a price tag of $5/ea the cost of just advertising and distribution exceeds the cost of the product itself. There is zero room for profit. The business model is installing back doors to the "clients" and stealing money, information, and anything else from them. Consider that even the cost of the included remote is a huge part of the actual hardware cost, and nobody is going to buy something like this without a remote.
Shit man my Pet Feeder setup a back door to my network.. ended up reverse engineering the entire tuya piece of shit just so I could keep the automatic feeder running.
Fucking everyone is spying. I started downloading and decrypting apps from the App Store. It’s a god damn nightmare. Random apps are storing keys in the keychain (thanks expo!) that never leave our apple account. They follow us forever. You can’t delete them. Well.. there’s one way but it involves backing up your phone, putting it in recovery mode, and restoring from backup.
> Or advertise unlimited movies/shows/etc for similarly unbelievable prices.
I mean, it's pretty obvious the services are paid piracy. But it's got to cost something to pull VOD movies from wherever and serve them with an http server limited at 8 mbps even for content that exceeds that. Obviously someone doesn't want the content they stole to be easy to steal... too bad you can't reasonably play it either. :P
> However, shipping these devices with ADB turned on creates a security nightmare because in this state they constantly listen for and accept unauthenticated connection requests.
I'm confused. I intentionally use ADB over the network sometimes, and I have to explicitly interactively allow each adb client by its key. Are they shipping boxes with adb configured to just allow any connection without any verification?
I love how frequently Botnet creators reference Krebs. Like they are his biggest fans, and they just want a shoutout on his blog.
This is wild.
It must be crowded on these devices by now - it may be a bit misleading to think of it as a single botnet when there are multiple unrelated entities controlling the same devices via the same methods.
Very interesting! A tutorial to check if kimwolf is running on your network would be nice
Not exactly the answer but if you have one of the affected mentioned devices it should be listening on TCP port 5555. You can do a port scan for that.
Replace netmask as appropriate.nmap -Pn 192.168.0.0/16 -p 5555Now that it's publicly known I guess it's possible that they will close the door post-infection to avoid detecton. And it won't detect any other devices it's spread further to.
If you have a cheapo Android-based TV box or stick like the ones mentioned, throw it out or reflash it with Armbian after forensics.
I'm sure there are HN readers out there who have one of these. They were very popular a couple of years back.
Based on the article, try looking for android devices with adb running on the network.
This article[0] includes a link to a online checker: https://synthient.com/check
Have not tested it myself ymmv.
[0] https://synthient.com/blog/a-broken-system-fueling-botnets
It only references a database of publicly scanned IPs, it won't help you if the device is behind a nat router.
Does someone know if the port must be 5555 for this botnet?
It's the Android debugger port, and it's used for infection, but the article doesn't exclude other methods nor mentions ports used by the malware.
Well the first thing to check is, do you own and operate any of these janky Android "TV" boxes sold by companies nobody has heard of? If yes? Then there's probably your answer.
I couldn't really follow the technical details of the malware from the article, so I found what seems to be the first major report on the topic:
https://blog.xlab.qianxin.com/kimwolf-botnet-en/#network-pro...
That article has a more technical lens. It focuses primarily on the size and detection evasion methods of Kimwolf, rather than some notable (and definitely not unique) method of spreading.
Without looking too deeply, I'm going to assume that this is a successful botnet because it managed to get into product supply lines at big box stores and in app store games, rather than some clever virus that is spreading across the world.
I hope someone will correct me if I am mistaken!
What’s the deal with that seemingly random address written out as a domain name? Brian krebb’s home address?
14 emelia terrace west roxbury ma 02132 . su
As for your assumption the OP talks about how it uses residential proxies to get into lans, I don’t think it is a supply chain attack.
Krebs redacted the one that was his own home address. Certainly someone's home address: https://www.zillow.com/homedetails/14-Emelia-Ter-West-Roxbur...
So is there some catch all setting I can enable in my router to prevent my devices talking to eachother on the local network?
Heads up that even if you block local forwarding in the router, it won't always be enough to prevent devices talking to each other over, say, an unmanaged switch or a wifi link.
Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.
On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.
I'm in the middle of setting up DD-WRT on an old router (I'd use OpenWRT if I could) just to play around with VLANs and AP isolation.
Instead of that I highly recommend either setting up a VM or picking up a $35 thin client and running OPNSense. After years of OpenWRT/DD-WRT I switched about 5 years ago and oh my god what a difference. You will spend basically 0 time on system maintenance and just focus on the actual networking stuff. It has more knobs than a basic router but the UI is excellent and there are very few bugs, if any.
In most shitty routers: no. They don't even have raw ability to do that.
You can look around for something like device isolation, but I doubt you'll find it unless you go a couple of steps up from whatever router ISPs ~give away these days.
My ISP's router has isolation. Has had for 5+ years. Main SSID has it off so we can do LAN stuff. Guest SSID is used for IoT things and isolation turned off. Handy.
What exactly does it isolate? An SSID? IP addresses? individual MAC addresses? How does this stop a pre-infected device you purchased from shitting traffic out of your network, acting as a residential proxy or try to own your other IoT devices?
The one I've seen on ~basic consumer routers just disallows wifi devices from talking to each other at all, it won't route between them. I usually need something more nuanced personally, but it's not a bad start at all.
Sometimes; I've seen it called client isolation or something like that. Or, yeah, if you can get under the hood it's probably as easy as one or two iptables rules (or nftables or whatever).
Is this true? For devices on the same subnet, I'm petty sure they don't even have to takl to the router. Maybe a managed switch can stop it, but I doubt most home routers have anything more than a dumb switch in them.
It depends™:) Yeah, if you have a dumb switch with devices plugged in, then the upstream router probably isn't relevant. But if you've got all devices on wifi running through a single box that's a router+switch+WAP+modem (very common in consumer home networking) then that single network box is in an excellent position to control devices talking to each other. YMMV.
Client isolation is a Wi-Fi feature, not an Ethernet feature. So a wireless client can't talk directly to another wireless client when client isolation is on.
Wired clients are unaffected.
usually lan devices do not talk to the router unless they need a resource outside your lan network
you can however isolate with vlans and a vlan capable switch, then it would be on the router to isolate traffic between lans (I do exactly this for my less trusted virtual machines)
How hard would it be to grab one of these little virus boxes and flash it with linux?
Well then you just have a very overpriced, extremely low power linux box that doesn't do what you want it to do
I know this may seem trivial for many here but how can regular people easily check and debug their network for stuff like this?
Regular people don't need a "secure network". Phones and computers are, by default, secure against malicious networks.
Just don't run code you download from the internet or put your passwords to important accounts into cheap devices and you'll be fine. Normally people don't the the former, but sometimes do the latter.
edit: To be clear: the bitterness in this comment comes from how many developers assume loopback is secure. However, most website are allowed to send requests to local ports on your computer (IIRC) so that assumption is basically completely false. This is forgivable, except in a world where every developer runs tons of extensions/scripts/open-source apps, and have next-to-zero blast-radius-reduction methods, it makes me sad.
Regular people download shit all the time though? Especially now with GPT, everyone is a programmer pasting code into command line. And how many people have IoT devices that they have to connect to WiFi? That’s total blind trust.
Every time I ask this question nobody is able to give me a solid answer :/
Based on the :/ emoticon, I now understand that you were asking this question for yourself. In that case, I will express anger at the article. I believe that it was vague and leaned into fear mongering. This explains the vagueness of your question (emphasis mind):
> I know this may seem trivial for many here but how can regular people easily check and debug their network for stuff like this?
"Stuff like this" is very vague.
- If there is a device on your network that is occasionally sending requests to the internet, then it generally isn't hurting you. That's why security is weak here, because the person buying the device is not harmed.
- If you're worried about the device sniffing your local network, then "normal people" are typically safe. Computers that you use are typically safe from malicious devices on the network, and you're in no more danger than working at a coffee shop, hotel, or university network.
- If you're knowledgeable enough to be a danger to yourself, and need the local network to be safe to protect yourself, then there is definitely a longer conversation to be had.
Responding point by point (before I realized that you were asking for yourself, and not the average person):
> Regular people download shit all the time though?
This is fair, though on macOS, most people download apps from the App Store (macOS makes it difficult to run apps downloaded from the internet and not signed by a registered developer).
> Especially now with GPT, everyone is a programmer pasting code into command line.
I am trying to reference a group of "regular people" who definitely do not fit this description---something like "the average citizen in the developed world". My parents definitely are not writing code with AI and pasting it into the command line. Although this was not crystal clear in this comment chain.
> And how many people have IoT devices that they have to connect to WiFi? That’s total blind trust.
My point was these devices do not endanger things that regular people care about. Their computers are still just as secure as when they visit a coffee shop or connect to their university wifi.
> Every time I ask this question nobody is able to give me a solid answer :/
for stuff like this?
Sure they can send requests but they can't receive them unless you've got misconfigured CORS. I guess there's DNS rebinding but like, idk, attack surface seems pretty small. This sort of stuff isn't really worth worrying about unless you're an idiot or likely to be the victim of a targeted attack. I happily run code off the internet all the time and it seems fine. If there's one thing that really seems like a mind virus it's the paranoia all security people get, I can't imagine living life like that. I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
Maybe I've just gotten lucky?
(i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
So, purely for example:
When you run VS Code, it spins up a local language server that is capable of making code changes. That is how refactoring python works in many editors (including VS Code).
A website that you're browsing could potentially send requests to this server asking for code to be inserted that fully compromises your device. What keeps us safe?
- maybe the website is only allowed to send GET requests, not PUT requests, and maybe the language servers that you're using are all "hardened" so that they will never permit mutations via any get requests, and never have a misconfigured CORS header
- the website has to guess the correct port and the correct language server with a known vulnerability
- any website doing this on a large scale would likely get the language server patched and the website on a block list
- there might be other safeguards that I'm not familiar with. For example, I believe that Chrome disallows this by default
So now, here's my frustration: these two statements seem hugely at odds with each other:
> I'm ok getting pwned every few decades if the tradeoff is never worrying about this shit.
> (i will say putting a device not running open source software/firmware or something very locked down like a phone on your LAN is insanity, i could never)
I'm ok with a person who makes either statement. I'm also ok with a person who makes the first statement, and also wants their LAN locked down. However, I do not feel as though the a LAN ever needs to be locked down unless a person in running a server on the LAN network. Personal devices (like laptops and phones) are plenty capable of resisting malicious networks by default (coffee shops, university wifi, etc). What else is on a LAN?
> mind virus it's the paranoia all security people get
I generally agree with you, but I feel as though I am the one who has accepted that personal laptops need to handle malicious networks, and I'm generally comfortable with that. I don't worry too much about putting IoT devices on the same network as my personal laptop, nor about connecting to coffee shop wifis.
> to relay malicious and abusive Internet traffic — such as ad fraud, account takeover attempts and mass content scraping
Oh no, let me get my tiny violin! Really hard to feel bad here. For most home users (that don’t expose anything sensitive on their LAN) these boxes are not a threat, seem to be doing a useful service in providing a superior streaming service that the balkanized official ones, and also shits on internet spammers/advertisers and frees up loginwalled content - sounds like a pretty good box really.
> sounds like a pretty good box really.
You can buy a better one that does not have malware installed. So these are complete and total garbage and no sane person should run them under any circumstance. Sounds like you have a bias which has prevented you from thinking about this clearly.
> You can buy a better one that does not have malware installed.
You can buy a better one if you have the technical know-how. But if you did you'd probably be running the *arr stack anyway and not need such a box. But these boxes do work and aren't any more of a threat than your usual public Wi-Fi for the casual user who does not expose any services to the LAN.
The alarm around them is less about the threat to its owner and more about the threat to the tech ecosystem at large... which considering how hostile it is to users, shouldn't really be something they have any reason to worry about.
Until all their accounts get pwned due to credential stuffing over this or a similar botnet - being the average person with weak, reused passwords?
The majority of accounts out there don't have anything of value. If it gets pwned the person just resets their password and calls it a day (in fact due to the lack of password manager their usual workflow is to reset the password anyway on each login since they never remember whatever variation of their shitty weak password they used).
I’d be nice to control where the money and content go. If I could, I’d strongly consider firing up an old raspberry pi or two.
Also, is there a better word than ad fraud? It needs an innocuous sounding euphemism like pretty much everything else involving that industry has. “Monetizing ad display”? “User-agent driven conversions?”
The actual industry lingo is "invalid traffic" :P