AVrecon Malware Attacks Linux Routers And Creates Botnet

Malware infected tens of thousands of routers undetected over a two-year period. The affected devices are used in smaller offices and by private users. Hijacked routers were used to set up a botnet.

Botnet built with 40,000 nodes

The malware goes by the name of AVrecon and is said to have infected more than 70,000 routers used in small offices and home offices (SOHO). The affected devices run Linux. The resulting botnet consists of 40,000 nodes in 20 countries and allows the operators to carry out numerous criminal activities. Using 15 command-and-control servers, the attackers have been controlling the botnet since at least October 2021.

The attackers can launch a remote shell and send arbitrary commands to infected routers, which also lets them install further malware on the devices. According to Lotus Labs and Bleeping Computer, AVrecon does not cause any noticeable disruption and therefore goes unnoticed by most users.

AVrecon uses port 48102 and gains access to the routers through unpatched vulnerabilities and by trying default passwords. It is currently unclear which manufacturers the infected devices come from. Unlike other botnets, the operators rarely carry out DDoS attacks or crypto-mining, so as not to consume conspicuous amounts of bandwidth and to remain undetected.
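The only concrete indicator the article gives is port 48102, so the natural defender-side check is to look for that port in router firewall logs and in the router's own listening sockets. The following script is an added example written for this page, not code from the article or from any vendor report. It assumes a netfilter-style log line layout (`SRC=... DST=... PROTO=... SPT=... DPT=...`) and a `netstat -tln`-style listener table; both sample inputs below are constructed, and the allowed-listener set is a placeholder you would replace with the ports your router legitimately exposes.

```python
import re
from dataclasses import dataclass

# Port reported in the article as used by AVrecon.
AVRECON_PORT = 48102

# Constructed sample lines in the netfilter LOG target layout (assumed format,
# not real captures). Addresses are documentation ranges.
SAMPLE_FIREWALL_LOG = """\
Jul 14 10:02:11 router kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=48102
Jul 14 10:02:12 router kernel: IN=br0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=48102 DPT=443
Jul 14 10:03:01 router kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=40000 DPT=22
Jul 14 10:04:45 router kernel: IN=br0 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=UDP SPT=53000 DPT=53
"""

# Constructed sample output in the shape of `netstat -tln` (assumed layout).
SAMPLE_LISTENERS = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:48102           0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN
"""

LOG_FIELDS = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class PortHit:
    timestamp: str
    src: str
    dst: str
    proto: str
    spt: int
    dpt: int


def find_port_hits(log_text: str, port: int = AVRECON_PORT) -> list[PortHit]:
    """Return every logged flow whose source or destination port equals `port`."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_FIELDS.search(line)
        if not m:
            continue  # not a netfilter flow line; skip
        spt, dpt = int(m["spt"]), int(m["dpt"])
        if port in (spt, dpt):
            hits.append(PortHit(line[:15], m["src"], m["dst"], m["proto"], spt, dpt))
    return hits


def find_unexpected_listeners(netstat_text: str, allowed_ports: set[int]) -> list[tuple[str, int]]:
    """Return (address, port) pairs in LISTEN state whose port is not in `allowed_ports`."""
    unexpected = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[-1] != "LISTEN":
            continue  # header or non-listening socket
        addr, port_str = fields[3].rsplit(":", 1)
        port = int(port_str)
        if port not in allowed_ports:
            unexpected.append((addr, port))
    return unexpected


if __name__ == "__main__":
    for hit in find_port_hits(SAMPLE_FIREWALL_LOG):
        print(f"{hit.timestamp} {hit.proto} {hit.src}:{hit.spt} -> {hit.dst}:{hit.dpt}")
    # Placeholder allow-list: replace with the ports your router legitimately exposes.
    for addr, port in find_unexpected_listeners(SAMPLE_LISTENERS, allowed_ports={80, 53}):
        print(f"unexpected listener {addr}:{port}")
```

A single hit on port 48102 is not proof of infection, since any process may pick that number as an ephemeral source port; the persuasive signal is the combination of a socket listening on 48102 and repeated flows to or from it over time, which is why both checks are kept together.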

Security updates are necessary

If you want to protect yourself against the AVrecon malware, you should restart your router regularly and install the latest security patches. In addition, the devices should be protected with a strong password.

Private users and home-office workers in particular rarely concern themselves with the security of their router as long as the connection works reliably. This may also explain why AVrecon mainly targets SOHO routers and was discovered in only very few cases. In larger offices, the devices are usually better secured.
