RE: https://infosec.exchange/@deepfield/116244394158929162

Published our #Katana botnet analysis today. 30K+ bots on Android TV boxes compromised via unauthenticated ADB — no exploit needed, just a residential proxy subscription.

Some highlights:
- Compiles its own rootkit on $30 TV boxes
- The rootkit doesn't always work (rival botnets keep removing it)
- Blocks emacs on Android TV, just in case
- OOM score -1000: the kernel will kill Netflix before it kills the bot
- 80 XOR operations to arrive at a single byte

https://github.com/deepfield/public-research/blob/main/katana/report.md

#threatintel
#DDoS
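The OOM-score highlight describes a persistence trick rather than an exploit: a process whose `oom_score_adj` is -1000 (the kernel's minimum, `OOM_SCORE_ADJ_MIN`) is skipped by the Linux OOM killer, so under memory pressure everything else on the box dies first. Because every process exposes that value under `/proc/<pid>/oom_score_adj`, a responder with a shell on a suspect device can list the processes that claim it. The script below is an added example written for this note, not code from the Katana report or from deepfield; the process names and PIDs in its sample tree are constructed, "kbot" is a hypothetical stand-in for the implant, and `proc_root` is parameterised only so the parser can be exercised against a fake `/proc`.

```python
"""List processes that have opted out of the Linux OOM killer.

Added example (not from the Katana report): scans <proc_root>/<pid>/oom_score_adj
and reports every process at or below a threshold, default -1000.
"""
import tempfile
from pathlib import Path

OOM_SCORE_ADJ_MIN = -1000  # kernel OOM_SCORE_ADJ_MIN: process is never OOM-killed


def read_oom_entries(proc_root="/proc"):
    """Yield (pid, comm, oom_score_adj) for every readable numeric /proc entry."""
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue  # meminfo, sys, self, ... are not processes
        try:
            adj = int((entry / "oom_score_adj").read_text().strip())
            comm = (entry / "comm").read_text().strip()
        except (OSError, ValueError):
            continue  # process exited mid-scan, or we lack permission to read it
        yield int(entry.name), comm, adj


def find_oom_immune(proc_root="/proc", threshold=OOM_SCORE_ADJ_MIN):
    """Return [(pid, comm, adj)] for processes with adj <= threshold, sorted by pid."""
    return sorted(
        (pid, comm, adj)
        for pid, comm, adj in read_oom_entries(proc_root)
        if adj <= threshold
    )


def build_fake_proc(root, procs):
    """Construct a minimal /proc lookalike from {pid: (comm, oom_score_adj)}."""
    for pid, (comm, adj) in procs.items():
        d = Path(root) / str(pid)
        d.mkdir()
        (d / "comm").write_text(comm + "\n")
        (d / "oom_score_adj").write_text(f"{adj}\n")
    # A non-process entry the scanner must ignore.
    (Path(root) / "meminfo").write_text("MemTotal: 1 kB\n")


# Constructed sample tree (hypothetical names and PIDs). Legitimate daemons may
# also protect themselves at -1000, so the listing is a lead, not a verdict.
SAMPLE_PROCS = {
    1: ("init", -1000),
    412: ("com.netflix.ninja", 0),       # ordinary app: first to go under pressure
    987: ("kbot", -1000),                # hypothetical implant at the minimum score
    1203: ("system_server", -900),       # privileged but not fully immune
}


def scan_sample(threshold=OOM_SCORE_ADJ_MIN):
    """Build the constructed tree in a temp dir and scan it with the given threshold."""
    with tempfile.TemporaryDirectory() as tmp:
        build_fake_proc(tmp, SAMPLE_PROCS)
        return find_oom_immune(tmp, threshold)


if __name__ == "__main__":
    # On a real device run find_oom_immune() with the default proc_root instead.
    for pid, comm, adj in scan_sample():
        print(f"pid={pid:<6} oom_score_adj={adj:<6} comm={comm}")
```

On an Android box the same scan runs from `adb shell` with a Python-less one-liner over `/proc/*/oom_score_adj`, but the point is the triage rule: anything user-installed sitting at -1000 alongside the system's own protected daemons deserves a look at its binary and its parent.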

More seriously though, this is one of the symptoms of the fallout from the residential proxy + ADB vulnerability discovered by @synthient at the end of last year.

Several botnets are now competing for access and persistence on this vast pool of proxy exit nodes. This is just one of them (not the biggest).