On November 21, 2019, researchers at 360NetLab obtained a sample of the largest botnet observed to date. It got the name Pink because many of its function names start with the word "pink". At its peak, PinkBot controlled over 1.6 million devices, most of them (96%) located in China. It has a very robust architecture and mainly targets MIPS-based fiber routers. The botnet uses a mixture of third-party services, P2P and central C2 servers to communicate with and control its bots. Because every C2 communication is verified before a bot acts on it, the botnet's nodes cannot easily be disconnected or taken over.
The biggest botnet could gain control of over 1.6 million devices
On November 30, 2019, an unnamed security partner informed 360NetLab that it had observed 1,962,308 unique daily active IPs from this botnet attacking it. 360NetLab's own measurement put the number at 1.65 million. The infections were concentrated in China (96%), spread across 33 provinces. The affected carriers include China Telecom (>15%) and China Unicom (>80%).
Measured across several dimensions, such as NetFlow data, active probing and real-time monitoring, the number of bot IP addresses associated with this botnet exceeds 5 million. Because home broadband IPs are dynamically assigned, the exact number of infected devices behind them cannot be calculated precisely, but it is assumed to be in the millions.
“One of the main bases of the measurement is that the number of IPs connected to C2 in one minute was well over one million,” according to a report by National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC).
PinkBot's traces on GitHub
Researchers traced PinkBot back to October 16, 2018. At that time its operators used the GitHub account pink78day, which has since been closed. The account currently in use, mypolo111, was created in late November 2019. The bots do not carry the account name hard-coded; they derive it from the transaction records of a BTC wallet, so the operator can switch to a new GitHub account at any moment simply by adding a new transaction to that wallet. Blocking the account alone therefore does not help; disrupting PinkBot means going after the BTC wallet lookup itself. The attacker also used a Chinese website as a second distribution channel, with logic similar to the GitHub project.
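The wallet-to-account indirection described above, modelled as an added example. This is not PinkBot's code or 360NetLab's analysis: the page does not say how Pink encodes the account name in a transaction, so the `gh:<name>` OP_RETURN payload, the wallet address, the transaction IDs, the GitHub stand-in and the C2 addresses below are all constructed assumptions; only the two account names come from the article. The block shows why banning the account fails and what a defender can read instead.

```python
"""Blockchain dead drop as used by PinkBot (modelled, not the real code).

The bot never stores the GitHub account name; it stores only a BTC wallet
address, reads that wallet's transaction history, and takes the account
name from the newest transaction. Everything here is constructed for
illustration: the wallet address, the 'gh:<name>' OP_RETURN encoding, the
GitHub stand-in and the C2 addresses are assumptions of this example.
"""
import json
from dataclasses import dataclass
from typing import Iterable, Optional

WALLET = "1PinkWalletExampleXXXXXXXXXXXXXXXX"  # hypothetical hard-coded address


@dataclass(frozen=True)
class Tx:
    txid: str
    block_height: int
    op_return: bytes  # OP_RETURN payload of the transaction (assumed encoding)


# Constructed history: the first dead drop points at pink78day.
TX_HISTORY = [
    Tx("aa11", 546_000, b"gh:pink78day"),
]

# Constructed stand-in for GitHub: account name -> raw config file contents.
FAKE_GITHUB = {
    "pink78day": json.dumps({"ver": 1, "c2": ["203.0.113.10:1337"]}),
    "mypolo111": json.dumps({"ver": 2, "c2": ["198.51.100.7:1337"]}),
}


def resolve_account(txs: Iterable[Tx]) -> Optional[str]:
    """Return the GitHub account named by the newest tagged transaction."""
    tagged = [t for t in txs if t.op_return.startswith(b"gh:")]
    if not tagged:
        return None
    newest = max(tagged, key=lambda t: t.block_height)
    return newest.op_return[3:].decode("ascii")


def bot_update(txs, github, blocked=frozenset()):
    """One bot update cycle: wallet -> account -> config.

    Returns the parsed config, or None if the resolved account is blocked
    or does not exist (the bot would then retry later).
    """
    account = resolve_account(txs)
    if account is None or account in blocked or account not in github:
        return None
    return json.loads(github[account])


def wallet_watch(txs, known):
    """Defender side: accounts the wallet points at that are not yet known.

    The ledger is public, so defenders can read the same pointer the bots
    read and pick up a new account as soon as the operator publishes it.
    """
    seen = {t.op_return[3:].decode("ascii")
            for t in txs if t.op_return.startswith(b"gh:")}
    return sorted(seen - set(known))


def takedown_scenario():
    """Walk through the article's point: blocking the account alone fails."""
    blocked = {"pink78day"}
    history = list(TX_HISTORY)
    step1 = bot_update(history, FAKE_GITHUB, blocked)   # None: bots cut off
    # Operator reacts with a single new transaction; no bot needs patching.
    history.append(Tx("bb22", 604_000, b"gh:mypolo111"))
    step2 = bot_update(history, FAKE_GITHUB, blocked)   # bots follow mypolo111
    newly_seen = wallet_watch(history, blocked)          # defender sees it too
    return step1, step2, newly_seen


if __name__ == "__main__":
    print(takedown_scenario())
```

The practical chokepoint is the lookup itself: bots need some service to answer "what are this wallet's transactions", and that query (or the blockchain-explorer API behind it) is what a network defender can block or monitor, while the wallet address is a stable indicator to watch for new pointers.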
A botnet (short for "robot network") is a network of malware-infected computers that a single party can control remotely. Each individual machine under that control is called a bot. An attacker can command the bots to perform various criminal actions, typically DDoS attacks, targeted intrusions, email spam and financial fraud. Operators can also rent out access to parts of their botnet on the black market.