Botnets built from thousands of infected routers are hard to dismantle, but there is an effective method for fighting them.



New persistent botnet KadNap discovered

*Researchers from Black Lotus Labs (Lumen) identified a malicious network that continues to operate despite attempts to remove it.*

What was found
- The KadNap botnet has infected about 14,000 routers and other networking devices, most of them manufactured by Asus.

- The malware spreads by exploiting vulnerabilities that the equipment owners have not patched.
Most infected devices are Asus models because the attackers have a reliable exploit for that product line.

Threat assessment
- The researchers consider it unlikely that zero‑day exploits (previously unknown vulnerabilities) are in use; the infections are consistent with known flaws that remain unpatched on the affected devices.

- In August last year, 10,000 devices were already infected, most located in the United States. Several hundred cases have also been detected in Taiwan, Hong Kong, and Russia.

How it works
KadNap uses a Kademlia peer‑to‑peer architecture: a distributed hash table in which every infected device acts as both client and relay, so there is no fixed command‑and‑control server whose IP address could be identified and blocked. Commands are published into the hash table and located by the bots through XOR‑distance lookups across their peers. This makes the botnet difficult to map and almost immune to traditional takedown methods that rely on cutting off a central C2 address.

> “The botnet stands out because instead of anonymous proxies it uses a decentralized peer network,” note Chris Formosa and Steve Rudd of Black Lotus Labs in the Lumen blog.
> “The attackers’ intention is to avoid detection and complicate the work of information security specialists.”
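To make the Kademlia point above concrete, here is an added toy example. It is my own illustration, not KadNap's code and not anything published by Black Lotus Labs; the 10.0.x.x peer addresses, the "tasking/v1" rendezvous key, the full-introduction bootstrap and the K/ALPHA parameters are all constructed assumptions. It shows why a botnet built on XOR routing has no single C2 address to block: a task is stored on the K peers closest to a key, any bot can find it by iterative lookup, and taking down the one peer that answered changes nothing for the next bot.

```python
# Added toy Kademlia DHT (not KadNap's code); addresses and keys are constructed.
import hashlib

ID_BITS = 160  # Kademlia node IDs are 160 bits wide (SHA-1)
K = 8          # bucket size and replication factor (the paper uses 20)
ALPHA = 3      # peers queried per lookup round


def node_id(addr: str) -> int:
    """Map a peer address to a 160-bit ID (constructed scheme for the demo)."""
    return int.from_bytes(hashlib.sha1(addr.encode()).digest(), "big")


class Node:
    """One peer: a k-bucket routing table plus a local key/value store."""

    def __init__(self, addr: str):
        self.addr = addr
        self.id = node_id(addr)
        # bucket i holds peers whose XOR distance from us lies in [2**i, 2**(i+1))
        self.buckets = [[] for _ in range(ID_BITS)]
        self.store = {}
        self.alive = True

    def add_peer(self, peer: "Node") -> None:
        if peer is self:
            return
        bucket = self.buckets[(self.id ^ peer.id).bit_length() - 1]
        if peer not in bucket and len(bucket) < K:
            bucket.append(peer)

    def find_node(self, target: int) -> list:
        """FIND_NODE RPC: the K known peers closest to target by XOR distance."""
        known = [p for bucket in self.buckets for p in bucket]
        return sorted(known, key=lambda p: p.id ^ target)[:K]


def lookup(start: Node, target: int) -> list:
    """Iterative lookup: converge on the K live peers closest to target."""
    shortlist = {p.id: p for p in start.find_node(target)}
    queried = set()
    while True:
        closest = sorted(shortlist.values(), key=lambda p: p.id ^ target)[:K]
        batch = [p for p in closest if p.id not in queried][:ALPHA]
        if not batch:            # the K closest have all answered: converged
            return closest
        for peer in batch:
            queried.add(peer.id)
            if not peer.alive:   # an unreachable peer simply drops out of the path
                del shortlist[peer.id]
                continue
            for found in peer.find_node(target):
                if found.id not in queried:
                    shortlist.setdefault(found.id, found)
                start.add_peer(found)  # routing tables refresh from lookup traffic


def publish(start: Node, key: int, value: str) -> list:
    """STORE: place value on the K live peers closest to key (operator side)."""
    holders = lookup(start, key)
    for holder in holders:
        holder.store[key] = value
    return holders


def fetch(start: Node, key: int):
    """FIND_VALUE: ask the closest live peers; return (value, serving peer) or (None, None)."""
    for peer in lookup(start, key):
        if key in peer.store:
            return peer.store[key], peer
    return None, None


def build_network(n: int) -> list:
    """Constructed network of n peers that have all introduced themselves to each other."""
    nodes = [Node(f"10.0.{i // 256}.{i % 256}") for i in range(n)]
    for node in nodes:
        for peer in nodes:
            node.add_peer(peer)
    return nodes


def demo() -> dict:
    """Publish a task, fetch it from a bot, kill the serving peer, fetch again."""
    net = build_network(40)
    task_key = node_id("tasking/v1")  # constructed rendezvous key
    holders = publish(net[0], task_key, "update-config")
    first, served_by = fetch(net[17], task_key)
    served_by.alive = False           # take down the one peer that answered
    second, served_by_after = fetch(net[33], task_key)
    return {"holders": len(holders), "first": first, "second": second,
            "same_peer": served_by is served_by_after}


if __name__ == "__main__":
    print(demo())
```

The second fetch succeeds from a different peer because the task was replicated to K holders and the dead one is simply skipped during the lookup. That is the property a defender is up against: blocking any individual node's address does not sever the bots from their tasking, which is why the response described in the article targets the traffic between the command infrastructure and the rest of the peers rather than a single server.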

How they respond
- Despite the botnet’s resilience to conventional blocking, Black Lotus Labs has developed a way to sever all network traffic between the botnet’s command infrastructure and the other nodes.

- The team publishes indicators of compromise (IoCs) openly so that other organizations can block KadNap traffic quickly.

In short, KadNap is a sophisticated, decentralized botnet that exploits unpatched Asus vulnerabilities and uses a peer network to conceal its control channel. Lumen’s specialists have nevertheless found a way to halt its spread and have provided indicators that let other networks defend against further infection; owners of the affected devices should still apply the available firmware updates, since the infections rely on vulnerabilities that have not been patched.
