KadNap Botnet Infects 14,000 Routers Using Kademlia P2P

By alex2404

A botnet operator needs somewhere to hide. KadNap found a way to hide in plain sight — inside 14,000 routers running live on the internet every day.

Researchers at Lumen’s Black Lotus Labs discovered the botnet last August, when the daily count of infected devices sat at roughly 10,000. That number has since climbed. The network now averages 14,000 compromised devices per day, the majority of them routers made by Asus. Researcher Chris Formosa told a technology publication that the concentration of Asus hardware likely reflects the operators obtaining a reliable exploit for vulnerabilities specific to those models — not zero-days, according to the announcement, but unpatched flaws that owners simply never fixed.

Most of the infected devices sit inside the United States, with smaller clusters in Taiwan, Hong Kong, and Russia.

Why This Botnet Is Hard to Kill

What separates KadNap from other botnets is its architecture. Most proxy botnets rely on centralized command-and-control servers — take down the server, disrupt the network. KadNap uses a peer-to-peer design built on Kademlia, a distributed hash table structure more commonly associated with BitTorrent and the Inter-Planetary File System. There is no single server to seize.

Instead of IP addresses, the network uses 160-bit hashed keys and node IDs. When a compromised device needs instructions, it queries neighboring nodes using XOR distance — a mathematical proximity measure — working closer and closer until it finds a node that recognizes its passphrase. That node then delivers two things: a command to block port 22, and the address of the actual command-and-control server.

Formosa described the process directly: “You first reach out to some entry bittorrent nodes and basically say ‘hey I have this secret passphrase. I’m looking for who to give it to.’ So you give it to a couple of nearby neighbors and they say ‘ah ok I don’t fully understand this passphrase but it’s kind of familiar and here are some people who may know what that means.’” The chain continues until a node responds: “Yes! This is my passphrase, welcome in.”

The design means the only theoretical path to full takedown is severing every connected node simultaneously. As long as one node remains, the network can route around the gap.
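To make the XOR-distance lookup described above concrete, here is an added illustration (not code from the article, Black Lotus Labs, or the botnet): a small simulated Kademlia overlay with 160-bit SHA-1 IDs, per-node k-bucket routing tables, and an iterative lookup that hops strictly closer to a key until it reaches the node nearest to it. The node labels, the 64-node size and the lookup key are constructed for the demo.

```python
import hashlib

ID_BITS = 160  # Kademlia node IDs and keys are 160-bit, as the article notes

def node_id(label: str) -> int:
    """Derive a 160-bit ID from a label with SHA-1 (constructed scheme for this demo)."""
    return int.from_bytes(hashlib.sha1(label.encode()).digest(), "big")

def xor_distance(a: int, b: int) -> int:
    """Kademlia's distance metric: the XOR of two IDs, compared as an integer."""
    return a ^ b

def build_overlay(ids, k=2):
    """Give every node a Kademlia-style routing table: one 'k-bucket' per bit position
    at which another node's ID first differs from its own, holding up to k such peers.
    Constructed overlay, not the botnet's real one."""
    tables = {}
    for nid in ids:
        buckets = {}
        for other in ids:
            if other != nid:
                # highest differing bit = which k-bucket 'other' falls into for 'nid'
                buckets.setdefault((nid ^ other).bit_length() - 1, []).append(other)
        tables[nid] = [peer for bucket in buckets.values() for peer in bucket[:k]]
    return tables

def iterative_lookup(tables, start, target, alpha=3):
    """Iterative lookup: each round asks the alpha closest not-yet-queried peers which
    nodes they know, stopping once the closest node found has itself been queried
    (its table then holds nothing nearer). Returns (closest node ID, rounds used)."""
    queried, candidates, best, rounds = set(), {start}, start, 0
    while best not in queried:
        unqueried = [c for c in candidates if c not in queried]
        batch = sorted(unqueried, key=lambda c: xor_distance(c, target))[:alpha]
        rounds += 1
        for peer in batch:
            queried.add(peer)
            for known in tables[peer]:  # the peer's reply: 'here are nodes nearer to that key'
                candidates.add(known)
                if xor_distance(known, target) < xor_distance(best, target):
                    best = known
    return best, rounds

if __name__ == "__main__":
    ids = [node_id(f"node-{i}") for i in range(64)]   # constructed 64-node overlay
    tables = build_overlay(ids)
    key = node_id("constructed-passphrase")            # the key a joining device asks about
    best, rounds = iterative_lookup(tables, ids[0], key)
    print(f"closest node to key after {rounds} rounds: {best:040x}")
```

Every node only ever answers with peers from its own table, which is why removing any one of them leaves the remaining nodes able to complete the same lookup.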

What the Network Actually Does

Infected routers are conscripted into Doppelganger, a fee-based proxy service that tunnels paying customers’ internet traffic through the residential connections of people who have no idea their hardware is involved. The service provides cover for cybercrime by making malicious traffic appear to originate from ordinary home broadband addresses.

Despite the architecture’s resistance to conventional takedown methods, Black Lotus Labs says it has developed a way to block all traffic flowing to or from the botnet’s control infrastructure. The lab is distributing indicators of compromise to public feeds so other defenders can cut off access at their own networks.

Researchers Formosa and colleague Steve Rudd wrote that the operators’ intent is explicit: “avoid detection and make it difficult for defenders to protect against.” The patch that would have kept most of these routers clean was available. The owners never applied it.


This article is a curated summary based on third-party sources.
