Roboto – Not Just A Styx Song

Roboto. It’s a newly discovered botnet discovered by Netlab. (You can view the details of the code and botnet here.)

Roboto is currently targeting Linux servers that are running vulnerable Webmin apps. It first appeared this summer and can be connected to a slew of servers that were disclosed to have major security flaws. This basically created a perfect weapon for a botnet, one that merely needed to be loaded. 

The team at Webmin disclosed the security flaw in August. Webmin is a web based management app for Linux systems. They patched the software, but not before attackers ran malicious code using root privileges. They were able to take over older Webmin versions.

Almost immediately after the flaw was disclosed the attacks began. This reminds us of how disclosing ways to tell if something is a deepfake only helps further sophisticate deepfake tools. When you disclose a security flaw, you are notifying not only those that are insecure, but those that might take advantage of that insecurity.

Roboto has continued to target this vulnerability for over three months now. The focus appears to be one of expansion. As Roboto grows, it is also growing in complexity. 

Roboto, once installed on a hacked Linux system, has the ability to:
(Source: ZDNet)

  • Function as a reverse shell and let the attacker run shell commands on the infected host
  • Collect system, process, and network info from the infected server
  • Upload collected data to a remote server
  • Run Linux system() commands
  • Execute a file downloaded from a remote URL
  • Uninstall itself


Those issue are common in many attacks. What makes Roboto unique is its internal structure. See below image.



There is no centralized control center for Roboto, making it, as it grows, extremely hard to shut down. This could make it extremely dangerous as it grows. And it is growing as much as 95,000 bots a day.

Get secure and get that patch in!