This hacker operated a massive IoT botnet for 8 years just to download Anime movies


Hacker named Cereals operated a massive 10,000 Internet of Things botnet just to download Anime videos

A hacker named Cereals operated a massive botnet of 10000 hacked Internet of Things devices for nearly eight years before being caught by security researchers. First spotted in 2012, Cereals hijacked into D-Link NVRs (network video recorders) and NAS (network-attached storage) devices and turned them into a botnet that had the sole purpose of connecting to online websites and download anime videos.

Cereals botnet reached its peak in 2015 when it amassed more than 10,000 bots. Despite of being spotted in 2012, Cereals remained out of the purview of authorities and security researchers because he was silent and used the botnet only to connect to Anime websites for downloading their videos.

How did Cereals hack D-Link NVRs and NAS devices?

According to a report published by Forcepoint, the Cereals botnet was unique in its modus operandi because it exploited just one vulnerability (only in D-Link NVRs and NAS devices) during all its eight-year life. Cereals exploited a zero-day in D-Link’s SMS notification feature for updating D-Link firmware on NVRs and NAS. The zero-day allowed wannabe hackers to exploit the flaw to gain full control of the device. In particular, an undocumented functionality granted the privilege to execute arbitrary commands, displaying their output in the generated HTML page.

Cereals send a malformed HTTP request to a vulnerable device’s built-in server and execute commands with root privileges fully exploiting the zero-day. According to Forcepoint, Cereals scanned the Internet for vulnerable D-Link devices and then sent the malware which forced them to visit Anime websites and download videos.

Cereals’ malware was quite complex despite exploiting just one vulnerability. The Cereals botnet maintained as many as four backdoor mechanisms to access infected devices. This way it was not only prepared to take advantage when and if D-Link patched one backdoor but it also attempted to patch systems to prevent other attackers from hijacking the systems Cereals had hacked. Cereals botnet¬†managed infected bots across twelve smaller subnets.

What happened to Cereals Botnet?

According to Forcepoint, Cereals botnet is dying a natural death. The primary reason for its death is that the vulnerable D-Link devices on which it fed all these years are no longer in use. Cereals botnet’s demise was further accelerated when a ransomware strain named Cr1ptT0r wiped the Cereals malware from many D-Link systems in the winter of 2019.

As of today, only a few of the Cereals botnets exist. Forcepoint says that the D-Link NVRs and NAS devices in existence are still vulnerable to the same flaw that Cereals exploited.

Cereal’s botnet – An Anime hobby

Forcepoint pointed out that during its lifetime of eight years, Cereals botnet never ventured into anything malicious other than visiting anime websites and downloading videos. The botnet seems to the creation of a German individual named Stefan who most likely was an Anime fan and had created the botnet as a hobby.

Stefan never used the Cereals botnet to execute DDoS attacks nor did he steal the data stored on the hacked D-Link NAS and NVR devices.


About Author

"The Internet is the first thing that humanity has built that humanity doesn't understand, the largest experiment in anarchy that we have ever had." Eric Schmidt

Notify of
Inline Feedbacks
View all comments