{
	"id": "496fc1fc-db31-4e1b-82a3-376ef1ed785d",
	"created_at": "2026-04-06T00:21:59.749054Z",
	"updated_at": "2026-04-10T13:11:23.691968Z",
	"deleted_at": null,
	"sha1_hash": "a71fb15447f09a83396d2ca63c1f46ebc39529e7",
	"title": "Fbot is now riding the traffic and transportation smart devices",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 937824,
	"plain_text": "Fbot is now riding the traffic and transportation smart devices\r\nBy Genshen Ye\r\nPublished: 2021-03-03 · Archived: 2026-04-05 17:37:18 UTC\r\nBackground\r\nFbot, a botnet based on Mirai, has been very active ever since we first blogged about it here[1][2]. We have seen this botnet using multiple 0-days before (some of them we have not disclosed yet), and it has been targeting various IoT devices. Now it is aiming at a new category: traffic and transportation smart devices.\r\nOn February 20, 2021, the 360Netlab Threat Detection System captured attackers using a remote command execution vulnerability (CVE-2020-9020)[3][4] in the Vantage Velocity product from Iteris to spread Fbot botnet samples.\r\nAccording to Wikipedia[5], Iteris, Inc. provides intelligent mobile infrastructure management services and produces sensors and other devices that record and predict traffic conditions.\r\nBased on the AirLink GX450 Mobile Gateway product information found on the affected devices, we speculate that the affected devices are roadside monitoring devices.\r\nCVE-2020-9020 Vulnerability Analysis\r\nThrough the 360 FirmwareTotal system, we verified and analyzed the CVE-2020-9020 vulnerability; here is a brief summary.\r\n1. The Vantage Velocity product synchronizes with an NTP server, and the user can set the NTP server address.\r\n2. The timeconfig.py script does not filter the htmlNtpServer variable after accepting a user Web request, i.e., it is spliced into the shell variable format \"ntpserver=\" + form[\"htmlNtpServer\"].value.strip() and written to the /root/timeparam file.\r\n3. The command execution vulnerability is triggered when the timeconfig.py script calls the shell script /root/ntpconfig, which reads the /root/timeparam file to initialize the variable ntpserver.\r\nVulnerability impact scope\r\nThe 360 Quake cyberspace mapping system found the specific distribution of Vantage Velocity devices by mapping assets across the network, as shown in the figure below.\r\nhttps://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/\r\nPage 1 of 8\n\nFbot botnet\r\nFbot is a botnet based on Mirai, with 2 main changes:\r\nEncryption algorithm\r\nRegistration packets, heartbeat packets\r\nThe basic information of this sample is shown below:\r\nMD5:deaee7ada44bf1c6af826d2d170c8698\r\nELF 32-bit LSB executable, ARM, version 1 (SYSV), statically linked, stripped\r\nPacker:None\r\nIt has no added features in itself; its main functions are\r\nDDoS attack\r\nTelnet scanning\r\nThe following section will briefly analyze the above functions.\r\nDDoS attack\r\nFirst, Fbot establishes a connection with the hardcoded C2 (198.23.238.203:5684) via the following code snippet.\r\nThen it sends a 78-byte long registration message to the C2.\r\nThe network traffic generated in practice is shown below.\r\nThe information in the registration packet is used to verify the legal identity of the bot, and the format of the registration packet is parsed as shown below.\r\nMain field parsing, others can be 0\r\n——————————————————————————————————————————\r\n02 ---\u003e type, register package\r\n00 42 00 33 00 63 01 c8 02 fc 00 49 ---\u003e hardcoded, authentication\r\n00 07 ---\u003e length of group string\r\n75 6e 6b 6e 6f 77 6e ---\u003e group string, \"unknown\"\r\n——————————————————————————————————————————\r\nAfter sending the registration packet, the bot starts to wait for the C2 to issue commands; the first byte of the command packet specifies the command type.\r\n0x00, heartbeat command code\r\nTake the following heartbeat as an example.\r\nThe format of the heartbeat packet is parsed as follows.\r\nMain field parsing, others can be 0\r\n——————————————————————————————————————————\r\n00 ---\u003e type, heartbeat package\r\n1b 37 03 f3 25 e3 19 40 1e 68 1a d2 ---\u003e hardcoded\r\n——————————————————————————————————————————\r\n0x01, DDoS attack command code\r\nTake the following attack instruction as an example.\r\nThe format of the attack packet is parsed as follows.\r\nMain field parsing, others can be 0\r\n——————————————————————————————————————————\r\n01 ---\u003e type, attack package\r\n01 ---\u003e attack type\r\n00 3c ---\u003e time (sec)\r\n01 ---\u003e number of targets\r\n67 5f dd bc 00 20 ---\u003e target/mask, 103.95.221.188/32\r\n02 ---\u003e number of flags\r\n02 ---\u003e flag type, attack package length\r\n00 04 ---\u003e flag length\r\n31 34 36 30 ---\u003e flag data, 1460\r\n01 ---\u003e flag type, port\r\n00 02 ---\u003e flag length\r\n35 33 ---\u003e flag data, 53\r\n——————————————————————————————————————————\r\n0x03, exit\r\nTelnet scan \u0026 propagation\r\nFbot uses SYN port detection in the propagation process to improve the efficiency of propagation.\r\nFrom the above code snippet, it can be seen that its scanning traffic has 2 characteristics:\r\n1. The number of scans of port 23 is about twice that of port 26\r\n2. The sequence number in the TCP header is equal to the target address in the IP header\r\nWhen a port is detected as open, login is attempted using a hard-coded credential list. Once successful, the IP, port, account, password, etc. are sent back to the Reporter (198.23.238.203:774) via the following code snippet.\r\nThe actual network traffic generated is shown in the following figure.\r\nFinally, the Fbot sample is implanted into the device either by network download (see below) or by ECHO, and the successful implantation information is sent back to the Reporter.\r\n1: Network download\r\nIf the device has wget or tftp, the Fbot sample for the device's CPU architecture is downloaded.\r\n2: ECHO\r\nIf the device does not have a network download tool, the Fbot downloader for the device's CPU architecture is uploaded to the device via ECHO to download the Fbot samples.\r\nThe information on the Fbot downloaders built into the sample is shown as follows.\r\nIn the above figure, the downloader with file offset 0x1D794 is used as an example.\r\nMD5:9b49507d1876c3a550f7b7a6e4ec696d\r\nELF 32-bit LSB executable, ARM, version 1 (ARM), statically linked, stripped\r\nPacker:None\r\nIts function is to request the Fbot sample from the download server (198.23.238.203:80) and execute it.\r\nSuggestions\r\nWe recommend that Vantage Velocity users check and update the firmware system in a timely manner.\r\nWe recommend that Vantage Velocity users set complex login passwords for management interfaces such as Web and SSH.\r\nWe recommend that readers monitor and block the relevant IPs and URLs mentioned in this blog.\r\nContact us\r\nReaders are always welcome to reach us on twitter, or email to netlab at 360 dot cn.\r\nIoC\r\nIP:\r\n198.23.238.203 United States ASN36352 AS-COLOCROSSING\r\nC2:\r\n198.23.238.203:5684\r\nURL:\r\nhttp://198.23.238.203/arm7\r\nMD5:\r\ndeaee7ada44bf1c6af826d2d170c8698\r\nSource: https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.netlab.360.com/fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en/"
	],
	"report_names": [
		"fbot-is-now-riding-the-traffic-and-transportation-smart-devices-en"
	],
	"threat_actors": [],
	"ts_created_at": 1775434919,
	"ts_updated_at": 1775826683,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a71fb15447f09a83396d2ca63c1f46ebc39529e7.pdf",
		"text": "https://archive.orkl.eu/a71fb15447f09a83396d2ca63c1f46ebc39529e7.txt",
		"img": "https://archive.orkl.eu/a71fb15447f09a83396d2ca63c1f46ebc39529e7.jpg"
	}
}