The C0XMO botnet variant, derived from the Gafgyt malware family, actively exploits vulnerabilities in DD-WRT router firmware to compromise networking equipment and establish persistent command-and-control connections. Security researchers tracking the threat observe that C0XMO has cross-architecture capabilities, allowing it to spread to devices built on different processor architectures, not only routers.
DD-WRT is open-source firmware commonly deployed on consumer and small business routers as an alternative to vendor-supplied operating systems. The botnet's ability to target this specific firmware suggests attackers identified unpatched security flaws in DD-WRT's codebase or authentication mechanisms. Once installed, C0XMO can execute distributed denial-of-service attacks, harvest bandwidth, or serve as an entry point for secondary malware deployment.
A notable characteristic of C0XMO involves its competitive behavior. The botnet actively terminates rival malware already resident on compromised devices, removing competing threats to consolidate control. This hostile takeover approach indicates operators prioritize exclusivity over coexistence, a behavior common in botnets competing for limited device resources.
The threat affects organizations and individuals running DD-WRT on routers without current security patches. Small businesses relying on DD-WRT for cost-effective network management face elevated risk, particularly if devices lack regular firmware updates or operate behind weak authentication. Compromised routers become vectors for man-in-the-middle attacks, credential theft, or network-wide infections.
Defense requires immediate action. Users must verify DD-WRT installations are running the latest available firmware version. Network administrators should enforce strong credentials for router access, implement network segmentation to limit botnet lateral movement, and monitor for unusual outbound traffic patterns. Gafgyt variants typically communicate with known command-and-control servers, making traffic analysis effective for detection.
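Traffic analysis as a concrete check, added here as an example and not part of the article: the script below scans flow records for connections that the DD-WRT router itself initiates, flagging destinations that appear on a command-and-control list or ports a router has no routine reason to contact. The router address, the C2 list, the expected-port set and the sample flows are all constructed placeholders, not real indicators.

```python
"""Flag router-initiated outbound flows that look like botnet C2 traffic.

Added example, not code from the article. Every address, port and log line
below is a constructed placeholder; feed real threat-intel into KNOWN_C2.
"""
from typing import Dict, List, Optional

ROUTER_IP = "192.0.2.1"                      # assumed DD-WRT address (constructed)
KNOWN_C2 = {"203.0.113.50", "198.51.100.77"} # placeholder C2 indicators (constructed)
EXPECTED_PORTS = {53, 123, 443}              # DNS, NTP, HTTPS update checks a router may start

# Constructed flow records in the form "src_ip src_port dst_ip dst_port proto".
SAMPLE_FLOWS = [
    "192.0.2.1 40211 203.0.113.50 23 tcp",     # router -> listed C2 host
    "192.0.2.1 51234 192.0.2.10 53 udp",       # router DNS lookup, benign
    "192.0.2.1 44100 198.51.100.77 6667 tcp",  # router -> listed C2 host
    "192.0.2.1 38000 203.0.113.9 23 tcp",      # router -> unknown host on an unexpected port
    "192.0.2.25 50000 203.0.113.50 443 tcp",   # LAN client, not the router; out of scope here
]

def parse_flow(line: str) -> Dict[str, object]:
    """Split one whitespace-separated flow record into typed fields."""
    src, sport, dst, dport, proto = line.split()
    return {"src": src, "sport": int(sport), "dst": dst,
            "dport": int(dport), "proto": proto}

def classify(flow: Dict[str, object]) -> Optional[str]:
    """Return a reason string when the flow is suspicious, otherwise None."""
    if flow["src"] != ROUTER_IP:
        return None                      # only router-originated traffic is checked
    if flow["dst"] in KNOWN_C2:
        return "known-c2"                # destination matches the indicator list
    if flow["dport"] not in EXPECTED_PORTS:
        return "unexpected-port"         # router talking to a service it should not need
    return None

def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Run classify() over every record and collect the suspicious ones."""
    hits = []
    for line in lines:
        flow = parse_flow(line)
        reason = classify(flow)
        if reason:
            hits.append({"dst": flow["dst"], "dport": flow["dport"], "reason": reason})
    return hits

if __name__ == "__main__":
    for hit in detect(SAMPLE_FLOWS):
        print(hit)
```

Flows from LAN clients are deliberately ignored so the check stays focused on the router acting as a client, which is the behaviour a compromised DD-WRT device exhibits.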
