New IoT Botnet Malware Discovered; Infecting More Devices Worldwide


The whole world is still dealing with the

Mirai IoT Botnet

that caused

vast internet outage

last Friday by launching massive distributed denial of service (DDoS) attacks against the DNS provider Dyn, and researchers have found another nasty IoT botnet.

Security researchers at MalwareMustDie have

discovered

a new malware family designed to turn Linux-based insecure

Internet of Things

(IoT) devices into a botnet to carry out massive DDoS attacks.

Dubbed

Linux/IRCTelnet

, the nasty malware is written in C++ and, just like

Mirai malware

, relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices.

The IRCTelnet malware works by brute-forcing a device's Telnet ports, infecting the device's operating system, and then adding it to a botnet network which is controlled through IRC (Internet Relay Chat) – an application layer protocol that enables communication in the form of text.

So, every infected bot (IoT device) connects to a malicious IRC channel and reads commands sent from a command-and-control server.

The concept of using IRC for managing the bots, according to the researchers, is borrowed from the Kaiten malware. The source code used to build the IRCTelnet botnet malware is based on the earlier Aidra botnet.

The malware uses the "leaked" vulnerable IoT device's login credential from the

Mirai botnet

in order to brute force exposed Telnet ports to the Internet.

The IRCTelnet malware infects insecure devices running a Linux Kernel version 2.6.32 or above and capable of launching DDoS attacks with spoofed IPv4 and IPv6 addresses, though the scanner is programmed only to find and brute-force Telnet via IPv4.

"The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too," the researchers note in a blog post.

While analyzing the malware's source code, researchers found hard-coded Italian language messages in the user's communication interface, which suggests that the author of the IRCTelnet malware could be Italian.

The security firm found around 3,400 bots infected by the IRCTelnet malware and said that this nasty malware is capable of raising almost 3,500 bot clients within only 5 days.

The initial scans that distributed the IRCTelnet malware came from IP addresses located in Turkey, Moldova, and the Philippines.

Building a legendary, massive botnet that leverages recently vulnerable threat landscape is inviting more incidents like the recent

DDoS attack against Dyn

that rendered major websites inaccessible, and

record-breaking DDoS attack

against French Internet service and hosting provider OVH.



from The Hacker News http://ift.tt/2fcyPOj