New IoT Botnet Malware Discovered; Infecting More Devices Worldwide
The whole world is still dealing with the Mirai IoT botnet that caused a vast internet outage last Friday by launching massive distributed denial of service (DDoS) attacks against the DNS provider Dyn, and researchers have found another nasty IoT botnet.
Security researchers at MalwareMustDie have discovered a new malware family designed to turn insecure Linux-based Internet of Things (IoT) devices into a botnet to carry out massive DDoS attacks.
Dubbed Linux/IRCTelnet, the nasty malware is written in C++ and, just like the Mirai malware, relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices.
The IRCTelnet malware works by brute-forcing a device's Telnet ports, infecting the device's operating system, and then adding it to a botnet network which is controlled through IRC (Internet Relay Chat) – an application layer protocol that enables communication in the form of text.
So, every infected bot (IoT device) connects to a malicious IRC channel and reads commands sent from a command-and-control server.
The concept of using IRC for managing the bots, according to the researchers, is borrowed from the Kaiten malware. The source code used to build the IRCTelnet botnet malware is based on the earlier Aidra botnet.
The malware uses the "leaked" list of vulnerable IoT device login credentials from the Mirai botnet to brute-force Telnet ports exposed to the Internet.
The IRCTelnet malware infects insecure devices running Linux kernel version 2.6.32 or above and is capable of launching DDoS attacks with spoofed IPv4 and IPv6 addresses, though the scanner is programmed only to find and brute-force Telnet over IPv4.
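The two behaviours described above, brute-forcing Telnet on a device and then having the bot join an IRC channel for commands, both leave traces in ordinary connection logs. The following detector is an added example written for this article, not code from MalwareMustDie or from the malware itself; the log format, the sample log lines, the addresses (documentation ranges), the internal network and the IRC port list are all assumptions chosen for illustration. It flags a source that fails Telnet logins to one host repeatedly inside a short window (and notes whether a success followed), and separately flags internal devices opening outbound IRC connections, which an IoT segment has no legitimate reason to do.

```python
"""Detect IRCTelnet-style activity in connection logs: inbound Telnet brute force
against devices and outbound IRC traffic from devices that should never speak IRC.
Hypothetical log format and constructed sample data; not the malware's own code."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed log lines (assumed format): "<iso-time> <src> -> <dst>:<dport> <outcome>".
# All addresses are placeholders from documentation ranges.
SAMPLE_LOG = """\
2016-10-30T10:00:01 198.51.100.7 -> 10.0.0.12:23 login-failed
2016-10-30T10:00:02 198.51.100.7 -> 10.0.0.12:23 login-failed
2016-10-30T10:00:03 198.51.100.7 -> 10.0.0.12:23 login-failed
2016-10-30T10:00:04 198.51.100.7 -> 10.0.0.12:23 login-failed
2016-10-30T10:00:05 198.51.100.7 -> 10.0.0.12:23 login-ok
2016-10-30T10:00:09 10.0.0.12 -> 203.0.113.9:6667 connected
2016-10-30T10:05:00 10.0.0.12 -> 203.0.113.9:6667 connected
2016-10-30T10:07:00 10.0.0.12 -> 93.184.216.34:443 connected
2016-10-30T11:00:00 203.0.113.50 -> 10.0.0.13:23 login-failed
"""

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed IoT segment
IRC_PORTS = {6667, 6697}  # plain and TLS IRC; the article names IRC as the C2 channel


def parse_log(text):
    """Turn log lines into dicts; skip blank or malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "->":
            continue
        ts, src, _, dst_port, outcome = parts
        dst, port = dst_port.rsplit(":", 1)
        events.append({
            "ts": datetime.fromisoformat(ts),
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "outcome": outcome,
        })
    return events


def telnet_bruteforce(events, threshold=4, window_s=60):
    """Flag a (src, dst) pair with >= threshold failed Telnet logins inside window_s
    seconds, and record whether a successful login followed (device likely taken)."""
    fails = defaultdict(list)
    success = set()
    for e in events:
        if e["port"] != 23:
            continue
        key = (e["src"], e["dst"])
        if e["outcome"] == "login-failed":
            fails[key].append(e["ts"])
        elif e["outcome"] == "login-ok":
            success.add(key)
    findings = []
    for (src, dst), times in fails.items():
        times.sort()
        lo = 0  # sliding window over the sorted failure timestamps
        for hi in range(len(times)):
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            if hi - lo + 1 >= threshold:
                findings.append({"src": str(src), "dst": str(dst),
                                 "failures": len(times),
                                 "compromised": (src, dst) in success})
                break
    return findings


def irc_c2_beacons(events, internal_net=INTERNAL_NET, irc_ports=IRC_PORTS):
    """Internal devices opening outbound IRC connections: this matches the
    bot-joins-an-IRC-channel behaviour and is worth an alert on an IoT segment."""
    seen = {}
    for e in events:
        if e["src"] in internal_net and e["port"] in irc_ports and e["dst"] not in internal_net:
            key = (str(e["src"]), str(e["dst"]), e["port"])
            seen[key] = seen.get(key, 0) + 1
    return [{"src": s, "dst": d, "port": p, "connections": n}
            for (s, d, p), n in sorted(seen.items())]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for f in telnet_bruteforce(evs):
        print("telnet brute force:", f)
    for b in irc_c2_beacons(evs):
        print("possible IRC C2:", b)
```

On the constructed data the brute-force detector reports the 198.51.100.7 scanner against 10.0.0.12 with a success following the failures, and the IRC detector reports that same device then connecting twice to an external host on port 6667; the single failure against 10.0.0.13 and the HTTPS connection stay below the thresholds. Real logs would need the parser adapted to the firewall or syslog format in use, and the IRC check should be paired with blocking Telnet from the Internet and changing default credentials, which is what the infection path relies on.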
"The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too," the researchers note in a blog post.
While analyzing the malware's source code, researchers found hard-coded Italian language messages in the user's communication interface, which suggests that the author of the IRCTelnet malware could be Italian.
The security firm found around 3,400 bots infected by the IRCTelnet malware and said that this nasty malware is capable of raising almost 3,500 bot clients within only 5 days.
The initial scans that distributed the IRCTelnet malware came from IP addresses located in Turkey, Moldova, and the Philippines.
Building another massive botnet on the same pool of vulnerable devices invites more incidents like the recent DDoS attack against Dyn that rendered major websites inaccessible, and the record-breaking DDoS attack against French Internet service and hosting provider OVH.
from The Hacker News http://ift.tt/2fcyPOj