A new malware family targeting Internet of Things (IoT) devices to ensnare them into distributed denial of service (DDoS) botnets has emerged.
Dubbed Linux/IRCTelnet (New Aidra), the new botnet is built on the core code of Aidra, a previously known IoT malware family designed to launch DDoS attacks. What’s more, the threat shows some similarities with Tsunami/Kaiten (uses the same IRC protocol), with BASHLITE (IRCTelnet uses the same telnet scanner and infection’s injection code as this malware), and with Mirai (uses its leaked credential list).
Targeting routers and modems, the newly spotted malware features encoded command and control (C&C) information, as well as hardcoded Italian language messages in the communication interface, a security researcher going by the name of unixfreaxjp explains. The new botnet can launch DDoS attacks using UDP floods and TCP floods, along with other techniques, and uses both IPv4 and IPv6 protocols.
The security researcher notes that the new piece of malware was observed infecting almost 3,500 hosts within only 5 days after it has been first detected. The malware uses telnet scans and brute force attacks for infection and the first infection campaign was observed on October 25.
After brute-forcing the vulnerable systems, the attacker executes a series of commands, including one to download and install malware, followed by another one to stop the firewall, after which the session is closed. All of these commands are executed in less than a second (the malware download process isn’t counted), the security researcher says.
The threat was observed killing previously running instances of itself and removing previous binaries, if any, as well as downloading the latest available version. The malware’s attack possibilities are limited to already infected devices, because the loader script is actually written in the malware itself, the security researcher explains (the attacker, however, can execute a similar script from their own environment).
The malware is believed to target devices running operating systems that are compatible with Linux kernel 2.6.x (2.6.32 or above). The attack chain, the researcher says, includes checking fork and PID beforehand, getting the uname data of the compromised system, loading the encoded C&C data and decoding it, sending a request to C&C to get GeoIP, reversing the GeoIP strings for BotID, connecting to IRC C&C server using “d3x” if uname isn’t available, starting the IRC connection, and listening for commands.
The malware’s code doesn’t show persistence efforts, but that doesn’t come as a surprise, given that it targets IoT devices, the security researcher says. However, the code does show the hardcoded username and password combinations.
The malware communicates with the C&C server using the IRC protocol, and a series of server-to-client commands is used to trigger malicious functions. The researcher found that around 3,400 users were connected via IRC, suggesting that this would be the number of infected clients so far, but also says that intense scanning for vulnerable devices was observed.
Because of the Italian messages spotted in the botnet’s communication patterns, the security researcher says that the actor behind this piece of malware might be an Italian speaker. In fact, the researcher suggests that the actor might be “a known Italian hacker under handle: d3m0n3 or eVil (d4rk3v1l).”
The botnet shows a variety of DDoS capabilities using both IPv4 and IPv6 packets, based on the attack generator functions sendV4() and sendV6() found in the code. However, because the threat doesn’t pack a persistence mechanism or rootkit, the infection can be easily removed by restarting the device. However, users should also secure the telnet in addition to rebooting the device, otherwise the infection will reoccur.
Related: DDoS Attacks Are Primary Purpose of IoT Malware