Somebody is building a botnet by infecting Linux servers and Linux-based IoT devices with a new malware strain named Rakos.
First detected online over the summer, this new malware strain is harmless, at least in its current variant.
Currently, the Rakos malware is used to carry out dictionary (brute-force) attacks against other devices, infecting victims with the Rakos strain, adding devices to a botnet, and using the newly acquired bots to find and brute-force other targets.
While no malicious activity has been detected originating from devices controlled by the Rakos malware, such as DDoS attacks and spam proxy traffic, this may still occur in the near future.
First signs of Rakos infections detected in August 2016
According to ESET researchers Peter Kálnai and Michal Malik, owners of IoT devices and Linux servers have been reporting infections with the Rakos malware since August this year.
Based on reports from infected users and analysis of the different Rakos strains discovered over time, the malware usually creates a folder named ".javaxxx", ".swap", or "kworker" from where it operates.
Currently, the malware can perform only a few operations. First and foremost, after infecting a device, it establishes a connection to its command and control server, requesting a configuration file.
This file contains the config version number, backup C&C servers, and a list of username and password combinations.
Rakos currently used to brute-force other devices via SSH
Rakos asks the C&C server for an IP address and attempts to log in on that IP address via its SSH port using one of these user-pass combinations.
The Mirai malware works much the same way but targets Telnet ports instead of SSH (side note: some recent Mirai variants also target SSH).
If the SSH brute-force attack is successful, Rakos downloads its binary to the new host, and downloads and starts a local web server on port 61314. This server is used for the self-update and self-upgrade system.
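The infection chain above leaves a few host-side artefacts a defender can look for: the working folders the article names (".javaxxx", ".swap", "kworker"), a listener on TCP port 61314 for the update server, and a burst of failed SSH password logins from one source followed by a success. The script below is an added example, not code from the article or from ESET; it runs the three checks over constructed sample input (hypothetical host "iot1", RFC 5737 documentation addresses), assumes standard syslog-style sshd messages and `ss -lnt` output, and would need its regexes adjusted for other log formats.

```python
"""Host-side triage for the Rakos indicators described in the article.

Added example (not code from the article or from ESET): it checks three
observable artefacts on a Linux host -- the working-folder names the
article lists (.javaxxx, .swap, kworker), a listener on TCP port 61314,
and bursts of failed SSH password logins in an sshd log -- using
constructed sample input so it runs offline.
"""
import re
from collections import defaultdict

RAKOS_DIR_NAMES = {".javaxxx", ".swap", "kworker"}   # folder names from the article
RAKOS_UPDATE_PORT = 61314                            # self-update web server port

# Constructed sample data: hypothetical host "iot1", RFC 5737 documentation addresses.
SAMPLE_PATHS = ["/tmp/.javaxxx", "/home/pi/.cache", "/var/tmp/kworker", "/tmp/.swap/"]
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      128    0.0.0.0:61314       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""
SAMPLE_AUTH_LOG = """\
Dec 20 10:01:02 iot1 sshd[1201]: Failed password for root from 203.0.113.7 port 51230 ssh2
Dec 20 10:01:03 iot1 sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 51231 ssh2
Dec 20 10:01:04 iot1 sshd[1203]: Failed password for pi from 203.0.113.7 port 51232 ssh2
Dec 20 10:01:05 iot1 sshd[1204]: Failed password for invalid user ubuntu from 203.0.113.7 port 51233 ssh2
Dec 20 10:01:06 iot1 sshd[1205]: Failed password for root from 203.0.113.7 port 51234 ssh2
Dec 20 10:01:07 iot1 sshd[1206]: Failed password for pi from 203.0.113.7 port 51235 ssh2
Dec 20 10:01:09 iot1 sshd[1207]: Accepted password for pi from 203.0.113.7 port 51236 ssh2
Dec 20 10:05:00 iot1 sshd[1300]: Failed password for root from 198.51.100.9 port 40001 ssh2
Dec 20 10:05:01 iot1 sshd[1301]: Failed password for root from 198.51.100.9 port 40002 ssh2
Dec 20 10:30:00 iot1 sshd[1400]: Accepted password for pi from 192.0.2.5 port 33000 ssh2
"""


def suspicious_dirs(paths):
    """Paths whose last component is one of the Rakos working-folder names."""
    return [p for p in paths if p.rstrip("/").rsplit("/", 1)[-1] in RAKOS_DIR_NAMES]


# Matches `ss -lnt` rows (optionally with a leading "tcp" Netid column).
_SS_RE = re.compile(r"^(?:tcp\s+)?LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def listeners_on_update_port(ss_output, port=RAKOS_UPDATE_PORT):
    """Local addresses from `ss -lnt` output that are listening on the given port."""
    hits = []
    for line in ss_output.splitlines():
        m = _SS_RE.match(line.strip())
        if m and int(m.group(2)) == port:
            hits.append(m.group(1))
    return hits


# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." sshd messages.
_SSHD_RE = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port"
)


def ssh_bruteforce_sources(log_text, threshold=5):
    """Source addresses with at least `threshold` failed password logins.

    For each flagged source the result records the failure count, the
    distinct usernames tried (sorted) and any accounts later accepted from
    the same source, which is the footprint of a successful dictionary attack.
    """
    failed = defaultdict(int)
    users = defaultdict(set)
    accepted_after = defaultdict(list)
    for line in log_text.splitlines():
        m = _SSHD_RE.search(line)
        if not m:
            continue
        outcome, user, src = m.groups()
        if outcome == "Failed":
            failed[src] += 1
            users[src].add(user)
        elif failed.get(src) and user not in accepted_after[src]:
            accepted_after[src].append(user)
    return {
        src: {"failed": n, "users": sorted(users[src]),
              "accepted_after_failures": accepted_after[src]}
        for src, n in failed.items() if n >= threshold
    }


def triage(paths, ss_output, log_text):
    """Combine the three checks into one report dict."""
    return {
        "rakos_dirs": suspicious_dirs(paths),
        "update_port_listeners": listeners_on_update_port(ss_output),
        "ssh_bruteforce": ssh_bruteforce_sources(log_text),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_PATHS, SAMPLE_SS, SAMPLE_AUTH_LOG).items():
        print(f"{key}: {value}")
```

On a real host the three inputs would come from a filesystem walk, `ss -lnt`, and the distribution's sshd log (`/var/log/auth.log` or `journalctl -u ssh`); the folder names and port are weak indicators on their own, so the combination, and especially a success following a run of failures, is what should trigger a closer look.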
Read more: Mysterious Rakos Botnet Rises in the Shadows by Targeting Linux Servers, IoT Devices