Security News Problems Reappear for IoT Devices Owners with Discovery of New DDoS Trojan

Solarquest

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
Problems Reappear for IoT Devices Owners with Discovery of New DDoS Trojan
Security researcher discovers IRCTelnet malware


A new malware family, written by what appears to be an experienced coder, targets Linux-based IoT devices with the main purpose of adding them to a botnet and carrying out DDoS attacks.

Discovered by security researcher MalwareMustDie (please check the post below before opening this link), this new malware family is named Linux/IRCTelnet and is written in C++.

The researcher says the malware works by infecting Linux-based devices that expose Telnet ports to the Internet and use weak passwords.

IRCTelnet borrows from other IoT malware
IRCTelnet scans for devices with Telnet exposed, brute-forces the login with a list of default credentials, infects the device's OS, and adds it to a botnet controlled through IRC. This means that every infected bot connects to an IRC channel and reads commands posted in the main chatroom.

The concept is not new by any stretch of the imagination, with many IoT, Linux, and Windows malware operating in the same way.

MalwareMustDie says IRCTelnet takes a lot of inspiration from other IoT malware. The concept of using IRC for managing the bots is obviously borrowed from Kaiten, the malware that had the most success with it.

Similarly, the Telnet scanner and brute-forcing system is borrowed from GafGyt (also known as Torlus, Lizkebab, Bashlite, or Bashdoor), while the list of default Telnet credentials is taken from the more recent Mirai malware.

IRCTelnet has support for IPv6 floods
MalwareMustDie says this malware is capable of infecting any device running a Linux kernel version 2.6.32 or above.

Support is included for launching DDoS attacks with spoofed IPv4 and IPv6 source addresses, but the Telnet scanner can only find and brute-force targets over IPv4.

MalwareMustDie says that there are multiple places in the malware's source code where its author used the Italian language, more than could be explained by a random copy-paste.

Botnet currently has only 3,400 bots
Detection rate on VirusTotal is currently low, with very few vendors identifying it as a standalone malware family rather than some sort of GafGyt clone.

MalwareMustDie reports that initial scans that spread this malware came from IPs located in Turkey, Moldova, and the Philippines.

When he connected to the botnet's IRC channel, he says he found around 3,400 bots.


Read more: Problems Reappear for IoT Devices Owners with Discovery of New DDoS Trojan
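The article describes two network-visible stages of an IRCTelnet-style infection: an external host brute-forcing Telnet on many devices in quick succession, and a compromised device then connecting out to an IRC server for commands. The following is an added example for this thread, not code from the article, from MalwareMustDie or from the malware itself. It flags both stages in a constructed, Zeek-style connection log (timestamp, source, source port, destination, destination port, protocol, connection state) and chains them: a device that accepted a Telnet session from a flagged scanner and later connected to an IRC port is reported as a likely bot. The log lines, the 192.168.0.0/16 "internal" range, the port lists and the five-targets-per-minute threshold are all assumptions chosen for illustration.

```python
"""Flag Telnet scanning and IRC check-ins in a connection log (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime

TELNET_PORTS = {23, 2323}              # Telnet and the alternate port many IoT devices use
IRC_PORTS = {6667, 6668, 6669, 6697}   # common IRC ports; 6697 is IRC over TLS
INTERNAL = ipaddress.ip_network("192.168.0.0/16")  # assumed home/lab range

# Constructed sample log (not real traffic): one external host hammers Telnet on
# several devices, one device (192.168.1.20) then connects out to an IRC port.
# States follow Zeek conventions: S0 = no reply, REJ = rejected, SF = completed.
SAMPLE_LOG = """\
2016-10-30T08:00:01 203.0.113.7 51312 192.168.1.20 23 tcp S0
2016-10-30T08:00:02 203.0.113.7 51313 192.168.1.20 23 tcp SF
2016-10-30T08:00:02 203.0.113.7 51314 192.168.1.21 23 tcp SF
2016-10-30T08:00:03 203.0.113.7 51315 192.168.1.22 2323 tcp SF
2016-10-30T08:00:03 203.0.113.7 51316 192.168.1.23 23 tcp REJ
2016-10-30T08:00:04 203.0.113.7 51317 192.168.1.24 23 tcp SF
2016-10-30T08:00:09 198.51.100.4 40001 192.168.1.20 23 tcp SF
2016-10-30T08:00:40 192.168.1.20 45000 203.0.113.99 6667 tcp SF
2016-10-30T08:00:41 192.168.1.10 51000 93.184.216.34 443 tcp SF
"""


def parse_log(text):
    """Parse whitespace-separated log lines into dicts; skip malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        ts, src, sport, dst, dport, proto, state = parts
        records.append({"ts": datetime.fromisoformat(ts), "src": src,
                        "sport": int(sport), "dst": dst, "dport": int(dport),
                        "proto": proto, "state": state})
    return records


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL


def telnet_scanners(records, window_s=60, threshold=5):
    """Return {src_ip: targets} for external sources that touched at least
    `threshold` distinct Telnet endpoints within any `window_s`-second window."""
    per_src = defaultdict(list)
    for r in records:
        if r["dport"] in TELNET_PORTS and not is_internal(r["src"]):
            per_src[r["src"]].append((r["ts"], (r["dst"], r["dport"])))
    flagged = {}
    for src, hits in per_src.items():
        hits.sort()
        best, lo = 0, 0
        for hi in range(len(hits)):          # sliding window over sorted hits
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_s:
                lo += 1
            best = max(best, len({target for _, target in hits[lo:hi + 1]}))
        if best >= threshold:
            flagged[src] = best
    return flagged


def irc_beacons(records):
    """Completed connections from internal hosts to external IRC ports."""
    return [(r["src"], r["dst"], r["dport"]) for r in records
            if is_internal(r["src"]) and not is_internal(r["dst"])
            and r["dport"] in IRC_PORTS and r["state"] == "SF"]


def likely_bots(records, window_s=60, threshold=5):
    """Devices that accepted a Telnet session from a flagged scanner and later
    connected to an IRC port: the two stages chained in order."""
    scanners = telnet_scanners(records, window_s, threshold)
    first_login = {}                      # device -> first completed Telnet session
    for r in records:
        if r["src"] in scanners and r["dport"] in TELNET_PORTS and r["state"] == "SF":
            first_login.setdefault(r["dst"], r["ts"])
    bots = {r["src"] for r in records
            if r["src"] in first_login and r["dport"] in IRC_PORTS
            and not is_internal(r["dst"]) and r["ts"] > first_login[r["src"]]}
    return sorted(bots)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Telnet scanners:", telnet_scanners(recs))
    print("IRC beacons:", irc_beacons(recs))
    print("Likely bots:", likely_bots(recs))
```

On the sample, 203.0.113.7 is flagged for hitting five distinct Telnet endpoints in four seconds, 198.51.100.4 is not (one target), and 192.168.1.20 is reported as a likely bot because its outbound IRC connection follows the scanner's completed Telnet session. Feed a real Zeek conn.log (or router flow export mapped to the same seven fields) into parse_log to run the same checks on live data; the threshold should be tuned to how many devices the monitored network actually exposes.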

Solarquest
UPDATE 31-10-16 13 hours later.

When opening "Malware Must Die!: MMD-0059-2016 - Linux/IRCTelnet (new Aidra) - A DDoS botnet aims IoT w/ IPv6 ready", Emsisoft alerts about an attempt to connect to www.geocities.jp.
Site blacklisted also by Quttera.
[Attachment: emsi geocities.GIF]
