Researchers have thrown back the covers on more malware infecting IoT devices for the purposes of building a botnet that carries out DDoS attacks.
This sample has its roots in other IoT botnets such as Aidra, Bashlite and Mirai in that it attacks weak telnet credentials guarding devices and it’s also using the leaked hardcoded credential list used by Mirai to do so.
The malware has been nicknamed Linux/IRCTelnet by researchers at Malware Must Die. It has the same UDP and TCP flood attack capabilities of its predecessors, but it also supports attacks against systems running on IPv6. Unlike Mirai, this malware communicates over IRC with the compromised Linux-based IoT devices.
The malware is based on Aidra, which was discovered shortly after publication in 2013 by an anonymous research paper describing the results of an Internet scanning project called the Internet Census 2012. A researcher accessed more than 400,000 embedded devices that were discoverable on the Internet and still had default factory credentials enabled. Security experts at the time denounced the project as illegal and unethical.
In the wake of the release of that data, malware known as LightAidra, or Aidra, appeared and crafted botnets designed to search for telnet ports and access them using known default credentials.
“I found the match in major parts of codes after the reversing was done,” wrote a researcher who goes by the handle Unixfreaxjp. “It is very lucky to see new type of Aidra botnet in this era, and this botnet is a re-designed and modified new model to aim IoT vulnerability problem that we have now.”
The new malware is built on old Aidra code combined with a telnet scanner borrowed from the Torlus/Gayfgt and Mirai’s hardcoded list of 60-plus credentials. The researchers said the malware has infected close to 3,500 devices in the five days since it was discovered.
“To incarnate a legendary botnet code into a new version that can aim the recent vulnerable threat landscape is really inviting more bad news,” the report says.
The arrival of more IoT botnet malware was expected given the Mirai source code dump a month ago. Mirai has been fingered as the malware behind the botnets that attacked DNS provider Dyn two weeks ago, causing Internet service interruptions on the East Coast, as well as volumetric attacks against Krebs on Security and French webhost OVH. Earlier this summer, Bashlite was exposed by researchers at Level 3 Communications who revealed that the malware had infected 1 million devices such as IP-enabled cameras and DVRs.
Mirai, however, could be on borrowed time. The source code may be available to criminals and others interested in carrying out DDoS attacks, but it’s also open to security researchers who already have found a vulnerability in the code.
Invincea Labs last week published a report about a stack buffer overflow in the code that could be exploited by altering responses from HTTP packets sent by the bot to command and control. However, experts—including Invincea Labs—caution that this could be tantamount to hacking back, which is illegal under the U.S. Computer Fraud and Abuse Act (CFAA).
Invincea Labs said its exploit causes a segmentation fault in a bot carrying out an HTTP flood attack, crashing the attack process, but leaving the compromised intact and running. Researchers said this technique would not have helped in the DNS-based DDoS attack against Dyn, but would shut down Layer 7 attack capabilities present in the publicly available Mirai code.