There’s a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report.
Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices.
Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6.
The best-of-breed approach “is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected,” a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. “To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news.”
Like most IoT bots, Linux/IRCTelnet doesn’t have what malware experts refer to as persistence. That means that compromised devices are disinfected as soon as they’re restarted. Still, unless the rebooted devices are properly secured—by, for instance, changing the default login credentials or disabling telnet connections—they are likely to be infected all over again. Once a device is infected, its IP address is stored so the botnet operator can re-infect it if it suddenly loses contact with the command and control channel.
A recent volley of DDoS attacks launched from infected IoT devices has opened a troubling chapter for the Internet because the assaults are capable of delivering malicious data in volumes that were almost unimaginable just a few years ago. Linux/IRCTelnet is likely only the beginning of what could be a long line of next-generation malware that steadily improves its capabilities. The proliferation of Internet-connected devices that by default are defenseless against these threats is bad news, indeed.