Linux/IRCTelnet (new Aidra), a new piece of Linux malware targeting IoT devices and turning them into DDoS-capable bots, has been spotted and analyzed by one of the researchers who share their discoveries on the MalwareMustDie! blog.
Linux/IRCTelnet is an interesting mix of capabilities associated with older malware.
The base of Linux/IRCTelnet is the source code of the Aidra bot, used years ago by an anonymous researcher to build a botnet (or, as he called it, a distributed port scanner) of over 420,000 Internet-connected devices, so he could scan all available IPv4 addresses.
To this, the Linux/IRCTelnet author added IRC protocol support from the Tsunami/Kaiten IRC botnet family, telnet scanning capabilities and malware injection code from the Bashlite (aka Gafgyt, aka Torlus) Trojan, and the list of default credentials for IoT devices used by the Mirai malware, which was to blame for the massive Dyn DDoS attack.
According to the researcher, this Frankenstein malware has managed to infect almost 3,500 devices in five days, and that number is only going to rise.
A botnet built this way can apparently launch a number of DDoS attacks, including UDP and TCP floods, over both IPv4 and IPv6.
But, like Mirai before it, Linux/IRCTelnet has no good persistence mechanism, so it can easily be removed from infected devices simply by restarting them. To keep those devices clean, however, users will have to protect them against reinfection quickly.
They can do that either by disabling telnet access (if it’s not needed) or by securing it with unique, hard-to-guess passwords. Allowing telnet access only from a specific IP address is also a good idea.
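The last of those mitigations, restricting telnet to one management address, as an added example that is not part of the original article. It assumes a Linux device with iptables/ip6tables and a single trusted admin host; the address is a placeholder from the documentation range, and DRY_RUN is a hypothetical switch for printing rules without root.

```shell
#!/bin/sh
# Weak state: telnetd listens on port 23, reachable from any address, with a
# default password -- exactly what Linux/IRCTelnet's telnet scanner looks for.
# Corrected state: telnet accepted only from ADMIN_IP, all other new telnet
# connections dropped on both IPv4 and IPv6.

# Emit the firewall rules for one trusted admin host (assumed single address).
telnet_rules() {
    admin_ip="$1"   # placeholder, e.g. 192.0.2.10 from the documentation range
    printf '%s\n' \
      "iptables -A INPUT -p tcp --dport 23 -s $admin_ip -j ACCEPT" \
      "iptables -A INPUT -p tcp --dport 23 -j DROP" \
      "ip6tables -A INPUT -p tcp --dport 23 -j DROP"
}

# Apply the rules; with DRY_RUN=1 (hypothetical switch) only print them.
apply_telnet_rules() {
    telnet_rules "$1" | while IFS= read -r rule; do
        if [ "${DRY_RUN:-0}" = "1" ]; then
            echo "$rule"
        else
            $rule
        fi
    done
}

# Example run (no root needed):
DRY_RUN=1 apply_telnet_rules 192.0.2.10
```

If the device is administered via a management VLAN or VPN rather than a single host, replace the -s address with that network and keep the trailing DROP rules.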
The researcher posits that this new threat has been coded by the self-professed author of the Aidra botnet – an Italian hacker who uses the online handles “d3m0n3” and “eVil”.