Kaiten, an Internet Relay Chat (IRC)-controlled malware typically used to carry out distributed denial-of-service (DDoS) attacks, has returned, in a stronger configuration. It’s targeting routers and internet of things (IoT) devices.

ESET researchers have identified three tougher versions of the malware, which they dubbed Linux/Remaiten and characterize as “a Linux bot on steroids.” The main feature of the malware is an improved spreading mechanism.

“ESET researchers are actively monitoring malware that targets embedded systems such as routers, gateways and wireless access points,” the company explained in an analysis. “Recently, we discovered a bot that combines the capabilities of Tsunami (also known as Kaiten) and Gafgyt. It also provides some improvements as well as a couple of new features. We call this new threat Linux/Remaiten. So far, we have seen three versions of Linux/Remaiten that identify themselves as versions 2.0, 2.1 and 2.2. Based on artifacts found in the code, the authors call this new malware KTN-Remastered or KTN-RM.”

Based primarily on Linux/Gafgyt’s telnet scanning, the new versions improve on the spreading mechanism by carrying downloader executable binaries for embedded platforms such as routers and other connected devices.

When instructed to perform telnet scanning, the malware tries to connect to random public IP addresses. If the connection succeeds, it will try to guess the login credentials. If the malware successfully logs in, it will issue a shell command to download bot executable files for multiple system architectures and try to run them.

“This is a simple but noisy way of ensuring that the new victim gets infected, because it is likely that one of the binaries is for the current platform,” said Michal Malík, ESET malware researcher. “It targets mainly those with weak login credentials.”

As seen in Linux/Moose, when the malware is executed, it also creates another bot for the malicious operators to use. This strain of malware also has a message for those who might try to neutralize its threat.

“Within the welcome message, version 2.0 seems to single out malwaremustdie.org which has published extensive details about Gafgyt, Tsunami and other members of this family of malware,” said Malík.

Photo © Fireofheart