Meet Linux/IRCTelnet malware, the successor to Mirai!

A possible successor to Mirai malware has been unearthed. Discovered by security researchers at MalwareMustDie.org, the malware has been named as Linux/IRCTelnet. The task of this new malware is to infect the Internet of Things devices and convert them into botnets for conducting DDoS attacks. Just like the notorious Mirai, this new malware exploits the default credentials in the IoT devices to gain access. As per the researchers who discovered it, the malware is primed for DDoS and is IPv6 ready.

The article published by the researchers says that “the malware has been designed to aim IoT device via a telnet protocol, by using its originally coded telnet scanner function, which is brute-forcing the known vulnerable credential of the Linux IoT boxes, via command sent from a CNC malicious IRC server.” It further says that, “the botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too. The malware code is an improvisation of Tsunami/Kaiten protocol. Some original features of this protocol are retained but new features in massaging and attack vectors have also been added. Below is the image showing the malware installer script for the Linux/IRCTelnet.

An indepth analysis of the source code of Linux/IRCTelnet has revealed that the source code that makes up this malware has been taken from the previously existing Aidra botnet. In totality, the Linux/IRCTelnet based on the source code of Aidra bot, uses the new logic of Torlus/Gayfgt for telnet scanner and is armed with the Mirai’s leaked credential list of the IoT devices to gain access through Brute Force. The malware has infected 3500 devices just within 5 days of its first detection. The actors behind this new malware seem to be Italian as suggested by the use of messages in hard coded Italian language in the user’s communication interface.

As per the researchers, the Linux/IRCTelnet works in the following way:

1. Cheking fork and pid beforehand

2. It gets the uname data of a compromised system

3. Loading the encoded CNC data

4. Decoded the CNC data

5. Send http request to CNC with HTTP/1.0 to get GeoIP (“GET / HTTP/1.0\nHost: 164.132.237.180\n\n”)

6. Reversed the GeoIP strings for BotID

7. Connect to the IRC C2 server, using “d3x” if uname is unavaliable

8. Starting the IRC connection

9. Listen to the CNC commands and act according instruction

10. Instructions are in Botnet Protocol section self-expalnatory

As per the researchers who discovered this malware, “To incarnate a legendary botnet code into a new version that can aim the recent vulnerable threat landscape is really inviting more bad news”. Given the emergence of DDoS using IoT as a potent attack method that has changed the threat landscape, the discovery of this new successor to Mirai has just upped the ante among the security researchers and the threat actors