Remaiten Linux-Based worm turns Routers Into Bots

Security software company ESET have posted a research about a new worm. The malware known as Remaiten, spreads over Telnet and builds a botnet of routers, access points, Wi-Fi or any network device.

ESET Experts believe that Remaiten is an improved version of Gafgyt and Tsunami (also known as Kaiten) worm discovered on 2014. Gafgyt served to steal information from infected computer, while Kaiten was used to launch an organized DDoS-attacks.

As Remaiten, Gafgyt will attack the remote system via Telnet. For this malicious program it scans the Telnet port on a certain IP-addresses. When it detect the Telnet service it will try to crack the password using a predefined list. If the password attack succeed victim will receive a command to download the executable worm and compile it to the required architecture.

Remaiten works almost the same way. The only difference that it will not download all possible executables. Instead, it tries to determine the architecture of the victim, and then send the appropriate executable file to infect remote system.

network_telnet_11

Guessing telnet login credentials

After that victim machine will connect to IRC command channel and waits for instructions. Analyzing the worm code shows that it allows controlled system to participate in DDoS-attacks of various types. You can find the full research by Eset on the following link: http://www.welivesecurity.com/2016/03/30/meet-remaiten-a-linux-bot-on-steroids-targeting-routers-and-potentially-other-iot-devices/

Share