The whole world is still dealing with the Mirai IoT Botnet that caused vast internet outage last Friday by launching massive distributed denial of service (DDoS) attacks against the DNS provider Dyn, and researchers have found another nasty IoT botnet.
Dubbed Linux/IRCTelnet, the nasty malware is written in C++ and, just like Mirai malware, relies on default hard-coded passwords in an effort to infect vulnerable Linux-based IoT devices.
The IRCTelnet malware works by brute-forcing a device's Telnet ports, infecting the device's operating system, and then adding it to a botnet network which is controlled through IRC (Internet Relay Chat) – an application layer protocol that enables communication in the form of text.
So, every infected bot (IoT device) connects to a malicious IRC channel and reads commands sent from a command-and-control server.
The concept of using IRC for managing the bots, according to the researchers, is borrowed from the Kaiten malware. The source code used to build the IRCTelnet botnet malware is based on the earlier Aidra botnet.
The malware uses the "leaked" vulnerable IoT device's login credential from the Mirai botnet in order to brute force exposed Telnet ports to the Internet.
The IRCTelnet malware infects insecure devices running a Linux Kernel version 2.6.32 or above and capable of launching DDoS attacks with spoofed IPv4 and IPv6 addresses, though the scanner is programmed only to find and brute-force Telnet via IPv4.
> "The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too," the researchers note in a blog post.
While analyzing the malware's source code, researchers found hard-coded Italian language messages in the user's communication interface, which suggests that the author of the IRCTelnet malware could be Italian.
The security firm found around 3,400 bots infected by the IRCTelnet malware and said that this nasty malware is capable of raising almost 3,500 bot clients within only 5 days.
The initial scans that distributed the IRCTelnet malware came from IP addresses located in Turkey, Moldova, and the Philippines.
Building a legendary, massive botnet that leverages recently vulnerable threat landscape is inviting more incidents like the recent DDoS attack against Dyn that rendered major websites inaccessible, and record-breaking DDoS attack against French Internet service and hosting provider OVH.