Newly created IoT botnet infects 3,500 connected devices

(Photo by Yuri Samoilov)

An online criminal has created a new type of malware that hacks into IoT devices and pulls them into a botnet used to launch DDoS attacks.

The new Linux/IRCTelnet malware was discovered by security researchers from MalwareMustDie.org and is thought to have infected around 3,500 devices in just five days.

Like the Mirai botnet, which also targeted the Internet of Things (IoT), the IRCTelnet IoT botnet uses default hard-coded credentials to get into vulnerable IoT devices.

IoT botnet targets vulnerable devices

It also shares similarities with a previous botnet called Bashlight, using a telnet-scanning method to make and sustain attacks. This is where connected devices become vulnerable.

According to MalwareMustDie, this new botnet is based on the same source code as Aidra, which was malware that also infected thousands of IoT devices and services.

Aidra was found in 2013 and infected over 420,000 connected products as part of a research project to test the global network, but many experts question how ethical it was.

Culprit still unknown

Although the exact identity of the culprit is unknown, researchers believe they’re from Italy because they’ve been using Italian in the botnet’s communication interface.

“The malware (the bot client) is designed to aim IoT device via telnet protocol, by using its originally coded telnet scanner function, which is brute-forcing the known vulnerable credential of the Linux IoT boxes, via command sent from a CNC malicious IRC server,” the researchers wrote.

“The botnet is having DoS attack mechanism like UDP flood, TCP flood, along with other attack methods, in both IPv4 and IPv6 protocol, with extra IP spoof option in IPv4 or IPv6 too.”

Easily removed

While any form of malware is inconvenient, this one doesn’t actually damage infected devices. It can be easily removed by turning the device off and powering it back up.

“This malware variant can be easily removed by rebooting the infected device. But if you don’t secure the telnet after reboot, it will come to infect you again,” the researchers continued.

Mike Pittenger, vice president of security strategy at Black Duck Software, explained that there isn’t a question of vulnerability here. Rather, there’s an underlying flaw in the architecture of IoT devices.

“The issue is not a vulnerability (per se) in these devices, but an architectural flaw in that they don’t require the default password to be changed, and passwords can be bypassed using Telnet,” he said.

“Unsecure IoT devices are putting the Internet, and those services that depend on a reliable communication channel, at risk. A reasonable company, to use the due care standard, would not build and sell a car without brakes.

“At what point are companies that put our infrastructure at risk held accountable? I think we’re going to see that happen soon.”
