A new and very potent malware botnet has been spotted. The threat, known as Linux/IRCTelnet, is very similar to the infamous Mirai botnet.
The IoT Linux IRCTelnet Botnet is Dangerous and Live
The new botnet, known as Linux/IRCTelnet, is very similar to the Mirai threat, whose millions of infected hosts took down a significant part of the Internet's services in the recent massive attack.
The botnet is written in C++ and scans for hosts with open ports running the Telnet service. Telnet is widely used by IoT devices for administration purposes, and in many cases the default configuration relies on simple passwords that are very easy to guess with dictionary-based attacks. Telnet itself is also very insecure; system administrators nowadays use SSH, which has proven to be a safer replacement.
The malware infiltrates the appliance and adds it to an IRC-controlled botnet. The malicious operators issue text commands through a remotely controlled C&C server. The botnet also has a connection with Mirai: it uses the same database of account credentials to infect the compromised devices.
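The two observable traces of the infection chain just described, a Telnet dictionary attack followed by an outbound IRC control connection, can be picked up from device or gateway logs. The following is an added example (not code from the article or from the malware): simple detection logic run over constructed syslog-style lines; the log format, the host names and IP addresses, and the IRC port list are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the article): a camera's syslog showing a
# Telnet dictionary attack from one source, then an outbound IRC connection.
SAMPLE_LOG = """\
Oct 31 10:00:01 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.7
Oct 31 10:00:02 cam01 telnetd[412]: login failed for 'root' from 203.0.113.7
Oct 31 10:00:02 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.7
Oct 31 10:00:03 cam01 telnetd[412]: login failed for 'support' from 203.0.113.7
Oct 31 10:00:04 cam01 telnetd[412]: login failed for 'root' from 203.0.113.7
Oct 31 10:00:06 cam01 telnetd[412]: login ok for 'root' from 203.0.113.7
Oct 31 10:00:09 cam01 kernel: OUT TCP 10.0.0.5:41822 -> 198.51.100.9:6667
Oct 31 10:30:00 cam01 telnetd[412]: login failed for 'admin' from 192.0.2.44
"""

LOGIN_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: login (failed|ok) for '(\S+)' from (\S+)$")
OUT_RE = re.compile(r"^(\w{3} \d{1,2} \d\d:\d\d:\d\d) \S+ kernel: OUT TCP \S+ -> (\S+):(\d+)$")
IRC_PORTS = {6667, 6697}  # assumption: plain and TLS IRC defaults; tune to your environment

def parse_ts(s):
    # Syslog lines carry no year; assume the current one (good enough for windowing).
    return datetime.strptime(f"{datetime.now().year} {s}", "%Y %b %d %H:%M:%S")

def detect(log, fail_threshold=5, window_s=60):
    """Return alerts: Telnet guessing bursts, a success after a burst, and IRC-port egress."""
    fails = defaultdict(list)   # source IP -> timestamps of recent failed logins
    alerts = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            ts, result, user, src = parse_ts(m[1]), m[2], m[3], m[4]
            if result == "failed":
                fails[src].append(ts)
                # keep only the failures that fall inside the sliding window
                fails[src] = [t for t in fails[src] if (ts - t).total_seconds() <= window_s]
                if len(fails[src]) == fail_threshold:
                    alerts.append(("telnet_bruteforce", src, user))
            elif fails[src]:  # a successful login right after guessing: likely a default password
                alerts.append(("telnet_guess_success", src, user))
            continue
        m = OUT_RE.match(line)
        if m and int(m[3]) in IRC_PORTS:  # an IoT device should never talk to an IRC server
            alerts.append(("irc_egress", m[2], int(m[3])))
    return alerts

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a)
```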
IRCTelnet infects insecure appliances running GNU/Linux with kernel version 2.6.32 or newer. The developers of the malicious threat have added spoofing capabilities that work with both IPv4 and IPv6 addresses; however, the scanner (at least in the current versions of the botnet) is only capable of attacking appliances via IPv4 Telnet connections.
Some Details About The IRCTelnet Botnet
The initial analysis of the botnet shows that it has DoS attack mechanisms, including UDP flood and TCP flood attacks among others. The fact that the malware can spoof both IPv4 and IPv6 addresses means that it can potentially impact almost every Internet-exposed IoT device with weak security settings.
Security experts found hard-coded messages in Italian in the botnet's source code, which suggests that the operators of IRCTelnet might be from Italy. One of the security vendors who audited the network reported around 3400 active hosts during their analysis. The prognosis is that the network is capable of recruiting around 3500 hosts in 5 days, which is a considerable number.
The initial botnet attacks came from countries like Turkey, Moldova and The Philippines.