Rakos is here to compromise your IoT security.
Dubbed Rakos, the newly discovered malware is written in Go and ships as a binary compressed with the standard UPX packer. It attacks vulnerable devices through brute-force SSH login attempts, a method already observed in various other Linux threats, and targets both embedded devices and servers that expose an SSH port protected by weak credentials, with the goal of building a large botnet.
Once running, the malware starts a local HTTP server, which allows future versions to kill running instances regardless of their name, and which also attempts to parse a URL query for various parameters. In addition, it creates a web server bound to all interfaces on a randomly chosen TCP port (between 20,000 and 60,000).
When a remote request is sent to the device via this port, a response containing the IP address is received, researchers say. The malware also sends an initial HTTP request containing important information about the victim device to the C&C server.
The botnet has not yet been observed carrying out distributed denial of service (DDoS) attacks or spreading spam, but researchers believe it might gain such functionality, given the level of control over the infected device it gives the attackers.
The Trojan doesn’t feature persistence capabilities, but rebooted devices can be compromised repeatedly. To clean compromised devices, users should connect to them using SSH/Telnet, look for a process named .javaxxx, verify that it is responsible for unwanted connections, and then kill it. Next, victims should secure the SSH credentials to avoid future compromise.
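As an added defender-side illustration (not code from the SecurityWeek article or the researchers), the following POSIX shell helper applies the two indicators the text gives, a process named .javaxxx and a listener bound to all interfaces on a TCP port between 20,000 and 60,000, to constructed `ps` and `netstat`-style output. The sample output, its field layout and the function names are assumptions.

```shell
#!/bin/sh
# Constructed sample of `ps -eo pid,comm` output (not captured from a real device).
SAMPLE_PS='  PID COMMAND
    1 init
  412 sshd
  977 .javaxxx
 1023 busybox'

# Constructed sample in the `netstat -tlnp` column layout (not captured from a real device).
SAMPLE_LISTENERS='tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 412/sshd
tcp 0 0 0.0.0.0:48213 0.0.0.0:* LISTEN 977/.javaxxx
tcp 0 0 127.0.0.1:8080 0.0.0.0:* LISTEN 1023/busybox'

# Print PIDs whose command name begins with ".java" (covers the .javaxxx name).
find_suspect_pids() {
  printf '%s\n' "$1" | awk 'NR > 1 && $2 ~ /^\.java/ { print $1 }'
}

# Print "pid port" for LISTEN sockets bound to 0.0.0.0 on ports 20000-60000.
find_suspect_listeners() {
  printf '%s\n' "$1" | awk '
    $6 == "LISTEN" {
      n = split($4, addr, ":"); port = addr[n] + 0
      split($7, proc, "/")
      if (addr[1] == "0.0.0.0" && port >= 20000 && port <= 60000) print proc[1], port
    }'
}

# Cross-check both indicators: a PID matching the name that also owns a suspect listener.
confirm_suspects() {
  pids=$(find_suspect_pids "$1")
  find_suspect_listeners "$2" | while read -r pid port; do
    for p in $pids; do
      if [ "$p" = "$pid" ]; then printf '%s %s\n' "$pid" "$port"; fi
    done
  done
}

# On a live device, feed real command output instead of the constructed samples, e.g.:
#   confirm_suspects "$(ps -eo pid,comm)" "$(netstat -tlnp 2>/dev/null)"
# Confirmed PIDs are candidates for `kill` after the manual verification the text advises.
confirm_suspects "$SAMPLE_PS" "$SAMPLE_LISTENERS"
```

Because the process name alone is weak evidence, the cross-check only reports a PID when the listener indicator agrees with it.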
Source: SecurityWeek