A researcher going by the handle unixfreakjp says a new botnet aimed at Internet-of-Things devices known as Linux/IRCTelnet has already infected 3500 devices in the space of five days.
As with the Mirai malware, which was leaked on the Internet recently, Linux/IRCTelnet targets IoT devices whose default usernames and passwords have never been changed, and logs in to such devices over the telnet protocol.
Practically all routers, security cameras and other devices that can be connected to the Internet use Linux because of its design and cost.
Mirai was used in the recent attack on domain name services provider Dynamic Network Services that affected the functioning of a number of big-name websites like Twitter and Netflix.
The researcher said the code of the new botnet bore many similarities to that of Aidra, one of the earliest botnets discovered. Aidra was mentioned by an unknown security researcher who harnessed a number of IoT devices to find out the extent to which such insecure devices were present on the Internet.
He found many Italian-language references in the botnet's hardcoded messages, and said it was very fast at scanning for vulnerable devices.
"It handles three or more 'scan' requests at the same time on different segments of the IP network, and these are what I saw in only a few seconds; scanning progress is overlapping each other seeking for telnet services," unixfreakjp wrote in a very detailed technical analysis that is well worth reading.
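The scanning behaviour described in that quote, several overlapping sweeps across different network segments looking for telnet, is exactly what a defender can pick out of perimeter logs. The following is an added detection example, not code from the article or from unixfreakjp's analysis: it parses constructed firewall-style records (the log format, the addresses and the thresholds are all assumptions) and flags any source that probes port 23 in three or more distinct /24 segments within a short window.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article): one line per connection
# attempt with timestamp, verdict, source, destination and destination port.
SAMPLE_LOGS = """\
2016-10-30T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.10 dport=23
2016-10-30T10:00:01Z DROP src=198.51.100.7 dst=192.0.2.77 dport=23
2016-10-30T10:00:02Z DROP src=198.51.100.7 dst=192.0.3.5 dport=23
2016-10-30T10:00:02Z DROP src=198.51.100.7 dst=192.0.4.201 dport=23
2016-10-30T10:00:03Z DROP src=198.51.100.7 dst=203.0.113.9 dport=23
2016-10-30T10:00:05Z ACCEPT src=203.0.113.50 dst=192.0.2.10 dport=443
2016-10-30T10:00:06Z DROP src=203.0.113.50 dst=192.0.2.11 dport=23
2016-10-30T10:30:00Z DROP src=203.0.113.50 dst=192.0.9.1 dport=23
"""

# Assumed log layout; adjust the pattern to the firewall actually in use.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>[A-Z]+) src=(?P<src>[\d.]+) "
    r"dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+)$"
)


def parse_events(lines):
    """Turn matching log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": m["src"],
            "dst": m["dst"],
            "dport": int(m["dport"]),
        })
    return events


def segment_of(ip, prefix=24):
    """Return the /24 (by default) network that a destination address falls in."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)


def find_telnet_scanners(events, window=timedelta(seconds=10), min_segments=3):
    """Flag sources that touch >= min_segments distinct segments on port 23 inside `window`.

    A single host probing one subnet may be a misconfiguration; a host sweeping
    several segments in parallel within seconds matches the overlapping-scan
    pattern the researcher describes.
    """
    by_src = defaultdict(list)
    for ev in events:
        if ev["dport"] == 23:
            by_src[ev["src"]].append((ev["ts"], segment_of(ev["dst"])))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort(key=lambda h: h[0])
        best = 0
        j = 0
        for i in range(len(hits)):
            # Slide the window end forward; j only ever moves right because hits are sorted.
            while j < len(hits) and hits[j][0] - hits[i][0] <= window:
                j += 1
            best = max(best, len({seg for _, seg in hits[i:j]}))
        if best >= min_segments:
            flagged[src] = {
                "segments": best,
                "attempts": len(hits),
                "first_seen": hits[0][0],
                "last_seen": hits[-1][0],
            }
    return flagged


if __name__ == "__main__":
    for src, info in find_telnet_scanners(parse_events(SAMPLE_LOGS.splitlines())).items():
        print(f"{src}: {info['attempts']} telnet attempts across "
              f"{info['segments']} segments between {info['first_seen']} and {info['last_seen']}")
```

With the sample data, 198.51.100.7 is flagged (four distinct /24s in two seconds) while 203.0.113.50 is not, because its two port-23 attempts are half an hour apart; widening `window` or lowering `min_segments` trades fewer missed scanners for more noise from ordinary admin traffic.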
He said Linux/IRCTelnet had no persistent autostart or rootkit or anything that could damage the device it had taken over. "This malware variant can be easily removed by rebooting the infected device. But if you don't secure the telnet after reboot, it will come to infect you again," he wrote.