A new botnet has been infecting Internet of Things (IoT) devices and Linux-based servers and then leveraging them in distributed denial-of-service (DDoS) attacks. The malware, dubbed Kaiji, was written from scratch, which researchers say is “rare in the IoT botnet landscape” today.
Kaiji, which was discovered in late April by security researcher “MalwareMustDie” and researchers with Intezer, is unusual in its custom tooling, written in the Go (Golang) programming language. Earlier IoT malware has mostly derived its tooling from previous botnets (including the many botnets that are Mirai variants), which are usually written in C or C++.
Rather than exploiting unpatched vulnerabilities, Kaiji spreads exclusively through brute-force attacks against publicly accessible SSH servers that allow password-based SSH authentication, Intezer's Litvak stated in a Monday analysis.
Only the root account is targeted, the researchers said; root access is essential to its operation, since some of its DDoS attacks are only possible by crafting custom network packets, and in Linux custom network packets can only be sent by a privileged user such as root.
Once an SSH connection is established, a /usr/bin/lib directory is created and Kaiji is installed there under the filename ‘netstat’, ‘ps’, ‘ls’ or another system tool name.
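The two conditions described above (password-based SSH login for root, and a binary dropped into /usr/bin/lib under a system tool name) can both be checked from a host. The following audit script is an added example, not code from the article or from Intezer; the sshd_config path, the OpenSSH defaults it reports, and the watch list of tool names are assumptions noted in the comments.

```shell
#!/bin/sh
# Added example (not from the original article): host-side checks for the
# conditions Kaiji relies on. Assumptions: sshd_config lives at
# /etc/ssh/sshd_config; OpenSSH defaults PasswordAuthentication to "yes"
# and PermitRootLogin to "prohibit-password"; Match blocks are not parsed.

# Reports weak login settings in the given sshd_config. OpenSSH honours the
# FIRST occurrence of a directive, so the first uncommented line is used.
# Returns 1 if anything weak was found, 0 otherwise.
audit_sshd_config() {
    cfg="${1:-/etc/ssh/sshd_config}"
    rc=0
    pw=$(grep -iE '^[[:space:]]*PasswordAuthentication[[:space:]]' "$cfg" 2>/dev/null \
         | head -n 1 | awk '{print tolower($2)}')
    root=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfg" 2>/dev/null \
           | head -n 1 | awk '{print tolower($2)}')
    # Unset means the default, which is "yes" for PasswordAuthentication.
    if [ -z "$pw" ] || [ "$pw" = "yes" ]; then
        echo "WEAK: PasswordAuthentication is ${pw:-unset (defaults to yes)}; set it to no"
        rc=1
    fi
    # Only an explicit "yes" allows password logins as root; the default
    # "prohibit-password" already blocks the brute-force path described.
    if [ "$root" = "yes" ]; then
        echo "WEAK: PermitRootLogin is yes; set it to no or prohibit-password"
        rc=1
    fi
    return $rc
}

# Looks in DIR (default /usr/bin/lib, which is not a standard Linux directory)
# for files carrying common system tool names. Returns 1 if any were found.
find_masquerading_binaries() {
    dir="${1:-/usr/bin/lib}"
    [ -d "$dir" ] || return 0
    found=0
    for name in netstat ps ls ss top ifconfig; do   # constructed watch list
        if [ -f "$dir/$name" ]; then
            echo "SUSPECT: $dir/$name (system tool name outside its normal path)"
            found=1
        fi
    done
    return $found
}

# Run both checks when invoked as: AUDIT_RUN=1 sh kaiji_audit.sh
if [ "${AUDIT_RUN:-0}" = "1" ]; then
    audit_sshd_config
    find_masquerading_binaries
fi
```

A non-zero exit from either function is the signal to act: switch the host to key-only authentication and inspect anything found under /usr/bin/lib.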
Kaiji has comparatively simple features, and Litvak said he believes the tool is still being tested, because one of its functions calls the tool a “demo.” The malware’s features include various DDoS attack modules, an SSH brute-forcer module to continue its spread, and another SSH spreader that hijacks local SSH keys to infect known hosts the server has previously connected to.