Kaiten malware returns, more powerful says ESET

05 Apr 2016

Researchers at ESET have discovered an improved version of Kaiten, an Internet Relay Chat (IRC)-controlled malware typically used to carry out distributed denial-of-service (DDoS) attacks. 

The digital security firm says the latest version targets embedded systems such as routers, gateways and wireless access points.

The remastered malware has been dubbed “KTN-Remastered” or “KTN-RM”, with three versions of Linux/Remaiten already identified by ESET researchers. Based on artifacts in the code, the main feature of the malware is an improved spreading mechanism.

KTN-RM builds primarily on Linux/Gafgyt's telnet scanning and improves on that spreading mechanism by carrying downloader binaries for embedded platforms such as routers and other connected devices, targeting mainly those with weak login credentials, ESET says.

According to ESET, Linux/Remaiten improves upon this spreading mechanism by carrying downloader executables for CPU architectures that are commonly used in embedded Linux devices such as ARM and MIPS. 

After logging on via the telnet prompt of the victim's device, it tries to determine the new victim's device platform and transfer only the appropriate downloader. This downloader's job is to request the architecture-appropriate Linux/Remaiten bot binary from the bot's C&C server. This binary is then executed on the new victim's device, creating another bot for the malicious operators to use.

“The downloader's job is to request the Linux/Remaiten bot binary from the Command & Control server for its current architecture. When executed, it also creates another bot for the malicious operators to use. We have seen this technique used before by Linux/Moose to spread infections,” explains Michal Malík, ESET malware researcher.
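Because the bot ships a separate downloader per CPU architecture, an incident responder triaging files pulled off a router needs to know quickly which platform each one targets. The following is an added example, not ESET's code or a Remaiten artifact: it reads the ELF identification bytes and the e_machine field from the first 20 bytes of a file and groups captured samples by architecture. The sample headers are constructed here for illustration; the file names are hypothetical.

```python
import struct

# e_machine values from the ELF specification for platforms common in embedded Linux.
ELF_MACHINES = {
    0x03: "x86",
    0x08: "MIPS",
    0x14: "PowerPC",
    0x28: "ARM",
    0x2A: "SuperH",
    0x3E: "x86-64",
    0xB7: "AArch64",
}


def identify_elf(data: bytes) -> dict:
    """Return word size, endianness, object type and machine for an ELF header."""
    if len(data) < 20 or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    ei_class, ei_data = data[4], data[5]  # 1/2 = 32/64-bit, 1/2 = little/big-endian
    if ei_class not in (1, 2) or ei_data not in (1, 2):
        raise ValueError("malformed ELF ident")
    endian = "<" if ei_data == 1 else ">"
    # e_type and e_machine are the two 16-bit fields right after the 16-byte e_ident;
    # they must be decoded in the file's own byte order.
    e_type, e_machine = struct.unpack(endian + "HH", data[16:20])
    return {
        "bits": 32 if ei_class == 1 else 64,
        "endian": "little" if ei_data == 1 else "big",
        "type": {1: "relocatable", 2: "executable", 3: "shared"}.get(e_type, f"unknown({e_type})"),
        "machine": ELF_MACHINES.get(e_machine, f"unknown(0x{e_machine:02x})"),
    }


def triage(samples: dict) -> dict:
    """Group {filename: bytes} by target platform; non-ELF inputs land in their own bucket."""
    by_arch = {}
    for name, blob in samples.items():
        try:
            info = identify_elf(blob)
            key = f"{info['machine']}/{info['bits']}-bit/{info['endian']}"
        except ValueError as exc:
            key = f"not-elf ({exc})"
        by_arch.setdefault(key, []).append(name)
    return by_arch


# Constructed headers: 7 ident bytes, 9 bytes of padding, then e_type=2 (executable) and e_machine.
SAMPLES = {
    "dl.arm": b"\x7fELF\x01\x01\x01" + b"\x00" * 9 + struct.pack("<HH", 2, 0x28),
    "dl.mips": b"\x7fELF\x01\x02\x01" + b"\x00" * 9 + struct.pack(">HH", 2, 0x08),
    "dl.sh": b"#!/bin/sh\necho not a binary\n",
}

if __name__ == "__main__":
    for arch, names in triage(SAMPLES).items():
        print(f"{arch}: {', '.join(names)}")
```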

In a strange twist, this strain of malware also has a message for those who might try to neutralise its threat, Malík says. 

"Within the welcome message, version 2.0 seems to single out malwaremustdie.org which has published extensive details about Gafgyt, Tsunami and other members of this family of malware," he explains.

How to prevent and protect against this threat:

  • Change default passwords on network equipment even if it is not reachable from the Internet. Disable Telnet login and use SSH where possible
  • Run the latest firmware available from your embedded device vendor
  • Have an updated and appropriate anti-malware protection
  • Be aware of the malware threat and what it does to devices
  • If your computer is infected, it might be used to infect others
  • Always have a copy of your data. In case of infection, this will help you recover all of your information
  • If infected, the computer needs to be taken offline and cleaned as quickly as possible
  • If infected, reboot the affected device then change its password as soon as possible. However, the attackers may have had manual access so further infection may have happened. In that case, a factory reset, firmware update or reinstall and password change is probably best