UPDATED 22:57 EDT / DECEMBER 21 2016

INFRA

Rakos malware infects Linux servers, IoT devices to build botnet

A recently discovered form of malware is spreading across Linux servers and Linux-powered Internet of Things devices, causing network congestion as it attempts to build a botnet.

Called Rakos, the malware is attacking vulnerable devices via brute-force Secure Socket Shell login attempts. Once it gains access, it then uses the infected machine to carry out more brute-force attacks on other devices, putting additional pressure on network resources.

According to researchers at security firm ESET spol. s r.o., the malware in its current form is harmless besides its strain on network resources. But that could easily change in the future given that it provides direct access to the hackers behind the malware to infected devices.

“The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible,” the company said in a blog post Tuesday.

Rakos, which is written in the Go language, was observed loading its configuration via standard input in YAML format with a configuration file that includes a list of command and control servers, the credentials that are used to brute-force devices, and internal parameters.

Once installed, the malware starts a local HTTP server, allowing future versions to kill running instances regardless of their name. It also creates a web server listening on all interfaces. “Sending back the IP address, username and password allows the attackers to do anything they want with the machine afterwards,” the researchers noted. “Together with the foul language used in the code, we think it is unlikely that this is just an invasive but innocent experiment or an unfortunate exercise in academic research.”

The trojan virus is unable to maintain persistence after a system is rebooted, however. Given that it sends back username and password information, the safest way to ensure server or device safety is to secure SSH credentials, or login details such as the server address, username and password, after a factory reset.

Image credit: Pixabay/Public Domain CC0.

A message from John Furrier, co-founder of SiliconANGLE:

Your vote of support is important to us and it helps us keep the content FREE.

One click below supports our mission to provide free, deep, and relevant content.  

Join our community on YouTube

Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.

“TheCUBE is an important partner to the industry. You guys really are a part of our events and we really appreciate you coming and I know people appreciate the content you create as well” – Andy Jassy

THANK YOU

Cookies

We employ the use of cookies. Find out more.