Rakos malware infects Linux servers, IoT devices to build botnet


A recently discovered form of malware is spreading across Linux servers and Linux-powered Internet of Things devices, causing network congestion as it attempts to build a botnet.

Called Rakos, the malware is attacking vulnerable devices via brute-force Secure Socket Shell login attempts. Once it gains access, it then uses the infected machine to carry out more brute-force attacks on other devices, putting additional pressure on network resources.

According to researchers at security firm ESET spol. s r.o., the malware in its current form is harmless besides its strain on network resources. But that could easily change in the future given that it provides direct access to the hackers behind the malware to infected devices.

“The obvious aim of this trojan is to assemble a list of unsecured devices and to have an opportunity to create a botnet consisting of as many zombies as possible,” the company said in a blog post Tuesday.

Rakos, which is written in the Go language, was observed loading its configuration via standard input in YAML format with a configuration file that includes a list of command and control servers, the credentials that are used to brute-force devices, and internal parameters.

Once installed, the malware starts a local HTTP server, allowing future versions to kill running instances regardless of their name. It also creates a web server listening on all interfaces. “Sending back the IP address, username and password allows the attackers to do anything they want with the machine afterwards,” the researchers noted. “Together with the foul language used in the code, we think it is unlikely that this is just an invasive but innocent experiment or an unfortunate exercise in academic research.”

The trojan virus is unable to maintain persistence after a system is rebooted, however. Given that it sends back username and password information, the safest way to ensure server or device safety is to secure SSH credentials, or login details such as the server address, username and password, after a factory reset.

Image credit: Pixabay/Public Domain CC0.