Friday, 23 December 2016

Rakos Malware To Build Botnet Army

Rakos is a newly detected piece of malware that attacks vulnerable devices by brute-forcing SSH logins, a method common to many Linux threats. It targets both embedded devices and servers that expose an open SSH port, preying on weak credentials with the aim of building a large botnet. The malicious program is written in Go and its binary is compressed with the standard UPX packer.

Another recently found malware, Mirai, is an Internet of Things botnet that searches for less secure devices; it has successfully attacked systems in 164 countries. The difference between Mirai and Rakos is that Mirai targets Telnet ports instead of SSH.

The malware searches a limited set of IPs and incrementally spreads to more targets. Rakos periodically sends details of the host machine to its command and control (C&C) servers. Rakos is not yet capable of Distributed Denial of Service (DDoS), but researchers believe it might receive such a capability given its level of control over infected devices.
When the malware is able to access a device with its credentials, it runs two commands (id, uname -m). The malicious code then checks whether it is possible to upload to the new victim and continues.
The backdoor is able to update its configuration file (from https://{C&C}/upgrade/vars.yaml) and also to upgrade itself.

Devices with strong passwords are not safe either. To secure the devices, change the default password.
The malware has no persistence capabilities, but rebooted devices can be attacked and compromised repeatedly. Affected users should connect over SSH/Telnet, search for a process named .javaxxx, verify that it is an unwanted connection and kill it. To avoid future problems, the SSH credentials should be well protected.
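The process check from the paragraph above, written out as a script; this is an added example, not part of the original post, and it assumes `ps -eo pid,comm,args` and `ss -tnp` are available on the device.

```shell
#!/bin/sh
# Added example, not from the original post: the .javaxxx process check
# described above, expressed as a script. Assumes ps(1) with -eo and ss(8)
# for socket listing; those tool names are assumptions, not page content.

# Reads `ps -eo pid,comm,args` output on stdin and prints "PID COMM" for every
# process whose command name is a hidden ".java..." name (the post's .javaxxx).
# A legitimate JVM shows up as plain "java", so it is not matched.
find_rakos_procs() {
    awk '$1 ~ /^[0-9]+$/ && $2 ~ /^\.java/ { print $1, $2 }'
}

# Prints the TCP connections held by one PID so the operator can verify the
# "unwanted connection" before killing the process. Silent if ss is absent.
show_connections() {
    command -v ss >/dev/null 2>&1 || return 0
    ss -tnp 2>/dev/null | grep "pid=$1," || true
}

# Runs the check against the live host; the kill is left to the operator.
scan_live_host() {
    ps -eo pid,comm,args | find_rakos_procs | while read -r pid comm; do
        printf 'suspect process: pid=%s comm=%s\n' "$pid" "$comm"
        show_connections "$pid"
        printf 'after verifying, remove with: kill %s\n' "$pid"
    done
}

# Constructed ps output used for an offline demonstration.
SAMPLE_PS='  PID COMMAND         COMMAND
    1 systemd         /sbin/init
  842 sshd            /usr/sbin/sshd -D
 1337 .javaxxx        /tmp/.javaxxx
 2001 java            /usr/bin/java -jar app.jar'

if [ "${1:-}" = "--scan" ]; then
    scan_live_host
else
    printf '%s\n' "$SAMPLE_PS" | find_rakos_procs   # prints "1337 .javaxxx"
fi
```

Run with `--scan` on a host reached over SSH to check live processes; without arguments it runs against the constructed sample.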

