New Kaiji malware targets IoT devices via SSH brute-force attacks

Researchers say the malware was coded by a Chinese developer for the sole purpose of launching DDoS attacks.
Written by Catalin Cimpanu, Contributor

Security researchers say they've discovered yet another strain of malware that was specifically built to infect Linux-based servers and smart Internet of Things (IoT) devices, and then abuse these systems to launch DDoS attacks.

Named Kaiji, this new malware was spotted last week by a security researcher named MalwareMustDie and the team at Intezer Labs.

The malware is very different from other IoT malware strains, primarily because it's written in the Go programming language, rather than C or C++, the two languages in which most IoT malware is coded these days.

Go malware is rare, not because it's not efficient, but because there are already so many C or C++ projects freely available on GitHub and hacking forums that make creating an IoT botnet a simple operation.

Very few IoT malware authors spend their time coding a botnet from scratch these days. In fact, the vast majority of IoT botnets are just a mix of different parts and modules taken from multiple strains, combined into new variations of the same old botnet codebases.

"The Internet of things (IoT) botnet ecosystem is relatively well-documented by security specialists," said Paul Litvak, a malware analyst at Intezer, who analyzed the code in a report published yesterday.

"It is not often that you see a botnet's tooling written from scratch."

Kaiji spreads via SSH brute-force attacks

According to both Litvak and MalwareMustDie, Kaiji has already been spotted in the wild, slowly spreading across the world and claiming new victims.

The Intezer researcher says that for the moment, the botnet is not capable of using exploits to infect unpatched devices. Instead, the Kaiji botnet executes brute-force attacks against IoT devices and Linux servers that have left their SSH port exposed on the internet.

Only the "root" account is targeted, Litvak says. The reason is that the botnet needs root access on infected devices in order to manipulate raw network packets for the DDoS attacks it wants to carry out, as well as for its other operations.

Once it gains access to a device's root account, Kaiji uses the device in three ways. First, for DDoS attacks. Second, to carry out further SSH brute-force attacks against other devices. Third, it steals any SSH keys stored locally and uses them to spread to other devices that the root account has managed in the past.
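Two checks a defender would want against the behaviour described above, written here as an added example for this page rather than code from Intezer, MalwareMustDie or the Kaiji authors: detection of a root password-guessing burst in sshd authentication logs, and an audit of an sshd_config for the two settings that make such guessing possible in the first place. The log lines and both configurations are constructed samples, the five-failure threshold is an arbitrary choice, and the function names are this example's own. Match blocks in sshd_config are not handled.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not real telemetry): a password-guessing
# burst against "root" from one address that eventually succeeds, one normal
# key-based login, and one guess against a non-existent user.
SAMPLE_AUTH_LOG = """\
May  1 10:00:01 iot-gw sshd[1201]: Failed password for root from 198.51.100.23 port 50122 ssh2
May  1 10:00:02 iot-gw sshd[1203]: Failed password for root from 198.51.100.23 port 50124 ssh2
May  1 10:00:03 iot-gw sshd[1205]: Failed password for root from 198.51.100.23 port 50126 ssh2
May  1 10:00:04 iot-gw sshd[1207]: Failed password for root from 198.51.100.23 port 50128 ssh2
May  1 10:00:05 iot-gw sshd[1209]: Failed password for root from 198.51.100.23 port 50130 ssh2
May  1 10:00:06 iot-gw sshd[1211]: Accepted password for root from 198.51.100.23 port 50132 ssh2
May  1 10:00:30 iot-gw sshd[1250]: Accepted publickey for ops from 203.0.113.9 port 41000 ssh2: ED25519 SHA256:abc
May  1 10:01:00 iot-gw sshd[1260]: Failed password for invalid user admin from 192.0.2.77 port 33000 ssh2
"""

# Matches the standard OpenSSH "Accepted/Failed <method> for <user> from <ip>" line.
LOGIN_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd_log(text):
    """Return one dict per authentication event found in the log text."""
    return [m.groupdict() for line in text.splitlines() if (m := LOGIN_RE.search(line))]


def find_root_bruteforce(events, threshold=5):
    """Report source addresses with at least `threshold` failed password
    attempts against root, and whether a password login for root from that
    address later succeeded (the compromise signal Kaiji's spread relies on)."""
    stats = defaultdict(lambda: {"failures": 0, "succeeded": False})
    for e in events:
        if e["user"] != "root" or e["method"] != "password":
            continue
        if e["result"] == "Failed":
            stats[e["ip"]]["failures"] += 1
        else:
            stats[e["ip"]]["succeeded"] = True
    return {ip: s for ip, s in stats.items() if s["failures"] >= threshold}


# Constructed configurations: the exposed setup the article describes, and the
# hardened one (key-only access, no direct root login).
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""


def audit_sshd_config(text):
    """Return findings for settings that allow root password guessing.
    OpenSSH uses the first value given for a directive, and defaults to
    PermitRootLogin prohibit-password and PasswordAuthentication yes when a
    directive is absent; both rules are applied here. Match blocks are ignored."""
    parsed = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            parsed.setdefault(parts[0].lower(), parts[1].strip().lower())
    permit_root = parsed.get("permitrootlogin", "prohibit-password")
    password_auth = parsed.get("passwordauthentication", "yes")
    findings = []
    if permit_root == "yes":
        findings.append("PermitRootLogin yes: root may log in with a password")
    if password_auth == "yes":
        findings.append("PasswordAuthentication yes: password guessing is possible")
    return findings


if __name__ == "__main__":
    for ip, s in find_root_bruteforce(parse_sshd_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {s['failures']} root password failures, succeeded={s['succeeded']}")
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or ["no findings"])
```

Note that an empty or default sshd_config still produces the PasswordAuthentication finding, because OpenSSH enables password authentication unless it is explicitly turned off; the root login default of prohibit-password is what keeps a stock server out of Kaiji's reach even before hardening.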

Kaiji appears to be still under development

Litvak says that the botnet, despite having the capability to launch six different types of DDoS attacks, was clearly a work-in-progress.

The code lacked features when compared to other, more established botnets, contained the "demo" string in some places, and the rootkit module would often call itself too many times and exhaust the device's memory, leading to a crash.

Furthermore, the Kaiji command and control servers also went offline frequently, leaving infected devices without any master server and exposed to being hijacked by other botnets.

But while this botnet isn't a major threat now, that doesn't mean it won't be in the future. Both MalwareMustDie and Litvak are now tracking its evolution.

The two researchers also agree that the botnet appears to be the work of a Chinese developer, since many function names in the code, while written in Latin characters, are transliterations of Chinese terms rather than English words.

Botnet fragmentation

Kaiji is now the latest IoT botnet to surface on the IoT malware scene, which in recent months has seen some interesting developments.

Gone are the days of botnets that infect more than 100,000 or 500,000 devices. Today, most IoT botnets rarely go over 15,000 - 20,000 infected devices, and those are only the successful ones.

Because of the prevalence of open-source botnet kits, there are now hundreds of botnets active on a daily basis, all fighting to infect and control the same number of IoT devices. As a result, the entire IoT botnet market is now fragmented and divided among a large number of smaller players.

Currently, one of the biggest botnets around is the Mozi botnet, which, according to a report from CenturyLink's Black Lotus Labs, had managed to infect more than 16,000 devices over the previous four months.

Other notable recent botnets include the new Hoaxcalls IoT malware strain, Mukashi, and dark_nexus.
