Remaiten is a New DDoS Bot Targeting Routers based on Linux
Sophisticated exploits are not required for making botnets with modems, wireless access points, routers, as well as with other devices of networking. Remaiten, a new worm infecting embedded systems, increases due to weak passwords of Telnet.
Remaiten is the latest personification of distributed denial-of-service Linux bots, which are intended for embedded architectures. It was in fact called KTN-Remastered by its authors, where KTN in all probability referred to a well-known Linux bot known as Kaiten.
Informationsecuritybuzz.com posted on April 1st, 2016, stating that KTN-RM based mainly on telnet scanning of Linux/Gafgyt, and improves on that spreading system by carrying downloader executable binaries for embedded platforms, like routers as well as various connected devices, targeting primarily those having weak login credentials.
Whenever there is an open port, their system will experiment with various combinations of admin username and password. If the device has not been protected with a strong and difficult (not easy to guess) credentials, and only depends on the default factory settings, it is accessed and then infected by a simple malware.
The bot executes many commands to determine the architecture of the system, whenever the verification succeeds. It then transfers a small downloader program compiled for that architecture, which proceeds to download the full bot from a command-and-control server. This method of operation is imitated from Gafgyt DDoS bot, which too works in the same manner. The dissimilarity from the Gafgyt is this 1st-stage malware when installed on device, will scan to spot the architecture of the router and download the suitable Remaiten bot.
Moreover, Remaiten also have functionality such as removing every other bots belonging to same router and hence, it won't need to compete with the limited resources of the device. As per the research team of ESET, Remaiten bot could target routers that are running on ARM, MIPS, Power PC and Super H architectures. At this point, it is advisable to disable access of Telnet to the device, along with usage of strong passwords for avoiding infection to your device with Remaiten.
It is surprising that several networking devices still use Telnet for remote management, instead of more secure SSH protocol. It is also unfortunate that several devices ship with Telnet service open by default. Sadly, lot of gateway devices provided by ISPs to their customers does not allow users full access to the management features.
» SPAMfighter News - 4/7/2016