Aidra Botnet

In January 2012, security researchers at ATMA.ES reported witnessing a large number of Telnet attacks originating from home internet routers, internet-connected televisions, cable set-top boxes, DVRs, VoIP devices, IP cameras, and media centers. They determined that these attacks stemmed from a botnet. Dubbed “Lightaidra” by its author and “Aidra” by researchers, this botnet targets ARM-based devices running Linux. It can also be compiled for MIPS, MIPSel, PPC, x86/x86-64, and SuperH architectures. Further investigation revealed that the author of this botnet, Federico Fazzi – a self-described security analyst from Italy – posted a link via his Twitter account advertising what he called the “Lightaidra 0x2012 IRC-based mass router scanner exploit.” (His original Twitter post can still be viewed here, but his link to the botnet code is no longer active.)

Aidra requires two servers to operate – one to host the binaries used to infect vulnerable devices and an IRC server to issue commands to the botnet. Once Aidra locates a vulnerable Linux-based device, it downloads and runs every binary in its library until the one built for that device's architecture executes. Once this step is complete, Aidra establishes a connection to the IRC C2 server and awaits further instructions from the attacker. Aidra’s primary functions are scanning for additional vulnerable devices to infect and performing DDoS attacks; it can also execute various commands on infected devices. In January 2014, ATMA.ES researchers discovered a modified version of Aidra that used the processing power of infected devices to mine Bitcoin.

Since Aidra does not maintain persistence, rebooting the infected device should clean the infection. After rebooting, either disable Telnet on the device or set a strong password for it. Additional information about Aidra can be found on the ProtectYourNet blog, and at ATMA.ES.
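The infection sequence described above (an inbound Telnet login to an embedded device, followed by that device connecting out to an IRC command-and-control server) is a pattern a network defender can look for in flow logs. The following detection is an added example, not code from the page, from ATMA.ES or from the NJCCIC; the flow records are constructed, and the choice of IRC ports (6667 and 6697) is an assumption, since the page names no port.

```python
"""Flag devices showing the Aidra-style infection pattern in flow records:
an inbound Telnet connection followed shortly by an outbound IRC connection.
Added example with constructed data; not from the original page."""
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records: "<ISO timestamp> <src> <dst> <dst port>".
# 192.168.1.20 is hit over Telnet, fetches a payload over HTTP, then joins IRC.
# 192.168.1.21 is hit over Telnet but never talks to IRC.
# 192.168.1.30 uses IRC with no preceding Telnet login (benign on its own).
SAMPLE_FLOWS = """\
2024-01-10T03:00:01 203.0.113.7 192.168.1.20 23
2024-01-10T03:00:05 203.0.113.7 192.168.1.21 23
2024-01-10T03:00:09 192.168.1.20 198.51.100.5 80
2024-01-10T03:00:12 192.168.1.20 198.51.100.9 6667
2024-01-10T03:01:00 192.168.1.30 198.51.100.9 6667
2024-01-10T03:02:00 192.168.1.21 198.51.100.5 443
"""

TELNET_PORT = 23
IRC_PORTS = {6667, 6697}  # assumption: standard IRC ports; the page names none


def parse_flows(text):
    """Parse whitespace-separated flow lines into (timestamp, src, dst, dport)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows


def find_suspected_infections(flows, window_seconds=600):
    """Return sorted (host, telnet_source, irc_server) triples where an inbound
    Telnet connection to host was followed, within window_seconds, by an
    outbound IRC connection from that same host."""
    telnet_in = defaultdict(list)  # host -> [(timestamp, telnet source)]
    for ts, src, dst, dport in flows:
        if dport == TELNET_PORT:
            telnet_in[dst].append((ts, src))

    hits = set()
    for ts, src, dst, dport in flows:
        if dport not in IRC_PORTS:
            continue
        for t_ts, telnet_src in telnet_in.get(src, []):
            delta = (ts - t_ts).total_seconds()
            if 0 <= delta <= window_seconds:
                hits.add((src, telnet_src, dst))
                break
    return sorted(hits)


def telnet_exposed_hosts(flows):
    """Hosts that accepted any inbound Telnet connection; candidates for the
    'disable Telnet or set a strong password' step above."""
    return sorted({dst for _, _, dst, dport in flows if dport == TELNET_PORT})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, attacker, c2 in find_suspected_infections(flows):
        print(f"suspected Aidra-style infection: {host} "
              f"(Telnet from {attacker}, IRC C2 {c2})")
    print("hosts accepting Telnet:", ", ".join(telnet_exposed_hosts(flows)))
```

Requiring both halves of the sequence keeps ordinary IRC clients and one-off Telnet scans from being flagged on their own; in practice the Telnet-exposed list is the more useful output, since the page's remediation is to reboot those devices and then disable Telnet or set a strong password.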
