Discovered in October 2016 by MalwareMustDie!, a white-hat security research group, Linux/IRCTelnet is an Internet Relay Chat (IRC) botnet whose malware is delivered as ELF (Executable and Linkable Format) binaries, the common executable format for Linux and UNIX-based systems. This format is used in the firmware of many IoT devices, including routers, DVRs, and IP cameras. In the samples they studied, the research group noted that Linux/IRCTelnet targets IoT devices and compromises them via the telnet protocol. Much like Mirai, this botnet exploits default and hardcoded credentials or uses brute-force techniques to compromise Linux-based devices. They also determined that Linux/IRCTelnet is actively using the Mirai botnet's leaked IoT credentials list, and that it emulates the Bashlight botnet in its telnet-scanning capabilities. Despite the similarities to these botnets, the research group determined that Linux/IRCTelnet was built from the source code of the Aidra botnet.
Linux/IRCTelnet is capable of conducting UDP and TCP flood DDoS attacks against both IPv4 and IPv6 addresses, and it has already infected nearly 3,500 devices in just five days. Fortunately, the malware powering this botnet does not persist on infected devices, so a reboot removes it. However, if these vulnerable devices are not secured immediately after the reboot, they remain at high risk of reinfection. A detailed analysis of the Linux/IRCTelnet botnet can be found on the MalwareMustDie! blog.
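Because the infection path described above is credential guessing over telnet, the most useful defensive signal is the login log of the device or of a telnet honeypot in front of it. The following is an added example, not code from MalwareMustDie's analysis: it runs two checks over constructed syslog-style telnet login lines, flagging sources that exceed a failure threshold inside a time window (brute forcing) and any successful login that immediately follows such a burst (a likely credential-list hit). The log format, field names, thresholds and sample IP addresses are assumptions made for the example.

```python
"""Added illustrative detector (not from MalwareMustDie's analysis): flags
telnet brute-force bursts and a successful login that follows one, over
constructed syslog-style lines.  Log format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in an assumed format; the timestamp, result, source
# IP and user name are the fields a telnet/login daemon typically records.
SAMPLE_LOG = """\
2016-10-28T10:00:01 telnetd: login FAILED from 198.51.100.7 user=root
2016-10-28T10:00:02 telnetd: login FAILED from 198.51.100.7 user=root
2016-10-28T10:00:02 telnetd: login FAILED from 198.51.100.7 user=admin
2016-10-28T10:00:03 telnetd: login FAILED from 198.51.100.7 user=admin
2016-10-28T10:00:03 telnetd: login FAILED from 198.51.100.7 user=support
2016-10-28T10:00:04 telnetd: login OK from 198.51.100.7 user=root
2016-10-28T10:05:00 telnetd: login OK from 192.0.2.10 user=admin
2016-10-28T10:06:00 telnetd: login FAILED from 203.0.113.5 user=root
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: login (?P<result>OK|FAILED) "
    r"from (?P<ip>[\d.]+) user=(?P<user>\S+)$"
)


def parse(lines):
    """Yield (timestamp, result, ip, user) for each line matching the assumed format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["result"], m["ip"], m["user"])


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_failures} for every source that produced at least
    `threshold` failed logins inside some `window_seconds`-long window."""
    failures = defaultdict(list)
    for ts, result, ip, _ in parse(log_text.splitlines()):
        if result == "FAILED":
            failures[ip].append(ts)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over the sorted failure timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def success_after_burst(log_text, min_failures=3, window_seconds=60):
    """Return [(ip, user)] for successful logins preceded, within the window,
    by at least `min_failures` failures from the same source."""
    recent = defaultdict(list)
    hits = []
    for ts, result, ip, user in parse(log_text.splitlines()):
        # drop failures that have aged out of the window for this source
        recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
        if result == "FAILED":
            recent[ip].append(ts)
        elif len(recent[ip]) >= min_failures:
            hits.append((ip, user))
    return hits


if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("success after burst:", success_after_burst(SAMPLE_LOG))
```

On a device that has been rebooted but not yet hardened, the second check is the one that matters: a successful login right after a burst of failures is the reinfection the text warns about, and it should trigger credential rotation and disabling of the telnet service rather than just an alert.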