Security Architecture, Endpoint/Device Security, IoT, Network Security, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Remaiten Linux bot combines malware features to target weak credentials

ESET researchers have spotted a new variant of malware, dubbed Remaiten, which combines different features from other families of malware and uses a unique method of distribution.

The Linux bot performs telnet scans, which are user command and an underlying TCP/IP protocol for accessing remote computers, to search for embedded systems including routers, gateways, wireless access points, and potentially internet of thing devices (IoT) that use default or weak credentials, ESET Malware Researcher Marc-Étienne Léveillé told

Once a vulnerable device is found, Remaiten will send a small executable file, dubbed the Remaiten downloader, to the remote device via telnet to fetch the full Remaiten IRC bot malware from the remote command and control server, Léveillé said.

He said there are multiple downloaders inside the bot to accommodate the different architectures of embedded devices and the correct bot will push automatically.  

Léveillé said it is unclear why the malware uses this method, but said it is likely to maximize infection success.

The Remaiten is a variant of the Kaiten bot, also known as Tsunami, and combines features of the Gafgyt bot, according to a March 30 ESET blog post.

Once a user's device is infected the bot can be used to launch denial-of-service denial of service attacks or  download other variants of malware.  

Léveillé said users can protect themselves from the these kind of attacks by using strong credentials and vendors can help prevent these type of infections by not using default credentials in their products and requiring users to have strong credentials.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.