After the recent major DDoS attacks on large entities such as KrebsOnSecurity and DYN by the Mirai botnet, a known threat on IoT devices, IRCTelnet, has returned and is a big concern for both users and researchers alike as it could prove to be just as far-reaching as the recent DDoS attacks.
IRCTelnet, also known as New Aidra, was discovered by security researcher unixfreaxjp. It was found to contain functions taken from the code of other known malware such as Kaiten, Bashlite, and Mirai, with the majority coming from Aidra, hence the alias "New Aidra". A curious point about this malware is that it is completely IPv6 ready, unlike most of the security products out there.
Aidra malware was first discovered in 2013 and, to date, has not been reported in relation to any large-scale DDoS attacks.
IRCTelnet is distributed by scanning for open Telnet ports and brute-forcing the detected IoT devices with a table of common factory-default usernames and passwords. Throughout the infection process and after it, command and control communication goes to an IRC server.
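The two behaviours described above (Telnet default-credential brute-forcing, then IRC command and control) each leave a footprint a defender can look for. The following is an added example, not code from the original post or from ThreatSTOP; it runs simple detection logic over constructed sample log lines, and the log format, device names, addresses and the IRC port list are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real data): Telnet login attempts seen on
# an IoT device, plus outbound connections recorded by a perimeter firewall.
SAMPLE_LOGS = [
    "2016-10-31T10:00:01 cam-01 telnetd: login failed user=root from=198.51.100.7",
    "2016-10-31T10:00:02 cam-01 telnetd: login failed user=admin from=198.51.100.7",
    "2016-10-31T10:00:03 cam-01 telnetd: login failed user=support from=198.51.100.7",
    "2016-10-31T10:00:04 cam-01 telnetd: login failed user=root from=198.51.100.7",
    "2016-10-31T10:00:05 cam-01 telnetd: login failed user=user from=198.51.100.7",
    "2016-10-31T10:00:06 cam-01 telnetd: login ok user=root from=198.51.100.7",
    "2016-10-31T10:00:09 fw: conn src=192.0.2.10 dst=203.0.113.5 dport=6667 proto=tcp",
    "2016-10-31T10:00:10 fw: conn src=192.0.2.11 dst=203.0.113.9 dport=443 proto=tcp",
    "2016-10-31T10:01:00 cam-02 telnetd: login failed user=root from=192.0.2.50",
]

TELNET_FAIL = re.compile(r"(?P<dev>\S+) telnetd: login failed user=(?P<user>\S+) from=(?P<src>\S+)")
TELNET_OK = re.compile(r"(?P<dev>\S+) telnetd: login ok user=(?P<user>\S+) from=(?P<src>\S+)")
FW_CONN = re.compile(r"conn src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

# Assumption: standard IRC ports; a real C2 server may listen elsewhere.
IRC_PORTS = {6667, 6697}

def detect_telnet_bruteforce(lines, threshold=4):
    """Map (source, device) -> (failure count, success seen after failures)
    for every source that exceeded the failure threshold on a device."""
    fails = defaultdict(int)
    success = set()
    for line in lines:
        m = TELNET_FAIL.search(line)
        if m:
            fails[(m["src"], m["dev"])] += 1
            continue
        m = TELNET_OK.search(line)
        # A successful login after repeated failures is the high-value signal.
        if m and fails.get((m["src"], m["dev"]), 0) > 0:
            success.add((m["src"], m["dev"]))
    return {k: (n, k in success) for k, n in fails.items() if n >= threshold}

def detect_irc_c2(lines, watched_prefix="192.0.2."):
    """List (src, dst, port) for watched IoT addresses connecting to IRC ports."""
    hits = []
    for line in lines:
        m = FW_CONN.search(line)
        if m and m["src"].startswith(watched_prefix) and int(m["dport"]) in IRC_PORTS:
            hits.append((m["src"], m["dst"], int(m["dport"])))
    return hits
```

A device that shows up in both results (brute-forced, then talking to IRC) is the one to isolate and re-image first.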
IRCTelnet has infected close to 3500 devices to date, but has yet to be reported in a DDoS attack.
ThreatSTOP customers are protected from having their devices participate in DDoS attacks that are carried out by Mirai if they have TS Critical and TS Critical Domains targets configured in their policies.
If you’re not a ThreatSTOP customer, it’s probably time to give us a call 1-855-958-7867, www.threatstop.com.