Problems Reappear for IoT Devices Owners with Discovery of New DDoS Trojan

Share this…

Security researchers discovers IRCTelnet malware. A new malware family written by what appears to be an experienced coder is aiming for Linux-based IoT devices, with the main purpose of adding those devices to a botnet and carrying out DDoS attacks.

Discovered by security researcher MalwareMustDie, this new malware family is named Linux/IRCTelnet and is written in C++.

The researcher says the malware works by infecting Linux-based devices that expose Telnet ports to the Internet and use weak passwords.

IRCTelnet borrows from other IoT malware

IRCTelnet brute-forces a device’s Telnet ports, infects the equipment’s OS, and adds it to a botnet that’s controlled through IRC. This means that every infected bot connects to an IRC channel, and reads commands posted in the main chatroom.

The concept is not new by any stretch of the imagination, with many IoT, Linux, and Windows malware operating in the same way.

MalwareMustDie says IRCTelnet takes a lot of inspiration from other IoT malware. The concept of using IRC for managing the bots is obviously borrowed from Kaiten, the malware that had the most success with it.


Similarly, the Telnet scanner and brute-forcing system is borrowed from GafGyt (also known as Torlus, Lizkebab, Bashlite, or Bashdoor), while the list of default Telnet credentials is taken from the more recent Mirai malware.

IRCTelnet has support for IPv6 floods

MalwareMustDie says this malware is capable of infecting any device running a Linux Kernel version 2.6.32 or above.

Support is included for launching DDoS attacks with spoofed IPv4 and IPv6 addresses, but the Telnet scanner can only find and brute-force IPs via IPv4.

MalwareMustDie says that there are multiple places in the malware’s source code where its author had used the Italian language, more to be than just a random copy-paste.

Botnet currently has only 3,400 bots

Detection rate on VirusTotal is currently low, with very few vendors identifying it as a standalone malware, and not some sort of GafGyt clone.

MalwareMustDie reports that initial scans that spread this malware came from IPs located in Turkey, Moldova, and the Philippines.

When he connected to the botnet’s IRC channel, he says he found around 3,400 bots.