Infections occur on devices that have their Telnet port open

Mar 31, 2016 21:05 GMT

Malware coders have created a new DDoS bot called Remaiten that targets home routers running Linux on common embedded architectures and that shares many similarities with other DDoS bots such as Tsunami and Gafgyt.

Remaiten's mode of operation is a simple one. The authors of this bot use an automated system that scans for Internet-accessible routers and tries to access them via the Telnet port (23).

Remaiten looks like the brainchild of Tsunami and Gafgyt

If the port is open, their system tries a series of basic admin username and password combinations. If the device has not been secured with strong, hard-to-guess credentials and was left with its default factory settings, the device is accessed and infected with a small first-stage malware.

This mode of operation is copied from the Gafgyt DDoS bot, which works the same way. The difference from Gafgyt is that this first-stage malware, once on the device, checks the router's CPU architecture and downloads only the matching Remaiten bot binary.

At this stage, Gafgyt would instead download every binary it has and try to run each one until a compatible one infects the device. By detecting the platform and downloading just one binary, Remaiten leaves fewer clues behind.

Attackers control Remaiten via the IRC protocol

Once the router is infected with Remaiten, the bot immediately registers with its C&C server. All communications are handled via the IRC (Internet Relay Chat) protocol, and the C&C server is an actual IRC channel.

The botnet's operator borrowed techniques from the Tsunami DDoS botnet, the same one used in the well-known Linux Mint hack, which also operates via IRC. The crooks can send commands to all bots via IRC private messages, instructing them to launch DDoS attacks on chosen targets and ports.
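Because the command channel is plain IRC, the protocol itself is the detection opportunity: a home router has no business registering with an IRC server, on port 6667 or on any other port. The following is an added example, not code from the article or from ESET, that runs a protocol-level check over constructed connection records: it identifies IRC client commands by their payload rather than by port, records which hosts completed IRC registration (NICK plus USER), and flags those that are embedded devices or that are not on an allow-list of hosts expected to speak IRC. The record layout, the IP addresses, the channel name and the allow-list are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed connection records in the shape (src_ip, dst_ip, dst_port, payload),
# as a sensor on the LAN might log the first bytes of each segment. The values
# are made up for the example and do not come from the article.
SAMPLE_FLOWS = [
    ("192.168.1.1", "198.51.100.9", 6667, "NICK x12ab\r\n"),
    ("192.168.1.1", "198.51.100.9", 6667, "USER x12ab 8 * :x12ab\r\n"),
    ("192.168.1.1", "198.51.100.9", 6667, "JOIN #control\r\n"),
    ("198.51.100.9", "192.168.1.1", 6667, ":op!op@host PRIVMSG x12ab :status\r\n"),
    ("192.168.1.1", "198.51.100.9", 6667, "PONG :server\r\n"),
    # Ordinary HTTP from a laptop must not be flagged.
    ("192.168.1.20", "93.184.216.34", 80, "GET / HTTP/1.1\r\nHost: example.com\r\n"),
    # A real IRC client on a workstation: IRC is expected there, not on the router.
    ("192.168.1.30", "198.51.100.9", 6697, "NICK alice\r\n"),
    ("192.168.1.30", "198.51.100.9", 6697, "USER alice 0 * :alice\r\n"),
]

# Hosts with a legitimate reason to speak IRC (assumption for the example).
IRC_ALLOWED = {"192.168.1.30"}

# Devices that should never originate IRC traffic: here, the home router itself.
EMBEDDED_DEVICES = {"192.168.1.1"}

# IRC commands at the start of a line, with an optional ":prefix " as sent by
# servers. Matched on payload, not on TCP port, because a bot can use any port.
IRC_CMD_RE = re.compile(r"^(?::\S+ )?(NICK|USER|JOIN|PRIVMSG|PONG|PING)\b", re.I)


def irc_command(payload):
    """Return the upper-cased IRC command that opens `payload`, or None."""
    m = IRC_CMD_RE.match(payload)
    return m.group(1).upper() if m else None


def find_irc_speakers(flows):
    """Map each source IP to the set of IRC commands seen in payloads it sent."""
    seen = defaultdict(set)
    for src, _dst, _port, payload in flows:
        cmd = irc_command(payload)
        if cmd:
            seen[src].add(cmd)
    return dict(seen)


def detect_irc_cnc(flows, allowed=IRC_ALLOWED, embedded=EMBEDDED_DEVICES):
    """Return {ip: evidence} for hosts that completed IRC registration
    (both NICK and USER sent) and are either embedded devices or not on
    the allow-list. The server's own PRIVMSG traffic is recorded but a
    server never registers, so it is not reported."""
    alerts = {}
    for src, cmds in find_irc_speakers(flows).items():
        registered = {"NICK", "USER"} <= cmds
        if registered and (src in embedded or src not in allowed):
            alerts[src] = {"commands": sorted(cmds),
                           "embedded_device": src in embedded}
    return alerts


if __name__ == "__main__":
    for ip, evidence in detect_irc_cnc(SAMPLE_FLOWS).items():
        print(ip, evidence)
```

On the constructed records only the router is reported: it registered, joined a channel and answered the server's PING, which is exactly the behaviour of an IRC bot rather than a network appliance. The workstation also registered but is on the allow-list, and the HTTP request never matches an IRC command. Requiring both NICK and USER, rather than any single keyword, keeps a stray line that happens to begin with "JOIN" or "PING" in some other protocol from raising an alert on its own.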

Additionally, Remaiten also comes with functionality that removes any other bots from the same router, so it won't have to compete for the device's limited resources.

The ESET research team says that the Remaiten bot can target routers running on the MIPS, ARM, PowerPC, and SuperH architectures. At this point, the best advice to avoid getting infected with Remaiten is to disable Telnet access to the device and use strong passwords.