Building botnets made up of routers, modems, wireless access points and other networking devices doesn’t require sophisticated exploits. Remaiten, a new worm that infects embedded systems, spreads by taking advantage of weak Telnet passwords.
Remaiten is the latest incarnation of distributed denial-of-service Linux bots designed for embedded architectures. Its authors actually call it KTN-Remastered, where KTN most likely stands for a known Linux bot called Kaiten.
When scanning for new victims, Remaiten tries to connect to random IP addresses on port 23 (Telnet) and if the connection is successful, it attempts to authenticate using username and password combinations from a list of commonly used credentials, researchers from ESET said in a blog post.
If the authentication succeeds, the bot executes several commands to determine the system’s architecture. It then transfers a small downloader program compiled for that architecture that proceeds to download the full bot from a command-and-control server.
The malware has versions for mips, mipsel, armeabi and armebeabi. Once installed it connects to an IRC (Internet Relay Chat) channel and waits for commands from attackers.
The bot supports a variety of commands for launching different types of denial-of-service attacks. It can also scan for competing DDoS bots on the same system and uninstall them.
It’s surprising that many networking devices still use Telnet for remote management, instead of the more secure SSH protocol. It’s also unfortunate that many devices ship with Telnet service open by default.
Device owners should use one of the many free online port scanning tools to check if their router has port 23 open and should try to shut down the Telnet service from the device’s Web-based administration interface. Unfortunately many gateway devices provided by ISPs to their customers don’t give users full access to the management features.