Kaiji is a new IoT malware botnet written in Golang from scratch that searches for poorly configured SSH services and brute-forces its way in. But even if it’s a new strand of malware, a powerful security solution can still pick up its nefarious behavior and intercept it on the way.
Despite all the colorful names used to identify new IoT bots, many are based on existing variants. The infamous Mirai malware was extremely active back in 2016, and bad actors used it to deploy massive attacks.Eventually, its source code was made public, which led to the development of numerous variants. But here comes Kaiji, written from scratch, and in Golang no less. It’s not typical malware, as it takes advantage of Go’s minimalistic and straightforward structure.
The reason why Kaiji is interesting is that writing something like this takes time and resources, investments that usually don’t interest criminals. Why bother writing a new piece of malware when source code is already available? Mirai’s source code was used in Miori, Wicked, Okiru, and many others, proof that the initial build could be expanded in novel ways, without having to develop something from scratch.
SSH brute forcing used again and again
Researchers from MalwareMustDie, who found the malware, say it’s Chinese in origin, and it’s targeting IoT devices with opened SSH ports.
SSH is a very handy and secure protocol used to connect to any device connected to a network remotely. It’s safer than Telnet, but it’s also a lot more powerful, especially for root users. The simple fact that criminals are using it in brute force attacks is not that surprising.
Unfortunately, such attacks are possible either because the makers of IoT devices were careless or because of a user’s misconfiguration. Typically, the SSH service should be disabled by default, and users need to open it for incoming connections manually. Some device manufacturers choose, for one reason or another, to leave it On by default, with the 22 port open.
Worse still, all SSH connections are secured with user names and passwords, but not everyone bothers to change the default settings. The result is tragic, as there are countless online-connected devices, with open ports, just waiting to be found and compromised by malware such as Kaiji.
The malware tries to brute force the root user, which is usually done using common combinations of user names and passwords. For example, if the user has a device running OpenElec (a Linux distribution), the default root credentials are “root/openelec”. The root user has complete control over the machine, with full rights.
As the Intezer analysis of the malware revealed, if the attack succeeds with the user name and password combination, it executes a bash script, creates a new directory under /usr/bin/lib directory and the final package is installed under different names, such as netstat, LS, etc.
The malware itself comes with a total of 13 routines that perform various tasks such as contacting the command and control center, DDoS instructions, C2 servers replacement, DDoS rootkit (connect to known hosts through existing SSH RSA keys or IPs), a few persistence tools, and others.
The researchers also note that at least one of the tools is incomplete and causes the malware to invoke itself too many times, occupying too much RAM. Also, the main command and control center was online only for a couple of weeks then went offline, leading the researchers to believe Kaiji is still under development.
‘New’ doesn’t mean undetectable
While new malware is more challenging to detect, modern security solutions can use other methods to detect IoT botnets, especially when looking at their behavior. IoT malware tries various methods to compromise endpoints, and the network noise generated is usually enough to trigger detection, but only when security solutions are present.
That’s the approach we use in our solution for securing connected homes - Bitdefender IoT Security Platform implements multiple technologies designed specifically for this task. First of all, Kaiji uses an SSH brute force attack, and Bitdefender’s Brute Force Protection module stops it.
The problem with some IoT devices is that they still use the default user names and passwords for SSH authentication, so Kaiji might be able to log in on the very first attempt without triggering the brute force protection.
In that case, another module named Anomaly Detection uses machine learning to check against the pattern of usual device behavior. Anything that strays from the routine, such as connecting from a new IP in the case of a botnet, triggers the protection and keeps users safe, even from an unknown assailant.
The best way to protect home networks and devices is now through the ISP itself, because they have the power to protect millions of households all at once. With the help of the Bitdefender IoT Security Platform ISPs can deploy these technologies directly into their existing routers.
Bitdefender IoT Security Platform also protects ISPs by safeguarding their equipment and network, decreasing support costs, and increasing customer retention. Even when new threats like Kaiji comes along, the right security solution makes all the difference.