Linux/IRCTelnet is a new strain of Internet of Things malware that borrows its password-guessing routines from Mirai, the malware that helped take down Paypal, Netflix and Twitter, and adds them to the scanning routines from a newer IoT bot called Bashlight.
The resulting malware can find vulnerable hosts faster, and take them over more frequently, than either of its two parent strains, and that's how it spread to 3,500 hosts in five days (if this seems like a small number, recall that this kind of malware spreads exponentially, taking a long time to ramp up to enough hosts to scan enough of the internet to find more, and then it takes off very quickly).
The only good news is that Linux/IRCTelnet lacks persistence, meaning that once infected devices are rebooted, the infection disappears. The rest of the news -- including the fact that infected devices can go years between reboots and will be quickly reinfected in any event -- is very bad.
Like most IoT bots, Linux/IRCTelnet doesn't have what malware experts refer to as persistence. That means that compromised devices are disinfected as soon as they're restarted. Still, unless the rebooted devices are properly secured—by, for instance changing the default login credentials or disabling telnet connections—they are likely to be infected all over again. Once a device is infected, its IP address is stored so the botnet operator can re-infect it if it suddenly loses contact with the command and control channel.
A recent volley of DDoS attacks launched from infected IoT devices has opened a troubling chapter for the Internet because the assaults are capable of delivering malicious data in volumes that were almost unimaginable just a few years ago. Linux/IRCTelnet is likely only the beginning of what could be a long line of next-generation malware that steadily improves its capabilities. The proliferation of Internet-connected devices that by default are defenseless against these threats is bad news, indeed.
New, more-powerful IoT botnet infects 3,500 devices in 5 days
[Dan Goodin/Ars Technica]