Security company ESET discovered a new form of malware that’s specifically targeting embedded Linux devices with the purpose of infecting them and providing hackers with full control, while also leaving the door open for a series of other dangerous tasks, including launching DDoS attacks.
Called Rakos, the new malware launches attacks at embedded devices and servers with an open SSH port and uses brute force attempts to crack the password.
ESET claims that Rakos creators want to infect as many systems as possible to create a botnet that could be then used for other malicious attacks, such as DDoS attacks and spam spreading. At first, attackers scan for vulnerable systems by analyzing pre-defined IP ranges, but given the fact that brute force attacks are being used to break in, only machines with very weak passwords are compromised.
Once access is obtained and the malware reaches the Linux device, Rakos starts a local HTTP service available at http://127.0.0.1:61314 with two different purposes.
“The first is as a cunning method for the future versions of the bot to kill the running instances regardless of their name by requesting http://127.0.0.1:61314/et; second, it tries to parse a URL query for parameters ‘ip’, ‘u’, ‘p’ by requesting http://127.0.0.1:61314/ex. The purpose of this /ex HTTP resource is still unclear at the time of writing and it seems not to be referenced elsewhere in the code,” ESET says.
The malware automatically scans for and collects information that is then submitted to a C&C server, including here IP address, usernames and passwords. A configuration file that’s stored locally makes it possible for the backdoor to upgrade this file with new tasks, but also to upgrade its own files should the attacker develop a more advanced version in the future.
How to remove a Rakos infection
It’s important to emphasize that complex SSH passwords are nearly impossible to crack by this malware and attackers are mostly looking for Linux devices using weak passwords.
But if for some reason your embedded device got infected, you need to connect to it using SSH/Telnet and look for a process called .javaxxx. Make sure that it’s being used for unwanted connections and then kill the process.
Rebooting the computer also kills the process and the backdoor isn’t yet configured to automatically restart, but in most of the cases, the device will be compromised again after that. Secure SSH credentials are absolutely mandatory to remain protected against Rakos, and ESET says that the number of attacks involving this backdoor is on the rise these days.
