SafeUM

Axarhöfði 14, 110 Reykjavik, Iceland

Iceland - 2015
TOP Security!
4 Jan 2017

Linux backdoor gives hackers full control over vulnerable devices

Security company ESET has discovered a new piece of malware that specifically targets embedded Linux devices, infects them and hands the attackers full control, while also leaving the door open to a series of other dangerous tasks, including launching DDoS attacks.

Called Rakos, the malware goes after embedded devices and servers that expose an SSH port and brute-forces the login password to get in.

ESET says the Rakos authors want to infect as many systems as possible in order to build a botnet that can then be used for further attacks, such as DDoS and spam campaigns. The attackers first scan pre-defined IP ranges for reachable targets; because the break-in relies on brute-force password guessing rather than an exploit, only machines with very weak SSH passwords end up compromised.

Once it has logged in and been copied onto the Linux device, Rakos starts a local HTTP service bound to http://127.0.0.1:61314 that serves two purposes.

“The first is as a cunning method for the future versions of the bot to kill the running instances regardless of their name by requesting http://127.0.0.1:61314/et; second, it tries to parse a URL query for parameters ‘ip’, ‘u’, ‘p’ by requesting http://127.0.0.1:61314/ex. The purpose of this /ex HTTP resource is still unclear at the time of writing and it seems not to be referenced elsewhere in the code,” ESET says.

The malware also collects information about the device, including its IP address and the usernames and passwords involved, and sends it to a command-and-control (C&C) server. A locally stored configuration file allows the backdoor to be updated with new tasks, and also to update its own files should the attackers release a more advanced version in the future.

How to remove a Rakos infection

It is worth emphasizing that Rakos relies purely on password guessing: a strong SSH password is practically impossible for it to crack, and the attackers are mostly after Linux devices that use weak credentials.

But if your embedded device has been infected anyway, connect to it over SSH or Telnet and look for a process named .javaxxx. Confirm that it is the one making the unwanted connections, then kill it.

Rebooting the device also kills the process, and the backdoor does not yet install anything to restart itself automatically; in most cases, however, the device will simply be compromised again afterwards if its credentials stay the same. Strong SSH credentials are therefore mandatory to stay protected against Rakos, and ESET says the number of attacks involving this backdoor is currently on the rise.
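The removal steps above, and the credential check they end with, as an added shell example that is not from the article or from ESET's report: it looks for the .javaxxx process name and the 127.0.0.1:61314 listener in ps and ss output, lists the PIDs to kill, and audits an sshd_config for the password-login settings that let Rakos in. The function names are mine, and the sample ps output, ss output and sshd_config texts are constructed for the demonstration rather than captured from an infected device.

```shell
#!/bin/sh
# Added example: Rakos triage helpers. Indicators (.javaxxx process name,
# listener on 127.0.0.1:61314) are from the article; the sample ps/ss output
# and sshd_config texts below are constructed, not captured from a real device.

# PIDs whose command name is ".javaxxx". Reads `ps -eo pid=,comm=,args=` on stdin.
rakos_pids() {
    awk '$2 == ".javaxxx" { print $1 }'
}

# PIDs owning a listener on 127.0.0.1:61314. Reads `ss -ltnp` output on stdin.
rakos_listener_pids() {
    grep '127\.0\.0\.1:61314' | grep -o 'pid=[0-9]*' | sed 's/pid=//' | sort -u
}

# Union of both checks: $1 = ps output, $2 = ss output.
rakos_suspects() {
    { printf '%s\n' "$1" | rakos_pids; printf '%s\n' "$2" | rakos_listener_pids; } | sort -un
}

# Kill the given PIDs. Only prints what it would do unless $1 is "force".
# Grab a sample first if you want one: cp /proc/$pid/exe /tmp/rakos.bin
rakos_kill() {
    mode=$1; shift
    for pid in "$@"; do
        if [ "$mode" = force ]; then kill -9 "$pid"; else echo "would kill $pid"; fi
    done
}

# "weak" if sshd still accepts password or keyboard-interactive logins, else "ok".
# Reads an sshd_config on stdin. sshd honours the first occurrence of a keyword,
# and both options default to yes when absent. Match blocks are not handled.
sshd_password_auth() {
    sed 's/#.*//' | awk '
        tolower($1) == "passwordauthentication"          && pa == "" { pa = tolower($2) }
        tolower($1) == "challengeresponseauthentication" && cr == "" { cr = tolower($2) }
        tolower($1) == "kbdinteractiveauthentication"    && cr == "" { cr = tolower($2) }
        END {
            if (pa == "") pa = "yes"; if (cr == "") cr = "yes"
            if (pa == "no" && cr == "no") print "ok"; else print "weak"
        }'
}

# ---- constructed sample data (not real captures) ----------------------------
SAMPLE_PS='  412 sshd      /usr/sbin/sshd -D
 1337 .javaxxx  ./.javaxxx
 1402 busybox   /bin/busybox httpd'

SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=412,fd=3))
LISTEN 0      128    127.0.0.1:61314    0.0.0.0:*         users:((".javaxxx",pid=1337,fd=6))'

# Weak: the only PasswordAuthentication line is commented out, so the default (yes) applies.
WEAK_SSHD='Port 22
PermitRootLogin yes
#PasswordAuthentication no'

# Hardened: key-only logins, password and keyboard-interactive paths both closed.
HARDENED_SSHD='Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no'

# Demo run on the constructed data. On a real device feed the live commands instead:
#   ps -eo pid=,comm=,args= | rakos_pids
#   ss -ltnp | rakos_listener_pids
#   sshd_password_auth < /etc/ssh/sshd_config
suspects=$(rakos_suspects "$SAMPLE_PS" "$SAMPLE_SS")
echo "suspect PIDs: $suspects"
rakos_kill dry $suspects
echo "weak config:     $(printf '%s\n' "$WEAK_SSHD" | sshd_password_auth)"
echo "hardened config: $(printf '%s\n' "$HARDENED_SSHD" | sshd_password_auth)"
```

The process-name check alone is easy to evade (the article itself notes that later versions may carry a different name), which is why the listener check on 127.0.0.1:61314 is run alongside it and the two PID lists are merged. Killing the process only buys time; the audit at the end is the check that actually matters, since a box that still accepts password logins will be found and re-infected by the same brute-force scan.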

Tags:
Linux information leaks
Source:
Softpedia
SafeUM © Safe Universal Messenger