The new IoT malware is built to target Linux-based servers and connected devices to launch DDoS attacks, and was coded by Chinese attackers.
Kaiji IoT Malware Quite Different Than Other Strains
According to the researchers, Kaiji has little in common with other IoT malware strains, as it is written in the Golang programming language. The two languages most commonly used to create such malware are C and C++.
Malware based on the Golang language is effective but rare, because there is an abundance of ready-made C and C++ projects available on both GitHub and forums dedicated to hacking. These ease the process of creating IoT botnets, and very few IoT malware writers code from scratch. In truth, most IoT botnets nowadays are assembled from pieces of various existing strains.
Kaiji is already spreading across the Internet
The Kaiji malware has already been seen in the wild, say security researchers. The malware is spreading slowly, affecting new devices and turning them into zombies. In order to spread, Kaiji is using brute-force attack techniques, rather than using exploits to infect vulnerable devices. Linux servers with an exposed SSH port are especially at risk.
It should be noted that the malware specifically targets the root account of the device. This is done so that the malware operators can manipulate raw network packets for DDoS attacks. Once root access is obtained, Kaiji can carry out three malicious scenarios – DDoS attacks, SSH brute-force attacks against other devices, or stealing local SSH keys to spread to more devices the root account has previously managed. More specifically, it appears that the malware can launch six different types of DDoS attacks.
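The spreading behaviour described above (password guessing against the root account over SSH) leaves a recognizable trail in sshd authentication logs. The following detection sketch is an added example, not code from the researchers or from the malware; the log lines are constructed samples in the standard OpenSSH message format, and the threshold of five failures is an assumed value to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
May  5 03:11:01 srv sshd[2101]: Failed password for root from 203.0.113.7 port 40122 ssh2
May  5 03:11:03 srv sshd[2103]: Failed password for root from 203.0.113.7 port 40126 ssh2
May  5 03:11:05 srv sshd[2105]: Failed password for root from 203.0.113.7 port 40130 ssh2
May  5 03:11:06 srv sshd[2106]: Failed password for root from 198.51.100.9 port 51514 ssh2
May  5 03:11:07 srv sshd[2107]: Failed password for root from 203.0.113.7 port 40134 ssh2
May  5 03:11:09 srv sshd[2109]: Failed password for root from 203.0.113.7 port 40138 ssh2
May  5 03:11:12 srv sshd[2112]: Accepted password for root from 203.0.113.7 port 40142 ssh2
May  5 09:30:00 srv sshd[3001]: Accepted publickey for root from 192.0.2.10 port 50022 ssh2
"""

# Only password authentication events are matched; key-based logins are ignored.
EVENT = re.compile(
    r"sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port \d+"
)

def analyze(log_text, threshold=5):
    """Return findings for root password guessing, in log order.

    ("bruteforce", ip): ip reached `threshold` failed root password attempts.
    ("root_login_after_bruteforce", ip): the same ip then logged in as root
    with a password, which should be treated as a likely compromise.
    """
    failures = defaultdict(int)
    findings = []
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m.group(2) != "root":
            continue
        outcome, src = m.group(1), m.group(3)
        if outcome == "Failed":
            failures[src] += 1
            if failures[src] == threshold:  # report each source once
                findings.append(("bruteforce", src))
        elif failures[src] >= threshold:
            findings.append(("root_login_after_bruteforce", src))
    return findings

if __name__ == "__main__":
    for kind, src in analyze(SAMPLE_LOG):
        print(f"{kind}: {src}")
```

A "root_login_after_bruteforce" finding is the one to act on first; disabling password authentication for root in sshd_config (PermitRootLogin prohibit-password or no) removes the path this check watches for.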
Despite these capabilities, Kaiji appears to be still in development, as the code contains the “demo” string, and the rootkit module would call itself too many times, exhausting the device’s memory and causing a crash.
Furthermore, Kaiji’s command and control servers seem unstable, going offline and leaving the infected devices without a master server. These issues will most likely be fixed in the future, and security researchers will continue monitoring the malware’s evolution.