The New Kaiji Malware Targeting IoT And Linux Servers
“Kaiji” is a fairly new malware botnet which has been around since April 2019. It has been infiltrating Linux systems and IoT devices by means of SSH techniques as well as brute force attacks into these system grids.
This malware mainly targets the weakened SSH services with poor configurations and forces its way into the system. It is also known to target and attack the root user by taking over custom network packets available only to the root users using Linux-based servers.
This malware is believed to be of Chinese origin and is written in the native Golang programming language. The custom implant used by this botnet makes it distinctive, as opposed to open source or blackmarket toolsets more commonly used.
The Golang Programming Language
Golang or ‘Go’ is a programming language that is known for its crisp and straightforward structure. It is also identified to be extremely reliable. Numerous distributed systems make use of this language to run interdependent programs. The significant advantage of his language is that it is concise and easy to understand. It is also known to be incredibly adaptive as it provides support for multiple interfaces.
Even though it is not typical for malware to be written in this language, Kaiji was coded in Golang and it seems to be wreaking significant damage. Cybersecurity experts believe that it is a growing trend for online criminals to choose this language over more common choices for IoT attacks such as C and C++.
All About The SSH Protocol
The SSH protocol is used to secure the process of logging in remotely from one system to another. There are various options provided by the SSH protocol for robust authentication and integrity of communications with high-end encryption strategies. This protocol is typically used as a more viable alternative to the conventional login protocols, which offer less protection.
Even though this method provides secure access to the people who use it, most people forget to change the default settings. This is one of the main reasons behind the infiltration of Kaiji. It is indeed a lot safer than an ordinary Telnet, but it fails when the root users are targeted.
The malware mainly focuses on the weak points of SSH - such as poor configuration. It is essential to close these SSH service ports by default, and manual opening must be done by the user when required.
How Kaiji Spreads
As mentioned, this botnet spreads mainly by targeting the SSH ports. As a first step of the infiltration process, the environment for this botnet is facilitated by executing a bash script. This is followed by the creation of a directory in which the malware is installed.
Some of the common names under which Kaiji is installed are ‘ps,’ ‘netstat’ and others. Next comes the bruteforcer module that aids the spread of this malware. It also has the ability to connect back to previously connected or known hosts and continue to spread. There are 13 goroutines which aid the initial implant, many of which are named as English versions of Chinese words. Separate goroutines are used in each and every instance of the operation.
Some attacks that are associated with this malware include IPSpoof, SYNACK, ACK, and SYN. In most cases, the attacks primarily target the root user and then manipulate all the possible network packets. This is followed by a swarm of DDoS attacks on all the connected systems. This spread is carried forward by collecting locally available SSH keys and then connecting back to other devices via the root.
Defence Against This Malware
One of the main actions that can be performed is by securing SSH ports and editing the default settings. All the IoT devices that are connected must be protected with strong passwords, preferably multifactor authentication.
Users can also add an extra layer of security by using top-notch antivirus software like Norton and Kaspersky that offer VPN and advanced firewall features. This will help prevent attacks as all incoming and outgoing data packets will be encrypted at the root level.
There are antivirus systems like Bitdefender IoT Security Platform available in the market that can identify irregular behavior using heuristic monitoring, anomaly detection, and real-time data-packet scanning to mitigate any DDoS and brute force attacks.
Even though this new strain of malware sounds threatening, it is not impossible to take necessary precautions and stay one step ahead of an attack. Deploying multi-layered and cross-platform antivirus software can help in preventing these botnet attacks to a great extent. Additionally, always use complex passwords, firewalls, as well as VPN for an added layer of security.