Security Market Segment LS
Monday, 04 April 2016 10:42

Kaiten targets Linux routers, gateways, access points and now IoT


A new version of Kaiten is targeting Linux based routers, gateways, access points and the Internet of Things to mount DDoS attacks.

ESET says the new Kaiten - is an enhancement of Linux/Remaiten. It combines capabilities of two previous versions of bots and adds a unique spreading mechanism able to infect embedded IoT devices.

Kaiten is Internet Relay Chat (IRC)-controlled malware typically used to carry out distributed denial-of-service (DDoS) attacks. The remastered malware has been dubbed “KTN-Remastered” or “KTN-RM”, with three versions identified by ESET researchers. Based on artefacts in the code, the main feature of the malware is an improved spreading mechanism.

Based primarily on Linux/Gafgyt’s telnet scanning, KTN-RM improves on that spreading mechanism by carrying downloader executable binaries for embedded platforms such as routers and other connected devices. Targeting is mainly aimed that devices with weak login credentials.

Linux/Remaiten improves upon the spreading mechanism by carrying downloader executables for CPU architectures that are commonly used in embedded ARM and MIPS Linux devices – the IoT (Internet of Things).

After logging on via the telnet prompt of the victim’s device, it tries to determine the new device platform and transfer only the appropriate downloader. This downloader’s job is to request the architecture-appropriate Linux/Remaiten bot binary from the bot’s C&C server. This binary is then executed on the new victim’s device, creating another bot for the malicious operators to use.

“The downloader’s job is to request the Linux/Remaiten bot binary from the Command & Control server for its current architecture. When executed, it also creates another bot for the malicious operators to use. We have seen this technique used before by Linux/Moose to spread infections,” says Michal Malík, ESET Malware Researcher.

In a strange twist, this strain of malware also has a message for those who might try to neutralize its threat.

"Within the welcome message, version 2.0 seems to single out which has published extensive details about Gafgyt, Tsunami and other members of this family of Malware," adds Malik. 

How to prevent and protect against this threat

  • Change default passwords on network equipment even if it is not reachable from the Internet.
  • Disable Telnet login and use SSH where possible
  • Run the latest firmware available from your embedded device vendor
  • Have an updated and appropriate anti-malware protection
  • Be aware of the malware threat and what it does to devices
  • If your device is infected, it might be used to infect others
  • If infected, reboot the affected device then change its password as soon as possible. However, the attackers may have had manual access so further infection may have happened. In that case, a factory reset, firmware update or reinstall and password change is probably best

Additional details about the Linux/Remaiten Bot can be found in a technical article by Michal Malik on ESET’s official security blog,


Australia is a cyber espionage hot spot.

As we automate, script and move to the cloud, more and more businesses are reliant on infrastructure that has high potential to be exposed to risk.

It only takes one awry email to expose an accounts payable process, and for cyber attackers to cost a business thousands of dollars.

In the free white paper ‘6 steps to improve your Business Cyber Security’ you will learn some simple steps you should be taking to prevent devastating malicious cyber attacks from destroying your business.

Cyber security can no longer be ignored, in this white paper you will learn:

· How does business security get breached?
· What can it cost to get it wrong?
· 6 actionable tips



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Ray Shaw

joomla stats

Ray Shaw [email protected]  has a passion for IT ever since building his first computer in 1980. He is a qualified journalist, hosted a consumer IT based radio program on ABC radio for 10 years, has developed world leading software for the events industry and is smart enough to no longer own a retail computer store!



Recent Comments