As with the Mirai malware, which was leaked on the Internet recently, Linux/IRCTelnet targets IoT devices whose default usernames and passwords have not been changed, and logs in to such devices using the telnet protocol.
Practically all routers, security cameras and other devices that can be connected to the Internet use Linux because of its design and cost.
Mirai was used in the recent attack on domain name services provider Dynamic Network Services that affected the functioning of a number of big-name websites like Twitter and Netflix.
He found many Italian-language references in hardcoded messages in the botnet, which he said was very fast at scanning for vulnerable devices.
"It handles three or more 'scan' requests at the same time on different segments of the IP network, and these are what I saw in only a few seconds; scanning progress is overlapping each other seeking for telnet services," unixfreakjp wrote in a very detailed technical analysis that is well worth reading.
He said Linux/IRCTelnet had no persistent autostart or rootkit or anything that could damage the device it had taken over. "This malware variant can be easily removed by rebooting the infected device. But if you don't secure the telnet after reboot, it will come to infect you again," he wrote.