Researchers found a new type of malware, known as Rakos, attacking embedded Linux systems with the goal of assembling a large botnet. The attack method used by Rakos is similar to that of the Mirai internet of things botnet. How does Rakos attack these embedded Linux systems? What can enterprises do to secure them?
Embedded security has been a growing problem over the last ten years, and it is getting exponentially worse with internet of things (IoT) malware like the Mirai and Hajime worms, and now, Rakos Linux malware.
Rakos attacks embedded Linux systems using methods similar to those used by the Moose worm: it tries to brute-force SSH login credentials on vulnerable devices. When a vulnerable device is found, the malware transfers the malicious binary to the target system and downloads a configuration file that lists the command-and-control (C&C) servers. The malicious binary starts a web server to accept commands from remote systems. The C&C connection can be used to update both the malicious binary and the configuration file.
To remove the malware, the running process needs to be killed or the device rebooted, as the malware doesn’t have functionality for persistence.
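Because Rakos gains its foothold through SSH credential guessing, the most useful early signal on an embedded device or its syslog collector is a burst of failed SSH logins from one source, especially when it is followed by a successful login from that same source. The following detector is an added example, not code from the article or from any Rakos analysis: it parses OpenSSH-style `sshd` syslog lines (constructed sample lines below, with documentation-range IP addresses), groups them by source address, raises a medium-severity alert when a source exceeds a failure threshold inside a sliding time window, and raises a high-severity alert when that source then authenticates successfully. The year used for timestamps, the threshold and the window are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sshd log lines (syslog format); not taken from the article.
# 203.0.113.7 hammers root/admin with passwords and finally gets in;
# 198.51.100.4 is a normal operator who mistypes once and then uses a key.
SAMPLE_LOG = """\
Dec 20 10:00:01 cam01 sshd[812]: Failed password for root from 203.0.113.7 port 51001 ssh2
Dec 20 10:00:02 cam01 sshd[813]: Failed password for root from 203.0.113.7 port 51002 ssh2
Dec 20 10:00:03 cam01 sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 51003 ssh2
Dec 20 10:00:04 cam01 sshd[815]: Failed password for root from 203.0.113.7 port 51004 ssh2
Dec 20 10:00:05 cam01 sshd[816]: Failed password for root from 203.0.113.7 port 51005 ssh2
Dec 20 10:00:06 cam01 sshd[817]: Accepted password for root from 203.0.113.7 port 51006 ssh2
Dec 20 10:05:00 cam01 sshd[900]: Failed password for ops from 198.51.100.4 port 40001 ssh2
Dec 20 10:06:00 cam01 sshd[901]: Accepted publickey for ops from 198.51.100.4 port 40002 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines
# that OpenSSH logs at the default LogLevel.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+"
)


def parse(line, year=2016):
    """Return a dict for an sshd auth line, or None for lines we do not track.

    Syslog timestamps carry no year, so one is supplied (assumed 2016 here).
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag sources with >= threshold failed logins inside `window`, and any
    successful login from such a source within `window` of its last failure."""
    events = [e for e in (parse(l) for l in lines) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        recent_fails = []      # timestamps of failures still inside the window
        tried_users = set()    # usernames guessed from this source
        burst = False          # whether this source already tripped the threshold
        for e in evs:
            if e["result"] == "Failed":
                tried_users.add(e["user"])
                recent_fails.append(e["ts"])
                # Drop failures that have aged out of the sliding window.
                recent_fails = [t for t in recent_fails if e["ts"] - t <= window]
                if len(recent_fails) >= threshold and not burst:
                    burst = True
                    alerts.append({
                        "src": src, "severity": "medium", "user": None,
                        "users": sorted(tried_users),
                        "reason": f"{len(recent_fails)} failed SSH logins within "
                                  f"{int(window.total_seconds())}s",
                    })
            elif burst and recent_fails and e["ts"] - recent_fails[-1] <= window:
                # A success right after a guessing burst: treat as likely compromise.
                alerts.append({
                    "src": src, "severity": "high", "user": e["user"],
                    "users": sorted(tried_users),
                    "reason": f"successful {e['method']} login for {e['user']} "
                              f"after brute-force burst",
                })
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(a["severity"].upper(), a["src"], a["reason"])
```

Run against the sample, the detector produces a medium alert for 203.0.113.7 after its fifth failure and a high alert when the password login for root succeeds one second later, while the operator at 198.51.100.4 triggers nothing. On a real fleet this would be fed from the devices' forwarded syslog; the high-severity case is the one that maps directly to the article's removal advice, since a device that accepted a password after a guessing burst is the one to reboot and re-credential.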

