Newly Discovered Worm Threatening Linux Devices

NEW WORM ON THE BLOCK

Based on Mirai malware, self-replicating NoaBot installs cryptomining app on infected devices.

Author:
Dan Goodin – Jan 10, 2024 4:12 pm UTC


For the past year, previously unknown self-replicating malware has been compromising Linux devices around the world and installing cryptomining malware that takes unusual steps to conceal its inner workings, researchers said.
The worm is a customized version of Mirai, the botnet malware that infects Linux-based servers, routers, Web cameras, and other so-called Internet-of-things devices. Mirai came to light in 2016 when it was used to deliver record-setting distributed denial-of-service attacks that paralyzed key parts of the Internet that year. The creators soon released the underlying source code, a move that allowed a wide array of crime groups from around the world to incorporate Mirai into their own attack campaigns. Once taking hold of a Linux device, Mirai uses it as a platform to infect other vulnerable devices, a design that makes it a worm, meaning it self-replicates.

Dime-a-dozen malware with a twist
Traditionally, Mirai and its many variants have spread when one infected device scans the Internet looking for other devices that accept Telnet connections. The infected devices then attempt to crack the telnet password by guessing default and commonly used credential pairs. When successful, the newly infected devices target additional devices, using the same technique. Mirai has primarily been used to wage DDoSes. Given the large amounts of bandwidth available to many such devices, the floods of junk traffic are often huge, giving the botnet as a whole tremendous power.
On Wednesday, researchers from network security and reliability firm Akamai revealed that a previously unknown Mirai-based network they dubbed NoaBot has been targeting Linux devices since at least last January. Instead of targeting weak telnet passwords, NoaBot targets weak passwords protecting SSH connections. Another twist: Rather than performing DDoSes, the new botnet installs cryptocurrency mining software, which allows the attackers to generate digital coins using victims’ computing resources, electricity, and bandwidth. The cryptominer is a modified version of XMRig, another piece of open source malware. More recently, NoaBot has been used to also deliver P2PInfect, a separate worm researchers from Palo Alto Networks revealed last July.
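
As an added example (not from the article or from Akamai's report), the following Python code shows how a defender could spot the SSH password guessing described above in OpenSSH logs: it flags sources that fail passwords for several distinct usernames and marks them as compromised if a password login from the same source then succeeds. The log lines, the `analyze` function, and the `min_users` threshold are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH's syslog format (documentation IP ranges).
SAMPLE_LOG = """\
Jan 10 03:12:01 gw sshd[811]: Failed password for root from 203.0.113.5 port 40112 ssh2
Jan 10 03:12:03 gw sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
Jan 10 03:12:05 gw sshd[812]: Failed password for invalid user ubnt from 203.0.113.5 port 40114 ssh2
Jan 10 03:12:08 gw sshd[813]: Accepted password for pi from 203.0.113.5 port 40115 ssh2
Jan 10 03:15:40 gw sshd[820]: Failed password for alice from 198.51.100.7 port 51000 ssh2
Jan 10 03:15:52 gw sshd[821]: Accepted publickey for alice from 198.51.100.7 port 51001 ssh2
Jan 10 03:20:11 gw sshd[830]: Failed password for root from 192.0.2.44 port 33001 ssh2
Jan 10 03:20:13 gw sshd[830]: Failed password for invalid user test from 192.0.2.44 port 33002 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, min_users=3):
    """Classify source IPs by password-guessing behaviour.

    Returns {ip: "guessing" | "compromised"}:
      guessing    - failed passwords for >= min_users distinct usernames
      compromised - a guessing source that later had a password accepted
    """
    failed_users = defaultdict(set)   # ip -> usernames it failed to log in as
    verdict = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue                  # key-based logins are not credential guessing
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            failed_users[ip].add(user)
            if len(failed_users[ip]) >= min_users:
                verdict.setdefault(ip, "guessing")
        elif len(failed_users[ip]) >= min_users:
            # Password accepted right after a spray of failures: treat as a breach.
            verdict[ip] = "compromised"
    return verdict

if __name__ == "__main__":
    for ip, status in analyze(SAMPLE_LOG).items():
        print(ip, status)
```

A "compromised" verdict is the case that matters for a worm of this kind, since a device whose password was guessed becomes a scanner itself; disabling password authentication in favour of keys removes the guessable credential altogether.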

Akamai has been monitoring NoaBot for the past 12 months in a honeypot that mimics real Linux devices to track various attacks circulating in the wild. To date, attacks have originated from 849 distinct IP addresses, almost all of which are likely hosting a device that’s already infected. The following figure tracks the number of attacks delivered to the honeypot over the past year.

Figure: Noabot malware activity over time.
“On the surface, NoaBot isn’t a very sophisticated campaign—it’s ‘just’ a Mirai variant and an XMRig cryptominer, and they’re a dime a dozen nowadays,” Akamai Senior Security Researcher Stiv Kupchik wrote in a report Wednesday.
