Rakos Malware Is Infecting Linux Servers And IoT Devices To Build Botnet Army


In addition to the Mirai botnets, there is also the Rakos botnet.


  1. Tomi Engdahl says:

    New Linux/Rakos threat: devices and servers under SSH scan (again)

    Apparently, frustrated users complain more often recently on various forums about their embedded devices being overloaded with computing and network tasks. What these particular posts have in common is the name of the process causing the problem. It is executed from a temporary directory and disguised as a part of the Java framework, namely “.javaxxx”. Additional names like “.swap” or “kworker” are also used. A few weeks ago, we discussed the recent Mirai incidents and Mirai-connected IoT security problems in The Hive Mind: When IoT devices go rogue and all that was written then still holds true.

    The Hive Mind: When IoT devices go rogue

    The Internet of Things (IoT) has been referred to by so many different names in the past year: The Internet of Terror, the Internet of Trash and a few other catchy monikers to account for the large amount of vulnerabilities present in new devices that are increasingly present in many homes.

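The first comment names the process disguises Rakos uses (".javaxxx", ".swap", "kworker") and notes the binary runs from a temporary directory. The following is an added defender-side example, not code from the post or from ESET, that flags processes matching that pattern; the sample records are constructed, and `scan_proc()` reads the live `/proc` on a Linux host.

```python
import os
import re
from dataclasses import dataclass
from typing import Iterable, List

# Process names quoted in the ESET write-up. The 'xxx' in '.javaxxx' is
# treated as any suffix (assumption, since the exact suffix is not given).
SUSPECT_NAMES = re.compile(r"^(\.java\w*|\.swap|kworker.*)$")
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

@dataclass
class Proc:
    pid: int
    comm: str  # name as in /proc/<pid>/comm
    exe: str   # resolved /proc/<pid>/exe target, "" for kernel threads

def is_suspect(p: Proc) -> bool:
    """A genuine kworker is a kernel thread with no executable on disk; a
    'kworker', '.java*' or '.swap' backed by a file in a temp dir is suspect."""
    return bool(SUSPECT_NAMES.match(p.comm)) and p.exe.startswith(TEMP_DIRS)

def find_suspects(procs: Iterable[Proc]) -> List[Proc]:
    return [p for p in procs if is_suspect(p)]

def scan_proc() -> List[Proc]:
    """Collect records from the live /proc (Linux only; unreadable skipped)."""
    found = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/comm") as f:
                comm = f.read().strip()
            exe = os.readlink(f"/proc/{pid}/exe")
        except OSError:
            continue  # kernel threads have no exe; others may be unreadable
        found.append(Proc(int(pid), comm, exe))
    return found

# Constructed sample records, not taken from a real host.
SAMPLE = [
    Proc(412, "kworker/0:1", ""),                 # real kernel thread
    Proc(1532, ".javaxxx", "/tmp/.javaxxx"),      # Rakos-style disguise
    Proc(2001, "java", "/usr/lib/jvm/bin/java"),  # legitimate JVM
    Proc(2050, "kworker", "/var/tmp/kworker"),    # fake kworker on disk
    Proc(2100, ".swap", "/dev/shm/.swap"),
]

if __name__ == "__main__":
    for p in find_suspects(SAMPLE):
        print(f"pid {p.pid}: {p.comm} -> {p.exe}")
```

Replace `SAMPLE` with `scan_proc()` to check a real host; a hit is a starting point for inspecting the binary, not proof of infection on its own.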
  2. Tomi Engdahl says:

    Massive Attack from New “Leet Botnet” Reaches 650 Gbps

    New Leet Botnet Shows IoT Device Security Regulation May Become Necessary

    Just before Christmas, Imperva found its network under a massive DDoS assault that reached 650 Gbps (Gigabit per second), making it one of the largest known DDoS attacks on record.

    Powered by what Imperva is calling the Leet Botnet, the attack occurred on the morning of Dec. 21, and was delivered against several anycasted IPs on the Imperva Incapsula network.

    While precise device attribution is not yet possible, it seems likely that, like Mirai, it uses thousands of compromised IoT devices.

    “Due to IP spoofing, it’s hard to accurately identify the devices used in this attack,” Avishay Zawoznik, security research specialist for the Incapsula product line at Imperva, told SecurityWeek. “We did, however, find some reliable clues in the payload’s content. Here, manual analyses of individual payloads pointed to some type of Linux device. For instance, some were ‘stuffed’ with the details of the proc filesystem (/proc) folder, which is specific to Unix-like systems.”

    Hidden behind spoofed IP addresses, it was impossible to locate the geographical location of the attacking devices; but Imperva was able to analyze the content of the packets being used. Although similar in size to the Mirai attack on KrebsOnSecurity in October, it was immediately clear that this was different. (There have been some suggestions that the Mirai attack against DNS service provider Dyn could have exceeded 1 Tbps.)

    Leet’s name comes from a ‘signature’ within the packets. “In the TCP Options header of these packets, the values were arranged so they would spell ‘1337’. To the uninitiated, this is leetspeak for ‘leet’, or ‘elite’,” notes Imperva.

    Two separate payloads were used: regular SYN packets (44 to 60 bytes), and abnormally large SYN packets (799 to 936 bytes). The content of the large packets was taken from the compromised devices and scrambled. The result is an inexhaustible supply of obfuscated and randomized payloads that can bypass any signature-based defenses that mitigate attacks by identifying similarities in packet content.

    There is no immediate solution beyond preparation as far as possible. “Organisations should be prepared to mitigate DDoS attacks and be prepared to get back up and running once the attack is over,” suggests F-Secure security advisor Sean Sullivan. “DDoS attacks cannot be prevented; being prepared to reduce downtime in the aftermath lessens the threat of DDoS. Extortionists will move on to weaker targets that are less prepared.”

    In the short term, warns Sullivan, “There’s little hope that networking and IoT equipment will become more secure, although ISPs could empower their security teams to run cleaner networks.”

