The Internet of Things (IoT) is the latest technological wave to have affected the manner human beings interact with their physical environment. Wikipedia states that IoT is a network infrastructure of individual computing devices which may include common devices such as computers, laptops, smartphones, smart-wear, smart TV to not so common devices as the heart monitoring implants, biochip transponders on farm animals or cars with built-in sensors. By 2020, the number of IoT devices is expected to outnumber the total number of smartphones, PCs, tablets and similar devices combined. Certainly, IoT is the next big thing arriving!
As the level of human diffusion with Internet devices increases, so does the demand for security for the whole ecosystem, which has, unfortunately not been given too much importance. The result is that we are having encounters with new types of cyber threats that hackers are employing. And such attacks are not happening on our PCs and smartphones, which we often protect with an antivirus program. Routers and similar internet gateways and access points are the weakest link in our network, and hackers are targeting such points due to the many vulnerabilities they possess.
Recently, researchers at ESET discovered a malware that they named Linux/Remaiten, which targets embedded systems like routers, gateways and access points. This malware is a combination of the Tsunami (or Kaiten) and Gafgyt, but improves upon the individual capabilities of both of them. So far, researchers have discovered three versions of this code, and based on their findings, they named the new malware “KTN-Remastered” or KTN-RM.
Tsunami is mainly used for DDoS attacks which could compromise all the end points in the network, while Linux/Gafgyt is notoriously known for its tele scanning process. When instructed to do so, the malware tries to establish connection to random IP addresses it has access to. Upon a successful connection, it attempts to log in by guessing the login credentials from its embedded list and then issues bot executables for multiple architectures and runs them. What KTN-RM improves upon this is that it only transfers the appropriate downloader, which may be small ELF executables for determining the platform of the new victim. This is because KTN-RM carries in its binary structure downloader executables for multiple platforms, similar to embedded Linux systems such as ARM. This downloader executes the appropriate bot binary on the victim device and creates another bot to spread itself. Hence, it proves to me more efficient and less noisy than Gafgyt.
So essentially, these malware force themselves into networks because of the vulnerabilities in the security of routers, through which they gain access to the complete network. It is more logical and easier than hacking to individual devices, because security in routers is often ignored by companies as well as users. Most manufacturers fix the vulnerabilities but no one cares to update their firmware- not the user neither the ISP. And this is quite evident from 2015 that had recorded the highest number of attacks on routers.