
Kaiji malware: What it is, how it works and how to prevent it | Malware spotlight

August 27, 2020 by Fakhar Imam

Introduction

Trend Micro recently reported that they have detected variants of two existing Linux OS botnet malware types, known as XORDDoS malware, that targeted exposed Docker servers. The names of these two variants are “DDoS.Linux.KAIJI.A” and “Backdoor.Linux.XORDDoS.AE”.

These malware variants pave the way for Distributed Denial of Service (DDoS) attacks. A DDoS attack can disrupt, disable or shut down a service, website or network by flooding it with more traffic than it can accommodate, until it slows to a crawl or crashes.

In this article, we will shed some light on the Kaiji malware, including how it works and what preventive measures we can take. Never fear, help is on the way!

What is Kaiji?

According to the researchers at Intezer Labs, the Kaiji malware has been abusing systems to carry out Distributed Denial of Service (DDoS) attacks and is very different from other IoT malware strains.

Unlike other IoT malware, Kaiji is not written in C or C++ but is coded in the Go programming language.

Intezer Labs’ researchers also discovered that the Kaiji botnet was written from scratch in the Go programming language (Golang), unlike most other botnets, which are built from existing source code (as in the case of Mirai) or from illegitimate tool sets sold on the black market.

How does Kaiji work?

According to Boris Cipot, a senior cybersecurity engineer at Synopsys, Kaiji spreads by finding exposed SSH ports on Linux servers and IoT devices on the internet. It tries to get root access to such devices with a brute-force attack.

Cipot added that once Kaiji malware gains root access to one device, it starts spreading to other devices. “It will also collect all SSH keys of other devices that are managed, or were managed, by this root user and infect them as well. Kaiji is then manipulated to perform DDoS (Distributed Denial of Service) attacks on the issuer’s targets,” he says.
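The spreading behaviour described above leaves a recognisable pattern in a server's SSH authentication log: a burst of failed root logins from one source, sometimes followed by a successful root login from the same address. The following Python snippet is an added example (not from the article or the researchers it quotes) that parses constructed sshd log lines and flags such sources; the log lines and the threshold of five failures are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sshd log sample in syslog format (not a real capture).
SAMPLE_AUTH_LOG = """\
May  4 10:12:01 host sshd[2201]: Failed password for root from 203.0.113.5 port 51230 ssh2
May  4 10:12:02 host sshd[2203]: Failed password for root from 203.0.113.5 port 51231 ssh2
May  4 10:12:03 host sshd[2205]: Failed password for root from 203.0.113.5 port 51232 ssh2
May  4 10:12:04 host sshd[2207]: Failed password for root from 203.0.113.5 port 51233 ssh2
May  4 10:12:05 host sshd[2209]: Failed password for root from 203.0.113.5 port 51234 ssh2
May  4 10:12:06 host sshd[2211]: Accepted password for root from 203.0.113.5 port 51235 ssh2
May  4 10:15:40 host sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
May  4 10:15:45 host sshd[2302]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
"""

# Matches both "Failed password for root from ..." and "Accepted publickey for ..."
# lines, including the "invalid user" variant sshd logs for unknown accounts.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def analyse_sshd_log(text):
    """Per source IP: how many root logins failed and whether a root login
    later succeeded from that same source (the brute-force-then-spread pattern)."""
    stats = defaultdict(lambda: {"root_failures": 0, "root_success_after_failures": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["user"] != "root":
            continue  # only root attempts matter for this check
        entry = stats[m["ip"]]
        if m["result"] == "Failed":
            entry["root_failures"] += 1
        elif entry["root_failures"] > 0:
            entry["root_success_after_failures"] = True
    return dict(stats)


def suspicious_sources(text, threshold=5):
    """IPs that brute-forced root at least `threshold` times (assumed cut-off);
    the value says whether the brute force apparently succeeded."""
    return {ip: s["root_success_after_failures"]
            for ip, s in analyse_sshd_log(text).items()
            if s["root_failures"] >= threshold}
```

A source flagged with `True` deserves immediate host triage, since the login that followed the failures is the one an attacker would use to install the payload.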

As soon as the SSH connection is established, a bash script is executed to set up the environment for the Kaiji malware. It creates a /usr/bin/lib directory and installs itself there under the name of a system tool such as “netstat,” “ls” or “ps.”

Once running, Kaiji copies itself to /tmp/seeintlog and carries out numerous malicious operations, such as registering the newly compromised server with one of the command servers and decrypting the Command and Control (C&C) channel addresses.

Lastly, the Kaiji botnet fetches commands from a C&C server with instructions for particular DDoS attacks. The malware can then launch various attacks, including SYN, UDP, TCP and ACK floods, with IP spoofing.
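The installation steps above leave two concrete traces on disk: an unexpected /usr/bin/lib directory holding a file named after a system tool, and a staging copy at /tmp/seeintlog. As an added example (not code from the article or the cited researchers), this Python check looks for exactly those traces; the `root` parameter lets it run against a mounted disk image or, as here, a constructed directory tree instead of the live root filesystem.

```python
import os
import tempfile

# Tool names the article says Kaiji impersonates; other names are possible,
# so any regular file under usr/bin/lib is still reported.
KNOWN_IMPERSONATED_TOOLS = {"netstat", "ls", "ps"}


def find_kaiji_indicators(root="/"):
    """Return a list of human-readable findings for the on-disk traces
    described above, relative to `root` (use "/" on a live host)."""
    findings = []
    lib_dir = os.path.join(root, "usr", "bin", "lib")
    if os.path.isdir(lib_dir):
        # /usr/bin/lib is not a standard location; its mere presence is suspicious.
        findings.append(f"unexpected directory: {lib_dir}")
        for name in sorted(os.listdir(lib_dir)):
            path = os.path.join(lib_dir, name)
            if not os.path.isfile(path):
                continue
            tag = "known Kaiji name" if name in KNOWN_IMPERSONATED_TOOLS else "unknown file"
            findings.append(f"{tag}: {path}")
    staging = os.path.join(root, "tmp", "seeintlog")
    if os.path.exists(staging):
        findings.append(f"staging copy: {staging}")
    return findings


def build_sample_tree():
    """Constructed tree carrying the indicators (placeholder bytes, not malware)."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr", "bin", "lib"))
    os.makedirs(os.path.join(root, "tmp"))
    for rel in ("usr/bin/lib/netstat", "tmp/seeintlog"):
        with open(os.path.join(root, rel), "wb") as f:
            f.write(b"\x7fELF placeholder")
    return root


if __name__ == "__main__":
    for finding in find_kaiji_indicators(build_sample_tree()):
        print(finding)
```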

Kaiji malware exploits vulnerabilities in IT devices. Many of today’s IT devices on the market ship with misconfigured security settings and exposed communication ports, sometimes even with preset or hardcoded usernames and passwords. Many back-end servers are also hackable.

How can you prevent Kaiji malware?

  • According to Adam Palmer, a chief security strategist at Tenable, “Where possible, updates should be pushed to patch flaws and prevent this unwilling army of IoT rising up and doing their attacker’s bidding.”
  • Enterprises should employ efficient security tools to scan and secure containers and container hosts, management stack and networking environment
  • Use authentication control systems such as two-factor authentication or multi-factor authentication to prevent penetration
  • Employ an Intrusion Prevention System (IPS) and/or Intrusion Detection System (IDS) and web filtering tools
  • Use robust lightweight cryptography for IoT
  • Use IoT computational and cognitive security
  • Detect the Kaiji botnet early by monitoring network traffic. When traffic reaches your normal limit, apply rate limiting so that a server accepts only as many requests as it can handle
  • Utilize a Content Distribution Network (CDN) that allows you to store data on multiple servers. Doing so stops DDoS attacks from overloading the hosting server because a user can access data from other servers that are possibly not under attack

The bottom line

Kaiji is one of the variants of two existing Linux OS botnet malware types, known as XORDDoS malware, that targeted exposed Docker servers. This paves the way for DDoS attacks that can disrupt, disable or shut down a service, website or network. Kaiji also compromises IoT devices. The malware originates from China and is written in the Go programming language (Golang).

Kaiji can be prevented by patching security flaws, using IPS and IDS, using robust lightweight cryptography for IoT, utilizing CDN and so on.


Sources

  1. Kaiji malware spawns ‘army’ of Internet of Things devices after gaining root access, SC Media (Security Magazine UK)
  2. XORDDoS, Kaiji Botnet Malware Variants Target Exposed Docker Servers, Trend Micro
  3. What is a distributed denial of service attack (DDoS) and what can you do about them?, Norton
  4. Kaiji – a new strain of IoT malware seizing control and launching DDoS attacks, Bitdefender BOX
  5. New Kaiji Botnet Targets IoT, Linux Devices, Threat Post
  6. Kaiji Botnet Targets Linux Servers, IoT Devices, Bank Info Security
  7. Docker Servers Infected With DDoS Malware - XORDDoS, Kaiji Variants, Cyware
  8. What is a DDoS Attack and How to Prevent One in 2020, Safety Detectives
Fakhar Imam

Fakhar Imam is a professional writer with a Master of Science in Information Technology (MIT). To date, he has produced articles on a variety of topics, including computer forensics, CISSP and various other IT-related subjects.