New Malware Strain, Kaiji, Abuses IoT for DDoS Attacks


Over recent years, cybersecurity professionals have read so many headlines about the Mirai botnet malware and its derivatives that it’s sometimes easy to overlook two facts: 1) there are already other botnet malware strains such as BASHLITE and Luabot, and 2) cybercriminals are capable of creating new types of malware. Then along comes Kaiji, which was recently discovered by security researchers from Intezer Labs and an individual researcher named MalwareMustDie. According to Intezer Labs, “The botnet was built from scratch using the Golang programming language, which is rare in the IoT botnet landscape.”

The use of Golang itself doesn’t necessarily make the attacks any more potent, but it may well make its reuse and repurposing easier for other cybercriminals. As it currently stands, Kaiji is designed to target Linux-based servers and IoT devices to launch damaging Distributed Denial of Service (DDoS) attacks. Intezer further reported: “Kaiji spreads exclusively via SSH brute forcing by targeting the root user only. Accessing root is important to its operation, since some DDoS attacks are only available via crafting custom network packets. In Linux, custom network packets are only given to a privileged user such as root.”

Kaiji malware is another example of how cybercriminals are finding new ways to leverage the fast-growing pool of available Internet of Things (IoT) devices. For those who may be unfamiliar with botnets, they can be applied to launch a variety of attacks, including ransomware and spam email campaigns, as well as DDoS attacks. Unfortunately, because many IoT devices are built with weak security architectures, malware can often just use telnet to access those that are still using their factory default username and password, then easily recruit the device into a botnet. In this way, the malware has the opportunity to infect tens of thousands of such devices and coordinate them to mount DDoS attacks against specific victims. End-users of IoT devices should always change the device username and password, to prevent them from being so easily harnessed into a botnet. Nonetheless, even after securing their own IoT devices, organizations aren’t safe from attacks sourced from botnets created using the devices of others.
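The two defensive points above (Kaiji spreads only by SSH brute forcing against root, and devices left on password logins are the ones recruited) can be checked directly on a Linux host. The following Python is an added example, not code from the original post or from Intezer/Corero: it parses a few constructed sshd log lines (sample data, not real traffic), flags any source address that racks up repeated failed root logins inside a short window and notes whether that source later got in, and audits an sshd_config fragment for the two directives that decide whether a password brute force against root can work at all. The threshold, window and the treatment of a missing directive as permissive are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt (not real data); the year is not in syslog
# timestamps, so the parser takes it as a parameter.
SAMPLE_AUTH_LOG = """\
May  4 10:00:01 host sshd[1201]: Failed password for root from 198.51.100.23 port 51112 ssh2
May  4 10:00:02 host sshd[1202]: Failed password for root from 198.51.100.23 port 51113 ssh2
May  4 10:00:02 host sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
May  4 10:00:03 host sshd[1204]: Failed password for root from 198.51.100.23 port 51114 ssh2
May  4 10:00:04 host sshd[1205]: Failed password for root from 198.51.100.23 port 51115 ssh2
May  4 10:00:05 host sshd[1206]: Failed password for root from 198.51.100.23 port 51116 ssh2
May  4 10:00:09 host sshd[1207]: Accepted password for root from 198.51.100.23 port 51117 ssh2
May  4 10:30:00 host sshd[1300]: Failed password for root from 192.0.2.77 port 6000 ssh2
"""

# Standard OpenSSH password-auth log format: "<Failed|Accepted> password for
# [invalid user] <user> from <ip> port <port> ssh2".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_sshd_log(text, year=2020):
    """Turn sshd password-auth lines into dicts; lines of other kinds are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]})
    return events


def find_root_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Return {ip: (max failures within one window, root login later succeeded)}
    for every source whose failed root logins reach `threshold` inside `window`.
    Only the root user is considered, matching the spread method described."""
    failures = defaultdict(list)
    successes = set()
    for ev in events:
        if ev["user"] != "root":
            continue
        if ev["result"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
        else:
            successes.add(ev["ip"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # Sliding window: largest number of failures falling within any `window`.
        best, start = 0, 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, ip in successes)
    return flagged


def audit_sshd_config(config_text):
    """Report sshd_config settings that leave root exposed to password guessing.
    An absent directive is treated as permissive (older OpenSSH defaulted
    PermitRootLogin to yes); this is a deliberately conservative assumption."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            settings[parts[0].lower()] = parts[1].strip().lower()
    findings = []
    if settings.get("permitrootlogin", "yes") not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin allows password login as root")
    if settings.get("passwordauthentication", "yes") != "no":
        findings.append("PasswordAuthentication is enabled; prefer public-key authentication")
    return findings


# Constructed config fragments: the weak one beside its hardened form.
WEAK_SSHD_CONFIG = """\
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

if __name__ == "__main__":
    for ip, (count, got_in) in find_root_bruteforce(parse_sshd_log(SAMPLE_AUTH_LOG)).items():
        print(f"{ip}: {count} failed root logins in window, later success: {got_in}")
    print("weak config:", audit_sshd_config(WEAK_SSHD_CONFIG))
    print("hardened config:", audit_sshd_config(HARDENED_SSHD_CONFIG))
```

Run against the sample, the detector flags 198.51.100.23 (five failed root logins in four seconds followed by a successful one, which is the sequence worth paging on) and ignores the lone failure from 192.0.2.77 and the non-root guess from 203.0.113.9; the config audit returns two findings for the weak fragment and none for the hardened one. On a real host the same functions can be pointed at /var/log/auth.log and /etc/ssh/sshd_config.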

What does this mean for DDoS Protection?

This new botnet malware is a reminder that the DDoS attack landscape is continually evolving. There is no reason to believe that the Kaiji malware will not be unleashed on the Dark Web, where other black hat hackers can develop more potent versions of it. To avoid any impact from such threats, organizations should deploy a DDoS solution that can detect and mitigate all types of attacks, automatically and in real time. Corero’s SmartWall® Solution, for example, includes real-time automatic protections against the many types of DDoS attack vectors used by botnets such as Kaiji, with efficacy that is continually enhanced based on the in-depth experience of Corero’s Security Operations Center (SOC) team, who monitor and analyze large numbers of DDoS attacks on a daily basis.

For over a decade, Corero has been providing state-of-the-art, highly effective, real-time automatic DDoS protection solutions for enterprise, hosting and service provider customers around the world. Our SmartWall® DDoS mitigation solutions protect on-premise, cloud, virtual and hybrid environments. For more on Corero’s diverse deployment models, click here. If you’d like to learn more, please contact us.

Sean Newman is VP Product Management, responsible for Corero’s product strategy. Sean brings over 25 years of experience in the security and networking industry to guide Corero’s growing leadership in the real-time DDoS protection market. Prior to joining Corero, Sean’s previous roles include network security Global Product Manager for Cisco, which he joined as part of their acquisition of cyber-security vendor Sourcefire, where he was Security Evangelist and Field Product Manager for EMEA. Prior to that he was Senior Product Manager for endpoint and network security vendor Sophos, after having spent more than 12 years as an Engineer, Engineering Manager and then Senior Product Manager for network infrastructure manufacturer 3Com.