Distributed Denial of Service (DDoS) attacks make news headlines for a number of reasons, mostly because they show how attackers can deny users a service at a whim. Whether the target is government infrastructure or gamers trying to get in their hours, a DDoS attack can ruin anybody’s plans. While the results of these attacks generate headlines by themselves, the malware that facilitates them, and how it is built, gets far less attention. This is why an announcement on Twitter on May 3, 2020, of the discovery of a new piece of malware may have gone unnoticed by most of Twitter’s users.
A security researcher using the Twitter handle MalwareMustDie announced that a new piece of malware, named Linux/Kaiji, seemed to be making the rounds. It was written in Go and appeared to have been developed somewhere in China, both of which make it of interest to the InfoSec community. If the malware is used in large operations it will likely make the headlines its developer intends. Subsequent analysis by the security firm Intezer revealed that the malware was built from scratch, which in itself is rare, since many malware developers start from publicly released source code.
Further, writing DDoS malware from scratch would not seem necessary to many attackers, since such attacks are easily detected because of the overt results they are intended to produce. Investment in custom code and tools is therefore uncommon; it is usually deemed sufficient to rely on previously developed code, Mirai for example, to get the job done.
“Overall, this research exercise proved to be enlightening to me personally for a number of reasons. While certain preconceived notions around the prevalence of pentesting-related Go malware were indeed confirmed, there was also a wealth of different true malware families present. These malware families ranged from backdoors to botnets to banking Trojans. The overall low number of malware samples identified also was an interesting data point, showing that generally speaking, Go malware still has not gained a significant interest from malware developers. However, the timelines of the identified malware samples’ first seen timestamps indicate that Go malware is gaining popularity. Looking at the specific timeframe of January to March between 2017 to 2019, we see a significant rise where the number of identified malware samples rose by a factor of almost 20 (+1944%).”
Go malware is still in its infancy. However, it is gaining the attention of both malware developers as well as the security community in general, as new malware families are discovered and published frequently. Because the developers may compile a single code base against all major operating systems, it is my belief that Go will constitute a much larger market share of developed malware in the years to come, and should be on the security community’s proverbial radar.
SSH Brute Forcing
According to researchers, Kaiji has already been seen in the wild, slowly spreading and infecting devices to build a large and robust botnet. Unlike other DDoS malware that uses known exploits and vulnerabilities to spread and infect targeted devices, Kaiji relies solely on brute-forcing its way into IoT devices and Linux servers. SSH brute forcing is by no means a new tactic; some researchers believe the earliest attacks using it occurred over 15 years ago. The tactic targets SSH servers, which are typically used for remote administration and for transferring data between two computers over an untrusted network. The attacker submits large numbers of username and password combinations in login attempts until one is accepted. A successful login gives the attacker a shell with the privileges of the compromised account; if that account is root, or can escalate to it, the attacker has administrative control of the device and can execute arbitrary code on it.
In the case of Kaiji, only the “root” (superuser) account is targeted, because the malware needs root access on infected devices in order to manipulate raw network packets for the DDoS attacks it carries out, and for its other operations. Once it gains access to a device's root account, Kaiji uses the device in three ways: first, for DDoS attacks; second, to carry out further SSH brute-force attacks against other devices; third, it steals any local SSH keys and spreads to other devices that the root account has managed in the past.
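The brute-force pattern described above is easy to spot in sshd's own authentication log, and the Kaiji-specific signal is a burst of failures against root followed by an accepted password login from the same source. The script below is an added example written for this article, not code from Intezer, MalwareMustDie or the Kaiji authors. It parses the standard OpenSSH syslog lines, flags any source that exceeds a failure threshold inside a sliding time window, and marks the source as a likely compromise if a password login from it succeeds afterwards. The log lines, the threshold of 5 failures and the 60-second window are constructed assumptions for the example; tune them to your environment.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH's syslog format; these are not logs from a
# real Kaiji infection. One source hammers root and gets in; two other sources
# show ordinary activity that must not be flagged.
SAMPLE_AUTH_LOG = """\
May  3 10:15:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 51234 ssh2
May  3 10:15:02 host sshd[1202]: Failed password for root from 203.0.113.7 port 51235 ssh2
May  3 10:15:03 host sshd[1203]: Failed password for root from 203.0.113.7 port 51236 ssh2
May  3 10:15:04 host sshd[1204]: Failed password for root from 203.0.113.7 port 51237 ssh2
May  3 10:15:05 host sshd[1205]: Failed password for root from 203.0.113.7 port 51238 ssh2
May  3 10:15:06 host sshd[1206]: Accepted password for root from 203.0.113.7 port 51239 ssh2
May  3 10:16:10 host sshd[1300]: Failed password for invalid user admin from 198.51.100.9 port 40001 ssh2
May  3 10:16:20 host sshd[1301]: Failed password for alice from 192.0.2.44 port 40002 ssh2
May  3 10:16:30 host sshd[1302]: Accepted publickey for alice from 192.0.2.44 port 40003 ssh2
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


@dataclass
class SshEvent:
    ts: datetime
    accepted: bool
    method: str
    user: str
    ip: str


@dataclass
class Alert:
    ip: str
    failures: int = 0                       # largest burst of failures seen inside one window
    users: set = field(default_factory=set)  # accounts attempted during the flagged bursts
    success_after_bruteforce: bool = False   # a password login succeeded after the source was flagged

    @property
    def root_targeted(self) -> bool:
        return "root" in self.users


def parse_sshd_events(log_text: str) -> list:
    """Parse sshd login-result lines into events; other log lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so the parsed datetime (year 1900) is only
        # useful for ordering events and measuring the gap between them.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append(SshEvent(ts, m["result"] == "Accepted", m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {ip: Alert} for sources with >= threshold failures inside a sliding window."""
    recent = defaultdict(deque)  # ip -> failure events still inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.accepted:
            # A password login from a source already flagged is the compromise condition.
            if ev.method == "password" and ev.ip in alerts:
                alerts[ev.ip].success_after_bruteforce = True
            continue
        q = recent[ev.ip]
        q.append(ev)
        while ev.ts - q[0].ts > window:
            q.popleft()
        if len(q) >= threshold:
            alert = alerts.setdefault(ev.ip, Alert(ev.ip))
            alert.failures = max(alert.failures, len(q))
            alert.users.update(e.user for e in q)
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_sshd_events(SAMPLE_AUTH_LOG)).values():
        print(f"{alert.ip}: {alert.failures} failures in window, users={sorted(alert.users)}, "
              f"root_targeted={alert.root_targeted}, compromised={alert.success_after_bruteforce}")
```

On a real host, feed it the contents of /var/log/auth.log or `journalctl -u ssh` and act on any alert where `root_targeted` and `success_after_bruteforce` are both set. Detection is the fallback; a brute forcer that only tries root gets nothing from a server with `PermitRootLogin no` and `PasswordAuthentication no` in sshd_config, so check those settings first.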
Still Under Development
Kaiji activity was first detected in April 2020 by researchers at Intezer, and since then six different DDoS campaigns have been conducted by the malware’s author. Despite this, the malware appears to still be under development. Compared with more established botnets, the code lacks a number of features its rivals have. Certain strings in the code contain the word “demo”, indicating that it was not complete. Further, the code upon executing would call itself a number of times. This went beyond being unnecessary and would actually cause the malware to exhaust the device's memory and crash, an outcome botnet authors want to avoid at all costs, since many of their implants do not persist after a crash or device restart. The last indicator that the malware is still under development is that the command and control server would often go offline, leaving the bots without instructions and liable to be hijacked by a competing botnet.
When the discovery was initially announced, MalwareMustDie believed the author to be Chinese. This view is shared by Intezer’s researchers, whose report states,
“There exist 13 central goroutines which are important for the implant’s operation. Many of these functions are named in an English representation of Chinese words. We have highlighted the most interesting functions and added a translation from Chinese to relevant functions:
main_rundingshi (漢字: run timing): Install persistence through crontab
main_runganran (漢字: run infection): Another persistence technique, backdoor the SSH init script /etc/init.d/ssh to call the rootkit on startup
main_runshouhu (漢字: run surgery): Copy the rootkit to /etc/32679 and run it every 30 seconds
main_runkaiji (漢字: run boot): Install more persistence init.d files, e.g.: /etc/init.d/boot.local”
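The persistence mechanisms in Intezer's list give an incident responder concrete things to look for on a suspect host: a copy of the implant at /etc/32679, crontab entries or init scripts (including a modified /etc/init.d/ssh) that reference it, and the /etc/init.d/boot.local script. The scanner below is an added example written for this article, not a tool from Intezer or MalwareMustDie. Only the paths are taken from the quoted analysis; the crontab spool locations, the scanning logic, the sample host contents and the `read_host` helper are assumptions constructed for the example.

```python
import os
import re
from dataclasses import dataclass

# Paths taken from the persistence behaviour Intezer described (quoted above).
KAIJI_BINARY = "/etc/32679"
BOOT_LOCAL = "/etc/init.d/boot.local"

# Where the implant's cron and init.d hooks would land; the crontab spool locations
# are assumed for Debian- and RHEL-style layouts, not taken from the report.
DEFAULT_PATHS = [
    KAIJI_BINARY,
    BOOT_LOCAL,
    "/etc/init.d/ssh",
    "/etc/crontab",
    "/var/spool/cron/crontabs/root",
    "/var/spool/cron/root",
]

# Reference to the implant path that is not merely a prefix of a longer path.
BINARY_RE = re.compile(re.escape(KAIJI_BINARY) + r"(?![\w/])")


@dataclass
class Finding:
    path: str
    reason: str
    line: str = ""


def scan_files(files: dict) -> list:
    """files maps a path to its text content, or to None when the path does not exist."""
    findings = []
    if files.get(KAIJI_BINARY) is not None:
        findings.append(Finding(KAIJI_BINARY, "implant copy present at the reported path"))
    for path, text in files.items():
        if text is None or path == KAIJI_BINARY:
            continue
        for line in text.splitlines():
            if BINARY_RE.search(line):
                findings.append(Finding(path, f"references {KAIJI_BINARY}", line.strip()))
    if files.get(BOOT_LOCAL) is not None:
        findings.append(Finding(BOOT_LOCAL, "init script named in the Kaiji analysis is present; review it"))
    return findings


def read_host(paths=DEFAULT_PATHS, cron_d="/etc/cron.d") -> dict:
    """Build the same mapping from a live host. Run as root: unreadable files count as absent."""
    candidates = list(paths)
    if os.path.isdir(cron_d):
        candidates += [os.path.join(cron_d, name) for name in os.listdir(cron_d)]
    files = {}
    for p in candidates:
        try:
            with open(p, "rb") as fh:
                files[p] = fh.read().decode("utf-8", errors="replace")
        except OSError:
            files[p] = None
    return files


# Constructed picture of an infected host; the file contents are invented for the
# example and are not artefacts recovered from a real Kaiji infection.
SAMPLE_HOST = {
    "/etc/32679": "<stand-in for the implant binary; only its presence matters here>",
    "/etc/crontab": (
        "SHELL=/bin/sh\n"
        "17 * * * *  root  cd / && run-parts --report /etc/cron.hourly\n"
        "* * * * *  root  /etc/32679 > /dev/null 2>&1\n"
    ),
    "/etc/init.d/ssh": (
        "#!/bin/sh\n"
        "### BEGIN INIT INFO\n"
        "# Provides: sshd\n"
        "### END INIT INFO\n"
        "/etc/32679 &\n"
        "case \"$1\" in\n  start) /usr/sbin/sshd ;;\nesac\n"
    ),
    "/etc/init.d/boot.local": "#!/bin/sh\n/etc/32679\n",
    "/var/spool/cron/crontabs/root": None,
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_HOST):
        print(f"{f.path}: {f.reason}" + (f"  [{f.line}]" if f.line else ""))
```

To check a real machine replace `SAMPLE_HOST` with `read_host()`. Two caveats: /etc/init.d/boot.local is a legitimate file on SUSE-family systems, so its presence alone is a review item rather than a verdict, and fixed paths are brittle indicators for malware the article describes as still under development, so treat a clean result as "these specific artefacts are absent", nothing more.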
Despite the malware still being in apparent development, both Intezer and MalwareMustDie will continue to monitor its evolution. Kaiji also seems to highlight the current trend of botnets becoming smaller. In the past it was almost a race among botnet operators to see how many devices they could infect in order to create supermassive botnets, in some instances of over 500,000 devices. Today’s botnet ecosystem only really sees large and successful botnets topping out at around 16,000 infected devices. The ecosystem has become a place of intense competition for devices, which is one of the reasons it has become so fragmented.
The world seeing botnets top the hundreds of thousands again is unlikely, but then again stranger things do happen. Kaiji appears to have been developed primarily with DDoS attacks in mind, but the threat posed by botnets does not end there: in the past botnets have been seen distributing other malware types, including ransomware and banking trojans. While Kaiji is still in its infancy and has not been actively used in major campaigns, the threat it may pose in the future remains. Concerning Kaiji and other Golang malware, Intezer concluded,
“It is rare to see a botnet written from scratch, considering the tools readily available to attackers in black market forums and open source projects. In this post, we have uncovered a new DDoS operation in its early stages that was written from scratch. This is another confirmation of an interesting trajectory noted by vendors such as Palo Alto that malware developers are turning to modern languages such as Golang for their operations.”