ESET Discovers Return of Stronger Kaiten Malware

Next story

Multiple versions of Linux/Remaiten malware uncovered with new, spreading mechanism

SAN DIEGO-- ESET®, a global pioneer in proactive protection for more than two decades, today announced the return of Kaiten, an Internet Relay Chat (IRC)-controlled malware typically used to carry out distributed denial-of-service (DDoS) attacks. ESET researchers have identified three new, stronger versions of the malware -which they dubbed Linux/Remaiten.

The main feature of the malware- which its authors named "KTN Remastered“ or “KTN-RM“ - is an improved spreading mechanism. Based primarily on Linux/Gafgyt’s telnet scanning, KTN-RM improves on the spreading mechanism by carrying downloader executable binaries for embedded platforms such as routers and other connected devices.

When instructed to perform telnet scanning, the malware tries to connect to random public IP addresses. If the connection succeeds, it will try to guess the login credentials. If the malware successfully logs in, it will issue a shell command to download bot executable files for multiple system architectures and try to run them.

“This is a simple but noisy way of ensuring that the new victim gets infected, because it is likely that one of the binaries is for the current platform,” said Michal Malík, ESET Malware Researcher. “It targets mainly those with weak login credentials.”

As seen in Linux/Moose, when the malware is executed, it also creates another bot for the malicious operators to use. This strain of malware also has a message for those who might try to neutralize its threat.

“Within the welcome message, version 2.0 seems to single out which has published extensive details about Gafgyt, Tsunami and other members of this family of Malware,” said Malík.

Additional details about the Linux/Remaiten Bot can be found in a technical article by Michal Malik on ESET’s official security blog,


About ESET:

Since 1987, ESET® has been developing award-winning security software that now helps over 100 million users to Enjoy Safer Technology. Its broad security product portfolio covers all popular platforms and provides businesses and consumers around the world with the perfect balance of performance and proactive protection. The company has a global sales network covering 180 countries, and regional offices in Bratislava, San Diego, Singapore and Buenos Aires. For more information visit or follow us on LinkedIn, Facebook and Twitter.