REINCARNA - Increasing Linux.Wifatch infected devices
REINCARNA is malware targeted to infect IoT devices having weak password through Telnet channel. The malware was reported by Symantec security blog in 2015 October. By IoTPOT, we confirmed that more than 10,000 hosts were infected by this malware. As characteristics of REINCARNA, after infection, running service in infected device were stopped, password and Telnet banner of the infected device were changed as in Figure 1. As shown in the altered banner, this malware is described as a disinfection bot by its author and it indeeds prevents further infection of other malware by closing listened ports and changing the configuration of telnet service. However, it seems that its disinfection capability is limited as we still observe a lot of attacks coming from devices infected by this malware implying the failure of disinfection.
Figure 2 shows numbers of infected devices monitored by IoTPOT. Since 2015 October, as the host infected by this malware was highly increased, it became difficult to infer type of infected device by its banner.