A botnet named Rakos is going after Linux devices and could end up being used in future attacks, researchers said.
Rakos, first discovered in December, goes after Linux systems by launching brute-force attacks via SSH.
The catch, however, is that the compromised systems never ended up being used in any kind of attack.
Morphus Labs deployed high-interaction honeypots, which ended up targeted by Rakos. A closer analysis revealed the botnet garnered 8,300 devices per day across 178 countries, Renato Marinho of Morphus Labs said in a blog post.
Rakos consists of bots and command and control (C&C) servers. It is a peer-to-peer botnet so some infected machines may play both these roles, researchers said. Rakos bots obtain a list of IP addresses from a C&C server and attack those hosts via SSH. Each compromised device will in turn target other devices.
The botnet has been described as “transient” because its infection is not persistent after a reboot of the hacked device.
Brazil-based Morphus Labs researchers analyzed the botnet by using crawlers and by injecting fake nodes to act as sensors. Data collected over the course of 72 hours revealed the existence of just over 25,000 unique infected devices, or roughly 8,300 per day. This includes nearly 300 machines that served as C&C servers.
The country with the highest number of nodes was China (3,300), followed by Vietnam, Taiwan, Thailand, Russia, India, Brazil and the United States, which had just under 1,000 unique infections.
Experts showed more than 45 percent of the compromised devices were Raspberry Pis, followed by Open Embedded Linux Entertainment Center (OpenELEC) systems, which also typically run on Raspberry Pi. The third most targeted systems are wireless access points from Ubiquiti Networks.
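For defenders running the kind of SSH-exposed Linux devices described above, the brute-force pattern is visible in the sshd log. The following is an added example, not code from Morphus Labs or the original article: it counts failed password attempts per source address and flags a password login that succeeds after a burst of failures. The log lines are constructed, and the threshold of 3 is an assumption to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample in OpenSSH syslog format (documentation IP ranges); not real traffic.
SAMPLE_LOG = """\
Jan 10 03:14:01 pi sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40112 ssh2
Jan 10 03:14:03 pi sshd[811]: Failed password for root from 203.0.113.7 port 40118 ssh2
Jan 10 03:14:05 pi sshd[813]: Failed password for pi from 203.0.113.7 port 40125 ssh2
Jan 10 03:14:09 pi sshd[815]: Accepted password for pi from 203.0.113.7 port 40131 ssh2
Jan 10 08:30:12 pi sshd[902]: Failed password for pi from 198.51.100.4 port 51500 ssh2
Jan 10 08:30:20 pi sshd[902]: Accepted password for pi from 198.51.100.4 port 51500 ssh2
Jan 10 09:00:00 pi sshd[950]: Accepted publickey for pi from 192.0.2.10 port 60000 ssh2
"""

EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyze(log_text, threshold=3):
    """Return {ip: {"failures", "users", "verdict"}} for password-auth sources."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "verdict": "ok"})
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not password guessing, so skip them
        s = stats[m["ip"]]
        if m["result"] == "Failed":
            s["failures"] += 1
            s["users"].add(m["user"])
            if s["failures"] >= threshold and s["verdict"] == "ok":
                s["verdict"] = "brute-force"
        elif s["failures"] >= threshold:
            # A password login right after a burst of failures: the guess worked.
            s["verdict"] = "likely-compromised"
    return dict(stats)

if __name__ == "__main__":
    for ip, s in analyze(SAMPLE_LOG).items():
        print(ip, s["failures"], sorted(s["users"]), s["verdict"])
```

A source that reaches "likely-compromised" is the case that matters for a botnet of this kind, since a device taken over this way goes on to scan other hosts.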
“This individual problem that potentially leads to a global threat reminds us of the difficult adoption of BCP 38 (Best Current Practices) that specifies how Internet Service Providers (ISPs) could individually cooperate by configuring their routers to defeat DDoS amplification attacks over the Internet,” Marinho said. “The difference is that in password vulnerability problems we don’t have a guideline or an imposed rule; it involves many more devices and, especially, people.”
“It’s worth mentioning that during the 30 days we analyzed this botnet, we didn’t notice any malicious actions other than the SSH brute-force scanner itself,” Marinho said. “It seems that someone is preparing it to be sold or to offer ‘services’ using it when it gets in the right size.”