Krebs Warns Source Code Leaked From Massive IoT Botnet Attack

Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity: The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...

The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.

It's not "cleaning up", it's competition

[Opportunist]

The reason you can't simply get as many bots isn't that ISPs start finding out that they have a responsibility. It's simply that more players are fighting over the bots.

Next step is probably botters hacking devices and changing the passwords so other bot herders can't use them. It's the usual game: A resource is only valuable if the other one does NOT have it.

Have the actual IoT devices been identified?

[slincolne]

Has anyone seen any lists of the devices that are being compromised?

It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).

Maybe all the ISP's should grab a copy of the code and use it for scanning for vulnerable client devices and tell their customers to disconnect them before the ISP does it for them.

time to brick them?

[Gravis+Zero]

So is it time for people to start bricking every unsecured IoT device or what?

BCP38

[mars-nl]

Wouldn't most if not all DDoS attacks be much harder if ISPs implemented BCP38? Of course IoT devices should be secure, but this is a dream as software will always contain bugs. The number of ISPs is much smaller than the number of devices connected to the internet, so blocking spoofed IP traffic is much cheaper solution.