Slashdot Mirror

← Back to Stories (view on slashdot.org)

Krebs Warns Source Code Leaked From Massive IoT Botnet Attack (krebsonsecurity.com)

Posted by EditorDavid on from the telnet-botnet dept.

Remember that historically massive denial-of-service attack last month against security researcher Brian Krebs? The source code's just been leaked, Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices." An anonymous Slashdot reader quotes KrebsOnSecurity: The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them -- thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot...

The user who leaked the source code says "there's lots of eyes looking at IOT now... I usually pull max 380K bots from telnet alone. However, after the Krebs DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300K bots, and dropping"...
Now that the source code has been released online for that 620-Gbps attack, Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems." He points out that 5.5 million new things get connected to the internet each day, according to Gartner. And they're also predicting that 6.4 billion things will be connected to the internet by the end of the year -- reaching 20.8 billion over the next four years.

39 of 69 comments (clear)

  1. Throw away economics? by Anonymous Coward · · Score: 1

    The throw-away hardware market gave way to the throw-away software (APPS!) market... is this the result?

    1. Re:Throw away economics? by Opportunist · · Score: 2

      This is more a result of people wanting the latest gadget with the most gimmicks, ignoring security or whether they actually need those gimmicks. This of course leads to manufacturers stuffing more and more gimmicks into their toys, and with the rule that the first to the market makes the buck, security is simply ignored, since the customer does not give a shit about it.

      It's simply market economics at work.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: Throw away economics? by Anonymous Coward · · Score: 1

      As modern app appers know....

    3. Re:Throw away economics? by AmiMoJo · · Score: 1

      When people buy tech like this they buy the cheapest option. Why pay more for the same functionality? Security is a secondary consideration.

      I like the idea of ISPs scanning for these vulnerabilities and auto-blocking accounts that become infected until the owner contacts them.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Throw away economics? by Opportunist · · Score: 1

      What I don't like about this option is what will immediately follow: "If you can scan for bots, you can scan for torrents".

      In the end, we'll get something like that. And this is why we can't have nice things.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Throw away economics? by RockDoctor · · Score: 1

      When people buy tech like this they buy the cheapest option. Why pay more for the same functionality? Security is a secondary consideration.

      "Security" rates as highly as that? What an optimist you are.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
  2. Overly optimistic by TroII · · Score: 4, Funny

    Krebs predicts "there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems."

    Yeah, I doubt it.

    Customer: My internet is slow.
    Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
    Customer: Yes, my internet is still slow.
    Comcast: Let me to be sending the signal to your modem!
    Customer: Didn't do anything, my internet is still slow.
    Comcast: I'm knowing how frustrating that is because I'm being a Comcast customer too! Did you rebooting your modem?
    Customer: Yes, 5 minutes ago while I was talking to you! My internet is still slow.
    Comcast: Let me to be sending the signal to your modem!

    --
    "If there was a gay Afro-Puertorican Linux distribution, I'd give it a try" ~lucm
    1. Re:Overly optimistic by Anonymous Coward · · Score: 3, Informative

      Used to work for 2Wire many years ago. Took transfers from outsourced SBC L1 techs. Unlike most, I don't blame them for being insanely inept at their jobs. They're hired to follow a script, not be technicians. Probing for info before the transfer often went like this:

      Me: "Did you try pinging the router?"
      L1: "...I was not able to do that."
      Me: "Ok, is there something wrong? How come you were unable to ping it?"
      L1: "...I was not able to do that."

      I get similar from my cable ISP from non-outsourced support if I call during the day. At night, I assume they have to staff the competent people as there are no others around to fix things. I can say "my modem doesn't sync" without being asked to reboot my computer.

      Sorry, off topic. AC anyhow so unlikely to be seen. :)

  3. DDoS by ledow · · Score: 2

    No problem.

    My old ISP used to detect SMB port access. If they witnessed any - i.e. your connection was opening your file shares to the world - they would block your web and replace every page with a notice until you signed a document stating that you intended to do this. I think you needed customer number so not something that the kids could just press okay on for you.

    At that point, they would open up the port again, or - if you'd fixed the problem and they detected that - they'd check once an hour and take the block off.

    Force ISPs to do the same for when they detect spam email, or botnet-contribution, etc. Then when they detect it again after they'd signed, you can just kick them off for AUP violation.

    But easier - just charge people by the byte. That's what'll end up happening. And most people won't even know or care that they're sending gigabytes to some poor sod's website.

    1. Re:DDoS by Doke · · Score: 1

      The problem is from amplification attacks. A sends a dns query (or something) packet to B, but forges a source address of C. B sends a much larger response to C. C blames B. B's internet fee goes up. Both B and C are victims. The correct solution is BPC38, "http://www.bcp38.info/index.php/Main_Page". Unfortunately, a lot of (IMO shady) network operators don't implement restrictions on their clients forging source ip addresses. They might be accepting payment to allow this abuse, they might be incompetent, or they might just be lazy. The excuse that it cost too much to upgrade their gear is no longer relevant. All routers have had the cpu to do that for years.

    2. Re:DDoS by davecb · · Score: 1

      In various countries, ISPs are reluctant to block spam from their customers, or even tell the customers that they have an virus, for fear the customer will sue them. In Canada (right next to the US) we were advised to do nothing, as one litigatious customer could ruin your whole year (;-))

      --
      davecb@spamcop.net
  4. It's not "cleaning up", it's competition by Opportunist · · Score: 3, Interesting

    The reason you can't simply get as many bots isn't that ISPs start finding out that they have a responsibility. It's simply that more players are fighting over the bots.

    Next step is probably botters hacking devices and changing the passwords so other bot herders can't use them. It's the usual game: A resource is only valuable if the other one does NOT have it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. Good! by dromgodis · · Score: 2

    Am I thinking wrong, or isn't this potentially a good thing? The more DOS:ers fighting for the same bots, the fewer of them will be able to hit each site. Thus they won't really be effective any longer.

    1. Re:Good! by arglebargle_xiv · · Score: 1

      It's more of a nothing thing at the moment, this freely-available source code doesn't seem to be available anywhere. I was curious to see what the code was like, but it's not available anywhere I can see...

  6. "Mirai" by SeaFox · · Score: 2

    Krebs reports, "virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices."

    A frightening "future" indeed.

    1. Re:"Mirai" by jargonburn · · Score: 1

      Ha, nice! I wasn't actually thinking about what the name meant.

  7. Have the actual IoT devices been identified? by slincolne · · Score: 3, Interesting
    Has anyone seen any lists of the devices that are being compromised?

    It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).

    Maybe all the ISP's should grab a copy of the code and use it for scanning for vulnerable client devices and tell their customers to disconnect them before the ISP does it for them.

    1. Re:Have the actual IoT devices been identified? by gbjbaanb · · Score: 2

      probably all of them, sooner or later. The IoT software built into nearly everything will be done as a marketing gimmick more than anything, with both cost and ease-of-usage kept down as low as possible meaning security will be non-existent, or if it is present will be so dumbed down to make it work out-of-the-box without any configuration.

    2. Re:Have the actual IoT devices been identified? by Fnord666 · · Score: 1

      It would be really handy to know what devices are actually at risk, so that people can tell if they need to take action. It sounds like whatever these devices are, they have somehow been exposed to the Internet (didn't we all disable UPNP years ago).

      I haven't seen the source code yet, but here is an interesting article that discusses at least some of the participants.

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  8. Auto-Disonnect by ISPs? by BoRegardless · · Score: 1

    When is the whole www going to implement a system to disconnect items on the last leg of an internet connection when misbehavior occurs?

    If 100 users get disconnected and 99 all pounce on the guy responsible for having a Bot-IOT device.

    At least I can dream.

    1. Re:Auto-Disonnect by ISPs? by Zontar+The+Mindless · · Score: 2

      What's "misbehaviour"?

      --
      Il n'y a pas de Planet B.
  9. time to brick them? by Gravis+Zero · · Score: 3, Interesting

    So is it time for people to start bricking every unsecured IoT device or what?

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:time to brick them? by BoRegardless · · Score: 1

      VERY Interesting: If an automated BOT went around and commandeered unsecured IOT devices and simply destroyed them, that would solve one problem. People would quickly learn to secure their IOT devices.

    2. Re:time to brick them? by dargaud · · Score: 1

      I think most IOT is hard to brick: if you reboot it it just restart in default mode as there's no writable filesystem (only a ramdisk) and only a few bytes where to save config information. So you are back to square one with a device still ripe open and ready for the ownage.

      --
      Non-Linux Penguins ?
    3. Re:time to brick them? by Doke · · Score: 1

      Then get sued... :-(

  10. BCP38 by mars-nl · · Score: 3, Interesting

    Wouldn't most if not all DDoS attacks be much harder if ISPs implemented BCP38? Of course IoT devices should be secure, but this is a dream as software will always contain bugs. The number of ISPs is much smaller than the number of devices connected to the internet, so blocking spoofed IP traffic is much cheaper solution.

    1. Re:BCP38 by ShaunC · · Score: 2

      Some of the traditional attacks (DNS/NTP reflection and amplification) would be mitigated but it's not likely to help with these IoT DDoSes. When you can control 300,000 pwned devices, you don't need to spoof any traffic.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:BCP38 by I4ko · · Score: 1

      In my case I have a set of rules on my router - you send me a packet I don't expect - blacklisted for 1 hour.
      You send me another packet - add another hour to your blacklist time. I have a few IP cameras - they are allowed to connect only to my internal DNS and to my external ftp server. All connections to them, and outbound from them to places I have not explicitly allowed are dropped silently.
      Same for NAS-es as well - no, you can't use UPNP, you can't phone home to mama(facturer), and you most certainly can't get any connection from the outside world. The WD devices are horrible and next to be hacked - they open an openvpn connection and drop untrusted traffic right in your network.. clickety click - no more traffic.

    3. Re:BCP38 by Doke · · Score: 1

      Regrettably, this is true. Krebs said his Akamai protection got hit primarly by GRE packets straight from the botted device. Very little of the DDOS was from amplification.

  11. You don't want this. by waspleg · · Score: 1

    Slippery slope. Very slippery. Oh look the ??AA just lobbied to get torrents listed as malware traffic legally and now ISPs are required to go around policing which is what the shit lord copyright trolls have always wanted.

  12. He got Slashdotted ! by Laxator2 · · Score: 1

    In the past this used to be a good thing indeed,
    but by now everyone seems to have forgotten the Slashdot Effect:

    https://en.wikipedia.org/wiki/...

    I am getting old ...

  13. Re:Three Pronged Attack by jabuzz · · Score: 1

    I would just go for 1 and for the really bad things like backdoor accounts, fixed known default passwords etc. Then make the fines repeat at double the rate every say three months if they don't fix it.

    At least that way one should in the future be able to buy from big name vendors and have a hope that they are reasonably secure.

  14. How to protect myself? by ripvlan · · Score: 2

    I've been trying to get more info on this IoT unsecure thing and understand what these devices are. One thing that confuses me is that - aren't these things installed (mostly) in Residential Homes? which would be behind a "firewall" router that (usually) uses NAT?

    The reason I ask this - how do I protect myself if I place such a device in my home? Are these pwned devices on the open network --- or can they be attacked through NAT? My "smart" TV, Bluray, Amazon TV, Apple TV, Raspberry Pi, Sonos, etc are all on the network. I have a NAT w/ uPNP disabled (prevent holes from being poked). Sure I understand there are ways through NAT....but these IoT attacks seem to "telnet" directly to the device without any special layers.

    Beyond basic NAT/uPNP --- what else do I need to know?

    Thanks!

    1. Re: How to protect myself? by mbeckman · · Score: 2

      uPNP is the culprit in most cases. It lets IOT devices unilaterally open holes in firewalls. The thing is, there is no reason to do so, as IoT devices should only need to "phone home", which doesn't require inbound access. The second vector is viruses that invade a home user's desktop computer, and then scan for, and infect, IoT devices. This is much harder to protect against, as ISPs can't scan through the firewall. What would be helpful is a downloadable tool to let users run their own IoT vulnerability assessment. I notice that commercial tools, such as Nessus, still haven't woken up to this threat.

    2. Re:How to protect myself? by Doke · · Score: 1

      Most consumer grade gateways are designed for less technical users. To reduce support calls, they have UPNP turned on by default. These days, they usually have an option to turn it off, probably down in an "advanced" page of the WUI. However, they very seldom have options to limit it to specific internal devices. Many of the online games require open network ports, and use UPNP to obtain them. Technical users can manually set up the port forwarding for a game console, by assigning it a fixed ip, and passing the required ports. However, the majority of users can't do that, or are too lazy. The few users who turn UPNP off, often end up turning it back on to get the games to work correctly. At that point, all of the IoT devices can create their telnet backdoor UPNP exceptions too.

      Another method is a downloaded trojan on a PC, that infects IoT thing on the local network.

  15. Re:Three Pronged Attack by Doke · · Score: 1

    Unfortunately, by the time the FTC or FCC got the fine through appeals, the bad device would have been on the market for 10 years. By then the sub-company created to market that device would no longer exist. It also would not eliminate the bad devices already out there.

  16. Re:Which Devices? by Doke · · Score: 1

    I've heard that mentioning specific vendors and models can get a security researcher sued. These days, you need to either post the list of weak devices anonymously, or consult a lawyer about responsible disclosure.

  17. Re:Three Pronged Attack by Archangel+Michael · · Score: 1

    1) Defeated by bankruptcy
    2) Defeated by lobbying
    3) Blood from turnips. Good luck with that.

    Good luck with that. The problem is, these types of events are easily solvable, except the part where solving it requires cooperation. The whole "That's Not My Problem" response by just about everyone.The problem is, it is everyone's problem because just about everyone contributes to it. There is one almost IoT device for every person on earth already.

    The biggest problem with IoT devices is that they are mostly replacing devices that are infrastructure (long lasting) devices that don't have to be updated, upgraded or patched, so nobody is thinking about the long term consequences of having to replace that thermostat every 3 years because it has expired support. I suspect that once you include the regular cost of replacing said device every couple years, the novelty of having a "smart thermostat" will wear off and the smart people will go back to regular unplugged thermostat, because the inconvenience of long term support isn't worth the convenience of having your heating and cooling by remote control.

    The smart apps on my TV are useless.
    Your thermostat has been hacked.
    IMHO the IoT is a bust already, and it hasn't even got off the ground yet.

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  18. Re:What I'd like to see by Archangel+Michael · · Score: 1

    You'd be dead too. ;)

    --
    Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.