Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

← Back to Stories (view on slashdot.org)

Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

Posted by msmash on Monday October 3, 2016 @04:00AM from the security-woes dept.

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinary large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports:The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

2 of 117 comments (clear)

Min score:

Reason:

Sort:

Re: Oh great by mlw4428 · 2016-10-03 04:46 · Score: 4, Interesting

That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.
Burn it to the ground by GrumpySteen · 2016-10-03 04:47 · Score: 4, Interesting

Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.