Slashdot Mirror


Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports: The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

15 of 117 comments

  1. Oh great by JustAnotherOldGuy · · Score: 3, Informative

    Oh great, now every dickweasel and conehead in the world will be cranking out malware.

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re: Oh great by mlw4428 · · Score: 4, Interesting

      That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

      Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

      It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

    2. Re: Oh great by arth1 · · Score: 4, Funny

      Right now I can purchase an IoT appliance that controls my lawn sprinklers for about $250 that adjusts the water output based on the weather in the area.

      Your proposal would probably make that same IoT appliance cost around $250,000. No sane person would ever spend that much money on a device that controls a sprinkler system since that appliance would never pay for itself.

      Well, good. You shouldn't be wasting water on lawns anyhow.

    3. Re: Oh great by naughtynaughty · · Score: 4, Informative

      Almost all manufacturers ship devices with default username and passwords

      Changing them is your responsibility

    4. Re: Oh great by Macdude · · Score: 2

      Almost all manufacturers ship devices with default username and passwords
      Changing them is your responsibility

      The device should require the username and password be changed before it will function.

      --
      "Grab them by the pussy" -- President of the United States of America
  2. Re:Headline translation by The-Ixian · · Score: 3, Funny

    I fully expect that we are facing nothing less than total apocalypse

    This is the end people!

    Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

    --
    My eyes reflect the stars and a smile lights up my face.
  3. Duplicate story by eledill · · Score: 3, Informative

    This is a duplicate of http://m.slashdot.org/story/31...

    1. Re:Duplicate story by xxxJonBoyxxx · · Score: 4, Informative

      Half the editors were too busy fending off a DDOS attack to read their own site. The other half still use a username/password of "admin/admin123" on their home devices and couldn't read their own site because their equipment was currently part of a global botnet.

      More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanner notices these.

      root xc3511, root vizxv, root admin, admin admin, root 888888
      root xmhdipc, root default, root juantech, root 123456, root 54321, support support
      root (none), admin password, root root, root 12345, user user, admin (none)
      root pass, admin admin1234, root 1111, admin smcadmin, admin 1111, root 666666
      root password, root 1234, root klv123, service service, supervisor supervisor, guest guest
      guest 12345, guest 12345, admin1 password, administrator 1234, 666666 666666, 888888 888888
      ubnt ubnt, root klv1234, root Zte521, root hi3518, root jvbzd, root anko, root zlxx., root 7ujMko0vizxv, root 7ujMko0admin
      root system, root ikwb, root dreambox, root user, root realtek, root 00000000, admin 1111111
      admin 1234, admin 12345, admin 54321, admin 123456, admin 7ujMko0admin, admin 1234, admin pass
      admin meinsm, tech tech, mother fucker
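
An audit in the spirit of the comment above, as an added example that is not part of the original thread: it parses the list in the loose comma-separated form it was posted in and flags entries in your own device records that still use one of those logins. The excerpt is copied from the comment; the inventory rows, addresses and function names are constructed for illustration, and it assumes you already hold the configured login for each device you own.

```python
import re

# Excerpt of the posted list, irregular commas kept as they appeared.
POSTED_LIST = """\
root xc3511, root vizxv, root admin, admin admin ,root 888888
root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
"""

def parse_pairs(text):
    """Turn loosely comma-separated 'user password' text into a set of
    (username, password) tuples. '(none)' means an empty password."""
    pairs = set()
    for entry in re.split(r"[,\n]", text):
        fields = entry.split()
        if len(fields) != 2:  # skips blanks such as the stray ', ,'
            continue
        user, password = fields
        pairs.add((user, "" if password == "(none)" else password))
    return pairs

def audit(inventory, defaults):
    """Return inventory rows whose configured login is a known default.
    Rows are (host, username, password) taken from your own asset records."""
    findings = []
    for host, user, password in inventory:
        if (user, password) in defaults:
            findings.append((host, user, password or "(none)"))
    return findings

# Constructed inventory: documentation addresses, hypothetical devices.
INVENTORY = [
    ("192.0.2.10", "root", "xc3511"),       # DVR left at factory login
    ("192.0.2.11", "admin", ""),            # camera with empty admin password
    ("192.0.2.12", "admin", "T7#qv9!LmZ"),  # credential was changed
    ("192.0.2.13", "guest", "12345"),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, parse_pairs(POSTED_LIST)):
        print("default credential in use:", *finding)
```
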

  4. Re:Good by Moof123 · · Score: 2

    Most of these are not on any administrated system. These are baby monitors, home security cameras, "smart" toasters, and similar junk. We are selling piles of internet connected junk to the masses, but with no responsibility for anyone to make them secure after the fact. It is in fact getting harder to find widgets that are NOT internet connected just for the sake of being able to label it "smart".

    Smart toilet paper that tells you when the roll is about empty and automatically re-orders from Amazon will be the next BIG thing!!!

    The hassles with just getting all the connected crap in a typical house to work are too much, getting random fly-by-night electronic gizmos to be secure against state sponsored hackers with nearly unlimited resources? Fugetaboutit...

  5. Make the systems appear crappy? by Okian+Warrior · · Score: 3, Interesting

    Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.

    Apparently power cycling the IoT device will reset it to normal, whereupon it can be reinfected.

    Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

    The owners would have to keep power-cycling the devices, they'd get pissed at the manufacturers for making a poor product, and maybe they'd replace the devices with newer ones.

    This should be simple to do, much less effort than making the code try to contact the owner with "hey - change your password" and such.

    Would just making the products appear crappy work?

  6. Burn it to the ground by GrumpySteen · · Score: 4, Interesting

    Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

    1. Re:Burn it to the ground by rhazz · · Score: 2

      And their new products will also tank. Soon the majority of people will stop buying from random vendors and only buy from reputed ones who have proven products.

      The real problem is how authorities are likely to react to someone breaking these devices. Breaking every hackable IoT device out there is likely to cause much more consumer backlash than the occasional DDOS does. I bet the authorities would expend more against the person breaking the devices than the ones using them in the botnets.

  7. Re:Well, that's going to suck by naughtynaughty · · Score: 2

    Their security was fine, as long as you changed the default password.

    Devices really do need a recovery mechanism from someone losing their password and a hard reset back to a default is fine with me.

    That people buy a security camera and then leave it with its default password is the problem.

  8. Re:Headline translation by JustAnotherOldGuy · · Score: 2

    Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

    This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  9. Re:Headline translation by St.Creed · · Score: 3, Insightful

    Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

    This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

    Hell yeah. In our first tests after the bugs were fixed, literally NOTHING worked. They had forgotten to patch the login module and every password valid date was now suddenly in the past. 50 testers went home again that day, after an hour, on a Saturday. Much grumbling ensued.

    But... you know, at some point no one who was present at Y2K will be alive, but the people who denied that there ever was a problem will still be in abundant supply. It's saddening to see that if you just deny something happened, no matter what it is and no matter the documentation and witnesses, eventually sheer stupidity and mental inertia will bring you victory. Fighting entropy is *hard*.

    --
    Therefore, by the (faulty) logic you're using, you're just a cow with a keyboard - osu-neko (2604)