Slashdot Mirror

← Back to Stories (view on slashdot.org)

Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

Posted by msmash on from the security-woes dept.

As if the state of security wasn't already a headache worldwide, we now may have one more reason to worry about: a hacker has made available the source code that could allow more people to wage the kinds of extraordinary large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports:The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.

5 of 117 comments (clear)

  1. Re:Duplicate story by xxxJonBoyxxx · · Score: 4, Informative

    Half the editors were too busy fending off a DDOS attack to read their own site. The other half still use a username/password of "admin/admin123" on their home devices and couldn't read their own site because their equipment was currently part of a global botnet.

    More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanned notices these.

    root xc3511, root vizxv, root admin, admin admin ,root 888888
    root xmhdipc, root default ,root juantech ,root 123456, root 54321, support support
    root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
    root pass ,admin admin1234 ,root 1111 ,admin smcadmin ,admin 1111 ,root 666666
    root password ,root 1234 ,root klv123 ,service service, supervisor supervisor ,guest guest
    guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
    ubnt ubnt ,root klv1234 ,root Zte521 ,root hi3518 ,root jvbzd ,root anko ,root zlxx. ,root 7ujMko0vizxv ,root 7ujMko0admin
    root system ,root ikwb ,root dreambox ,root user ,root realtek ,root 00000000 ,admin 1111111
    admin 1234 ,admin 12345 ,admin 54321 ,admin 123456 ,admin 7ujMko0admin ,admin 1234 ,admin pass
    admin meinsm ,tech tech ,mother fucker

  2. Re: Oh great by mlw4428 · · Score: 4, Interesting

    That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

    Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

    It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

  3. Burn it to the ground by GrumpySteen · · Score: 4, Interesting

    Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

  4. Re: Oh great by arth1 · · Score: 4, Funny

    Right now I can purchase an IoT appliance that controls my lawn sprinklers for about $250 that adjusts the water output based on the weather in the area.

    Your proposal would probably make that same IoT appliance cost around $250,000. No sane person would ever spend that much money on a device that controls a sprinkler system since that appliance would never pay for itself.

    Well, good. You shouldn't be wasting water on lawns anyhow.

  5. Re: Oh great by naughtynaughty · · Score: 4, Informative

    Almost all manufactures ship devices with default username and passwords

    Changing them is your responsibility