Slashdot Mirror


New, More-Powerful IoT Botnet Infects 3,500 Devices In 5 Days (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices. Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6. The best-of-breed approach "is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected," a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. "To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news."
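The report above describes the bot's spreading mechanism: scan for telnet, then try a built-in list of default username/password pairs. The following is an added example, not code from the Ars report or from Linux/IRCTelnet, Mirai or Bashlight, showing the same check as a defensive audit you would run against a device you own. It is exercised against a constructed in-process fake device on 127.0.0.1 (the "login:"/"Password:" prompts, the BusyBox-style banner and the accepted pair are all assumptions of the demo); the credential pairs are a handful from the widely published Mirai list.

```python
"""Default-credential check over telnet, exercised against an in-process fake device.

Added example: not code from the Ars report, Linux/IRCTelnet or Mirai. The fake
device, its prompts and its accepted pair are constructed for the demo; the
credential pairs are a handful from the widely published Mirai list.
"""
import socket
import threading

DEFAULT_CREDS = [
    ("root", "root"), ("root", "xc3511"), ("root", "vizxv"),
    ("admin", "admin"), ("admin", "password"), ("support", "support"),
]


def _read_line(sock, limit=256):
    """Read one newline-terminated line (a device console reads its login fields this way)."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        chunk = sock.recv(64)
        if not chunk:
            break
        buf += chunk
    return buf.strip().decode("ascii", "replace")


def _read_until(sock, markers, timeout=3.0, limit=4096):
    """Read until any marker is seen, EOF or timeout; return what was read."""
    sock.settimeout(timeout)
    buf = b""
    try:
        while len(buf) < limit and not any(m in buf for m in markers):
            chunk = sock.recv(256)
            if not chunk:
                break
            buf += chunk
    except socket.timeout:
        pass
    return buf


def start_fake_device(accepted, banner=b"BusyBox built-in shell\r\n# "):
    """Constructed stand-in for an embedded device: login/Password prompts, shell on success.

    Listens on 127.0.0.1 and an ephemeral port (returned); serves in a daemon thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                try:
                    conn.sendall(b"login: ")
                    user = _read_line(conn)
                    conn.sendall(b"Password: ")
                    password = _read_line(conn)
                    ok = (user, password) in accepted
                    conn.sendall(b"\r\n" + banner if ok else b"\r\nLogin incorrect\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def try_login(host, port, user, password, timeout=3.0):
    """True if user/password yields a shell prompt ('# ' or '$ ') on host:port."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        if b"login:" not in _read_until(s, [b"login:"], timeout):
            return False
        s.sendall(user.encode() + b"\r\n")
        if b"Password:" not in _read_until(s, [b"Password:"], timeout):
            return False
        s.sendall(password.encode() + b"\r\n")
        reply = _read_until(s, [b"# ", b"$ ", b"incorrect"], timeout)
        return reply.rstrip().endswith((b"#", b"$"))


def audit_device(host, port, creds=DEFAULT_CREDS):
    """Return every default pair that logs in; an empty list means none of them work."""
    return [(u, p) for u, p in creds if try_login(host, port, u, p)]


if __name__ == "__main__":
    port = start_fake_device({("admin", "admin")})
    print("working defaults:", audit_device("127.0.0.1", port))
```

Each attempt opens a fresh connection, which is what a real device console expects; the success test is "did we get a shell prompt", not the absence of an error string, because many devices print nothing recognisable on failure. Point it at a real device only with authorisation, and treat any non-empty result as "change or disable this before it goes near the Internet".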

56 comments

  1. IoT needs to go away. by Mal-2 · · Score: 5, Insightful

    Whoever decided putting devices without sufficient resources to defend themselves, or be updated, directly onto the Internet was a good idea should have his professional certifications revoked and be forbidden from administering anything more complicated than his own home network. And that home should probably be denied connectivity to the world.

    The IoT is not necessarily a bad idea in concept, but it has been implemented exceptionally poorly, and those devices that cannot be updated need to be disconnected forever, or at least hidden on their own private networks. Vendors who cannot or will not patch their devices should be compelled to recall them, as violations of Part 15 rules against causing harmful interference.

    --
    How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    1. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      So in effect then Apple got something right with the security they demand for their iHome gear.

    2. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      More specifically, embedded Linux needs to die off.

    3. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      "So in effect then Apple got something right with the security they demand for their iHome gear."
      Ayup.

      Further up,

      " And that home should probably be denied connectivity to the world."
      Another jerk who doesn't realize that there is _no_ way that Consumers could tell whether their shiny new IoT is vulnerable. Stop blaming Consumers for this massive Worldwide IT screwup.

      "Vendors who cannot or will not patch their devices should be compelled to recall them, as violations of Part 15 rules against causing harmful interference."
      And just what part of Part 15 applies to China, where this crap comes from, or the rest of the World, where it is rapidly being deployed? Short of a rapid Worldwide effort to either adapt the HomeKit protocols or something equivalent, this mess simply can't be fixed. So what if a few cheapskate Corporations fold in the process, we might as well just write off those Billions of Dollars, and Euros and Yen already spent, right now.

      Captcha: disclaim

    4. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      I agree IoT needs to go away, but so do non-stories about only 3500 IoT devices.

      Every day, that many IoT devices probably experience randomly flipped bits due to radiation. Given enough bit flips, they could spontaneously do bad things on their own. Let's talk about that instead!

      /. commenter #1: It's time for ECC!
      /. commenter #2: Fr1st ps0t.
      /. commenter #3: <insert political party> sucks!
      /. commenter #4: Something about OP's mom.

    5. Re:IoT needs to go away. by Mal-2 · · Score: 1

      The home of the person who decided to sell non-upgradeable devices and let them connect directly to the Internet is the only one I'm saying should be removed from it. Part 15 rules have their analogous components in most countries that regulate the RF spectrum (which is practically all of them), I just used the reference I know.

      If you want to connect your multi-color LED Christmas lights to the Internet, then you should be required to administer such a setup just as much as you would any other computer you hook up. The same is true of your thermostat. If the vendor does not allow the devices to be adequately secured, then you have no business connecting them to anything more than your own local network, and if they manage to jump past firewalls and affect the world at large, you should get disconnected until you fix it, just like everyone else who is part of a botnet should be.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    6. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      "Whoever decided putting devices without sufficient resources to defend themselves, or be updated..."

      Almost every IoT device has more power than an early 1990's home PC. Early 1990's home PCs had quite enough oomph to both run a software firewall and to apply software updates.

      If the software is correctly designed, it is a _really_ good security practice to make it difficult to field-upgrade the software. This prevents malicious actors from remotely subverting the device. (PC hardware devs should have a physical write-protect switch for all on-board firmware in the system for exactly this reason.)

      "...violations of Part 15 rules against causing harmful interference."

      This isn't radio. Part 15 of the FCC regs doesn't apply.

    7. Re:IoT needs to go away. by Anonymous Coward · · Score: 1

      I don't know, that doesn't make sense. That would be like suing a gun manufacturer for something a user did. These cheap crappy devices probably are fine as long as they are properly firewalled onto their own subnet. Isn't it the user's fault for not properly securing the devices?

    8. Re:IoT needs to go away. by Mal-2 · · Score: 1

      If the FCC can regulate broadband, then they can regulate the devices getting attached to those connections to make sure they're not pulling shit like DDoS attacks. They can't tell you what the device is supposed to do, provided it isn't abusing the network itself, but certainly they should be able to prevent it from being a hazard to the world at large.

      --
      How is the Riemann zeta function like Trump rallies? Both have an endless number of trivial zeros.
    9. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      intartubez of tings is still a ting? humanity is stupid. and doomed. the really sad thing is the 99.9% that shouldnt be breeding to begin is ruining it for me.

    10. Re: IoT needs to go away. by Anonymous Coward · · Score: 0

      "And just what part of Part 15 applies to China, where this crap comes from, or the rest of the World, where it is rapidly being deployed? "

      The part where companies import that stuff. It should be caught by customs.

    11. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      I don't really understand why they are "directly" on the internet at all.

      Why aren't they on a phone-home system of some sort behind fairly normal home firewalls ?

      It seems harder to put them directly on the internet (at least in my home setup) than not to.

    12. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      Wow, because IoT are like guns. Oh wait, when poorly implemented, I guess now they are! But that's not the customer's fault, that's the fault of the vendors. These evil people have dumbed down their users for profit, and now deliver insecure products for profit. What is more likely, educate 100 vendors or tens of millions of customers?

      These devices should be secure by default.

    13. Re:IoT needs to go away. by arglebargle_xiv · · Score: 1

      should have his professional certifications revoked

      What professional certification? What sort of people do you think are designing and deploying this stuff, professionals?

    14. Re:IoT needs to go away. by Shane_Optima · · Score: 1

      More specifically, embedded Linux needs to die off.

      In favor of?

    15. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      Vendors who cannot or will not patch their devices should be compelled to recall them, as violations of Part 15 rules against causing harmful interference.

      That would be great, if we were all Americans.

      Fucking Americans. And idiots like you wonder why the world laughs at you.

    16. Re: IoT needs to go away. by ArmoredDragon · · Score: 1

      And how are we supposed to hold vendors accountable? Domestic ones you can, however there are very few domestic IoT vendors. Nonetheless, people are going to keep buying them without giving a damn what impact they have on anybody else. This is why you should hold the end user responsible, otherwise they can just get away with slapping the blame on a manufacturer that can never be reached, which means zero accountability.

      We do the same thing with cars, by the way. By putting your car on the road, you by default certify that it's in proper working order. If it's not (i.e. you don't maintain your brakes) then you're liable. Yes, you can claim damages from the manufacturer in some cases, but ultimately the buck stops at you.

    17. Re:IoT needs to go away. by Anonymous Coward · · Score: 0

      "If the FCC can regulate broadband..."

      Sure. I don't disagree with that (other than to note that this would be a _really_ scary bridge to cross that's best left uncrossed).

      However, Internet-attached computers isn't radio. Part 15 of the FCC regs doesn't apply!

    18. Re:IoT needs to go away. by indi0144 · · Score: 1

      Well the things are not running Windows so yeah, we all expect them to be properly set up by the friendly neckbeard we all know.
      Decades of millions of Windows boxes owned and nothing happened, but make popular some Linux-on-a-stick and the internets collapse. Good game.

  2. IoT by Anonymous Coward · · Score: 0

    And that, folks, is what IOT gets you

  3. As usual, the problem is Linux by Anonymous Coward · · Score: 0, Troll

    Notice that you don't see Windows 10 botnets causing these problems. It's always Linux.

  4. Re:Missing zeros ... by Anonymous Coward · · Score: 0

    Google "exponential growth" and come back after you've read up on it.

  5. Our nids system agrees by Anonymous Coward · · Score: 0

    I've noticed an enormous increase in telnet scans being performed on our networks recently. Infected devices are used to scan for more vulnerable devices to infect. If you telnet to the IP address of the probing device you will often find they are wireless routers or cameras and can be logged in with a default password. On ones with a ps command you can see what appears to be randomly named processes running. I think the blame can be shared between most device manufacturers and consumers for both having poor security practices.
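What the NIDS observation above looks like as detection logic, added here as an example (not code from the thread or from any sensor product): parse firewall SYN lines and honeypot login lines, flag sources that touch several distinct hosts on TCP/23 or TCP/2323 inside a short window, and flag successful logins whose credentials are on a default list. The log format, addresses and timestamps are constructed for the demo; the two regexes are the only thing to adapt to a real sensor's output.

```python
"""Flag telnet scanners and default-credential logins in NIDS/firewall/honeypot logs.

Added example, not code from the original thread or the Ars report. The log
format, addresses and timestamps below are constructed; adapt the two regexes
to whatever your sensor actually emits.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TELNET_PORTS = {23, 2323}

# A few username/password pairs from the widely published Mirai default list
DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("root", "root"),
    ("admin", "admin"), ("admin", "password"), ("support", "support"),
}

# Constructed sample: one source sweeping telnet ports across several hosts and
# then logging in with a list default; one admin connecting once with a real
# password; one HTTP crawler that must not be flagged.
SAMPLE_LOG = """\
2016-11-01T10:00:01 fw: SYN 203.0.113.7:51234 -> 192.0.2.10:23
2016-11-01T10:00:01 fw: SYN 203.0.113.7:51235 -> 192.0.2.11:23
2016-11-01T10:00:02 fw: SYN 203.0.113.7:51236 -> 192.0.2.12:2323
2016-11-01T10:00:02 fw: SYN 203.0.113.7:51237 -> 192.0.2.13:23
2016-11-01T10:00:05 honeypot: LOGIN 203.0.113.7 user=admin pass=admin result=fail
2016-11-01T10:00:06 honeypot: LOGIN 203.0.113.7 user=root pass=xc3511 result=ok
2016-11-01T10:03:00 fw: SYN 198.51.100.4:40001 -> 192.0.2.10:23
2016-11-01T10:03:04 honeypot: LOGIN 198.51.100.4 user=admin pass=R3al-passw0rd result=ok
2016-11-01T10:04:00 fw: SYN 203.0.113.9:33000 -> 192.0.2.10:80
2016-11-01T10:04:00 fw: SYN 203.0.113.9:33001 -> 192.0.2.11:80
2016-11-01T10:04:01 fw: SYN 203.0.113.9:33002 -> 192.0.2.12:80
2016-11-01T10:04:01 fw: SYN 203.0.113.9:33003 -> 192.0.2.13:80
"""

SYN_RE = re.compile(r"^(\S+) fw: SYN ([\d.]+):\d+ -> ([\d.]+):(\d+)$")
LOGIN_RE = re.compile(r"^(\S+) honeypot: LOGIN ([\d.]+) user=(\S*) pass=(\S*) result=(ok|fail)$")


def parse_line(line):
    """Return an event dict for a recognised line, else None."""
    m = SYN_RE.match(line)
    if m:
        ts, src, dst, port = m.groups()
        return {"kind": "syn", "ts": datetime.fromisoformat(ts), "src": src,
                "dst": dst, "port": int(port)}
    m = LOGIN_RE.match(line)
    if m:
        ts, src, user, password, result = m.groups()
        return {"kind": "login", "ts": datetime.fromisoformat(ts), "src": src,
                "user": user, "password": password, "ok": result == "ok"}
    return None


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def find_telnet_scanners(events, min_targets=4, window=timedelta(seconds=60)):
    """Sources that SYN'd >= min_targets distinct hosts on telnet ports inside one window.

    Returns {src: sorted list of all telnet targets seen from that source}.
    """
    per_src = defaultdict(list)
    for e in events:
        if e["kind"] == "syn" and e["port"] in TELNET_PORTS:
            per_src[e["src"]].append(e)
    scanners = {}
    for src, evs in per_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            in_window = {x["dst"] for x in evs[i:] if x["ts"] - first["ts"] <= window}
            if len(in_window) >= min_targets:
                scanners[src] = sorted({x["dst"] for x in evs})
                break
    return scanners


def find_default_logins(events, defaults=DEFAULT_CREDS):
    """Successful logins with list credentials: that device still has factory
    credentials and should be treated as compromised."""
    return [(e["src"], e["user"], e["password"]) for e in events
            if e["kind"] == "login" and e["ok"] and (e["user"], e["password"]) in defaults]


def report(text):
    events = parse_log(text)
    return {"scanners": find_telnet_scanners(events),
            "default_logins": find_default_logins(events)}


if __name__ == "__main__":
    for name, hits in report(SAMPLE_LOG).items():
        print(name, hits)
```

The scanner rule keys on distinct destination hosts rather than raw connection count, so a legitimate admin reconnecting to one device several times does not trip it, and the login rule only fires on successes, since failed default attempts are just the scanner's noise. Both thresholds (four hosts, sixty seconds) are starting points to tune against your own baseline.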

  6. Time to brick the IoT by Noah+Haders · · Score: 3, Insightful

    We need a team of grey hats who weaponize these IoT security flaws. There's no way you can win the IoT security battle through publicity or conferences. I assure you the chinese crapola seller isn't going to issue a security patch.

    Instead, we need the grey hats to find these IoT flaws and then brick all IoT devices that they can find. Just make it a standing rule -- insecure IoT? Bricked! This would make many OEMs pay attention to security, and for those who still don't, at least their products will be off the web.

    Where can we enlist these hackers?

    1. Re:Time to brick the IoT by Anonymous Coward · · Score: 0

      Where can we enlist these hackers?

      Russia, obviously.

    2. Re:Time to brick the IoT by AHuxley · · Score: 1

      Using admin/admin or admin/password is a feature not a flaw.
      What is an insecure IoT to an ISP? A user looking at their CCTV at work or in another country?
      "This would make many OEMs pay attention to security," is the key, get them at the app level. Get their brands off the phones, desktops and tablets.
      Get all AV brands to scan all devices on a network and report the junk by default. Not some hidden scan setting for "network".

      --
      Domestic spying is now "Benign Information Gathering"
    3. Re:Time to brick the IoT by Anonymous Coward · · Score: 1

      I agree with parent. If corporations aren't going to take responsibility for their creations once sold into the wild, then the law of 'survival of the fittest' needs to come into play. Once a few big companies get their entire lines of devices bricked due to being just unfit for survival in the open internet, they'll start to change their behaviour.

      This isn't unethical -- it's the most ethical thing people can do, in the long run. Make the big companies stare with open eyes at the elephant they've created in the room, so they *have* to address it.

    4. Re:Time to brick the IoT by AdamAnderson8866 · · Score: 1

      autoimmune response

    5. Re:Time to brick the IoT by LordWabbit2 · · Score: 1

      They don't have to be bricked, just have their logins changed so they are no longer a threat. The problem is that even just doing that is technically hacking and can land you in hot water if/when caught. Bricking them would just land you in more hot water.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    6. Re:Time to brick the IoT by Noah+Haders · · Score: 1

      Not sure what you mean by getting them at the app level. To be clear, I'm talking about breaking their IoT fridge so it no longer works and they have to buy another one. Next time, they'll buy a different brand!

    7. Re:Time to brick the IoT by Noah+Haders · · Score: 1

      the problem with your approach is that it lets the companies off the hook, and makes it so they don't need to pay any attention to security. the only thing that will wake them up is if their stuff breaks.

    8. Re:Time to brick the IoT by Anonymous Coward · · Score: 0

      >insecure IoT? Bricked! This would make many OEMs pay attention to security, and for those who still don't, at least their products will be off the web.

        Gonna fix this for you:
      This would make many consumers, regular Joes, families, and even tech-savvy people confused, mystified, and pissed off that vigilantes decided to mete out justice whilst claiming to do it for our own good and then expect to be complimented for it.

      How about the companies keep getting embarrassed by events already seen in the news, and fix things on that alone? You say they're taking too long, and a fine squad of white hats should 'help' them out? Then blog, blog, blog, and complain or get a job there and be part of the fix-it team.

      Don't knock out the devices just because, technically, it can be done. Technically, I can also drive on the sidewalks to 'help' remind texting people to watch where they're going and keep their heads up. Stop texting & walking people!!


    9. Re:Time to brick the IoT by Anonymous Coward · · Score: 0

      run those script kids' tools in a way that each class of device DoS the manufacturer's domain.

      problem solved.

    10. Re:Time to brick the IoT by Noah+Haders · · Score: 1

      Problem is, I could probably shame Samsung into fixing their IoT fridge (yes, it exists!). But there's no way you could shame a chinese knockoff company that sells products in China. There will be billions of products in Asia, Africa and South America that will be non-secure. How do you block those?

    11. Re:Time to brick the IoT by airdweller · · Score: 1

      "just have their logins changed so they are no longer a threat."
      A lot of those devices have logins/passwords hardcoded in them.

    12. Re:Time to brick the IoT by indi0144 · · Score: 1

      THE WALL, let me tell you, the Wall will block all that Mexican IoTs, it will be a beautiful cyberwall, because they are not sending their best, they are sending ddosers, they are sending script kiddies, they are sending trolls, and maybe some are Apple gadgets.

    13. Re:Time to brick the IoT by LordWabbit2 · · Score: 1

      Well if they can't be changed then it's also going to be hard to brick them.
      I was under the assumption that most of these devices have not had the DEFAULT credentials changed, the ones they get from the factory that are printed on the box or in the user manual. When the owner realizes he can no longer log in and does a factory reset it will go back to the default. Hopefully after a few times he will catch a clue and change the default login.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
  7. This is news because? by Snotnose · · Score: 4, Insightful

    We all know IoT devices have absolutely no security, we've known this for months. Yet the uninformed keep buying them (despite the "NEW AT 11 OCLOCK!!! HACKERS TAKE OVER YOUR BABY CAM" every few weeks). The uninformed can't be bothered to change the default password, even after watching the abovementioned news flash. The uninformed consider a day or three of crappy internet as "hmmm, must be hackers somewhere. But not in my neighborhood".

    We need to put a tax on the stupid/lazy. Either fine the fuck out of the vendors of these things when they get compromised (won't happen), or fine the fuck out of idiots who leave these things in the default mode and get hacked (won't happen). Until one of those 2 things happen things will get worse.

    1. Re:This is news because? by Zocalo · · Score: 3, Interesting

      Months? Try *years*. Ignoring the frivolous crap like fridges and kettles, the IoT has basically grown out of the previous generation of SCADA and Industrial Control & Automation (ICA) hardware, plus IP enabled versions of things like access control, building management systems, CCTV and so on. In almost every single case, even where you'd assume that the vendor ought to know better, the rush to get a product to market has trumped any security considerations and quite often the design can be summed up as "take an existing analogue product, put an Ethernet enabled chip on the side of it, slap an Ethernet jack on the case, give it an SKU, and update the product brochure".

      The really scary part is that that is still only scratching the surface of the problem. You also need to keep in mind that many of the original products that the IoT devices are based on are considered mature - they've been in development and on the market for well over a decade in many cases - yet researchers are still finding major security flaws in the underlying devices, e.g. the recent exploits of Siemens' SCADA systems. Factor in that in order to get the "big data" off these myriad devices and into "the cloud" to meet the necessary levels of buzzword compliance means that you are also negating any possibility of a physical air gap between the systems and the public Internet and it's been obvious for much longer than a few months that we've been heading for a major trainwreck (possibly quite literally since rail is also moving towards IoT systems).

      --
      UNIX? They're not even circumcised! Savages!
    2. Re:This is news because? by evilviper · · Score: 1

      We need to put a tax on the stupid/lazy. Either fine the fuck out of the vendors of these things when they get compromised (won't happen), or fine the fuck out of idiots who leave these things in the default mode and get hacked (won't happen).

      What needs to happen is ISPs need to be held responsible when one of their customers is DoSing the rest of the world. You'd waste your effort going after individuals. But the ISPs can cut off individuals' internet access, maybe redirecting to a "FIX YOUR DAMN INSECURE DEVICE" page, charge a fee to re-connect their internet after they've fixed the problem, etc., and those individuals will wake-up and get the message pretty damn fast.

      --
      Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
    3. Re:This is news because? by houghi · · Score: 1

      Also it was only 3500 devices. To me that could mean that it is:
      a) A proof of concept
      b) Not a very dangerous virus
      c) The IoT is pretty safe

      --
      Don't fight for your country, if your country does not fight for you.
    4. Re:This is news because? by indi0144 · · Score: 1

      Isn't it hypocritical to blame the manufacturers when you leave securing a Linux box in the hands of the average gadget user, but shame MS when the same average user fails to secure the Windows box correctly? Which is it? Oh right, it's the programmers' fault, be it Linux or Windows, it's all your fault, but obviously you would never admit to it, bonus points for spinning it in the direction of our memetic nemesis M$, which is no longer relevant to the game.

  8. Better solution: by Anonymous Coward · · Score: 0

    They need to have their *COMPLETE* build environment for the firmware image to their device's source code released. Should an updated version of the source code ALSO fail security testing, all proprietary components of the system should in turn have their source code/firmware code documented and released. Should the auditing/repair of THOSE fail, then the device should be recalled at the manufacturer's expense, and/or the manufacturer permanently banned from the enforcing country's markets.

    The real issue here is that GPL'd software has been heavily abused for *YEARS* now in embedded markets without the required level of source code disclosure. A secondary, but no less troublesome issue is the level of obfuscation/encryption in modern hardware designs disallowing owners of devices from being able to reimage those devices to repair them, either with binary patches to existing firmware images, or in the case of Linux based devices, the ability to rebuild a complete image to the same checksums used by the originals and thus be able to audit both an original image with security issues, as well as a replacement image with those issues patched. The usage of telnet, unencrypted http, and outbound internet connections (especially for 'cloud devices' where the services are often up for only a short time and insecure themselves) is a major issue even on a LAN today, and is certainly untrustworthy for use on an internet facing device, where 40+ nations' governments may be performing DPS on the resulting unencrypted stream.

    1. Re:Better solution: by Tawnos · · Score: 3, Interesting

      AC is right in his reasons, but I disagree with the conclusion. Even audited source code has had vulns found, years after multiple audits. How you define "fail[ing] security testing" is the crux of the discussion.

      What irks me is that many of these companies (Hikvision and Dahua, for example) clearly use statically-linked, GPL OSS, but they stall (for me, two years now) in releasing source code. Hell, the piece I did get from them was a git sync of the components I called out, and not much more. Thing is, these companies are all China-based, how would you even enforce such a law upon them?

    2. Re:Better solution: by airdweller · · Score: 2

      "these companies are all China-based, how would you even enforce such a law upon them?"
      Maybe by a DoJ (DoC?) order banning their importation?

  9. Re:Missing zeros ... by Anonymous Coward · · Score: 0

    It's bitztream, the autism-hating, custom EpiPen-hating Slashdot troll!

  10. Re:Missing zeros ... by Anonymous Coward · · Score: 0

    I get that

    No you didn't - you specifically had to be told.

  11. Re:Missing zeros ... by Anonymous Coward · · Score: 0

    It's bitztream, the autism-hating Slashdot troll!

  12. Carpet bombing by scsirob · · Score: 1

    If I would wear a tin-foil hat, then I'd suggest that Asia is carpet bombing the Western digital world. The difference being that no lives are being taken (yet), no physical damage occurs (yet) and no bomber planes are flying. Oh, and contrary to physical warfare, WE ARE PAYING for our own bombs. Small amounts each time, but we buy the cr*p that comes out of Asia.

    I'm not wearing a tin-foil hat, but still I wonder if the cr*ppy firmware and spreading of so many exploitable devices isn't just part of the plan.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB
    1. Re:Carpet bombing by Anonymous Coward · · Score: 0

      WE ARE PAYING for our own bombs. Small amounts each time,but we buy the cr*p that comes out of Asia.

      So what you are saying is that they are building a botnet, and making the west pay for it?

  13. How are these devices getting opened to anyway? by drinkypoo · · Score: 1

    Are these things making UPnP requests? Or are people actually putting them up with no firewalling? Or are people's PCs getting owned and being used to spread malware behind their firewall? What's the actual vector for people to make connections to these IoT devices? It boggles my mind to think that there are still people out there without firewalls. They cost basically nothing, especially if you don't expect to converge them with an access point.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re:How are these devices getting opened to anyway? by Anonymous Coward · · Score: 0

      Are these things making UPnP requests? Or are people actually putting them up with no firewalling? Or are people's PCs getting owned and being used to spread malware behind their firewall?

      Yes!

  14. Brick them all. They will always be a by Anonymous Coward · · Score: 0

    danger to the internet. If you can infect them then brick them.