New, More-Powerful IoT Botnet Infects 3,500 Devices In 5 Days

An anonymous reader quotes a report from Ars Technica: There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices. Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6. The best-of-breed approach "is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected," a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. "To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news."

IoT needs to go away.

[Mal-2]

Whoever decided putting devices without sufficient resources to defend themselves, or be updated, directly onto the Internet was a good idea should have his professional certifications revoked and forbidden to administer anything more complicated than his own home network. And that home should probably be denied connectivity to the world.

The IoT is not necessarily a bad idea in concept, but it has been implemented exceptionally poorly, and those devices that cannot be updated need to be disconnected forever, or at least hidden on their own private networks. Vendors who cannot or will not patch their devices should be compelled to recall them, as violations of Part 15 rules against causing harmful interference.

Time to brick the IoT

[Noah+Haders]

We need a team of grey hats who weaponize these IoT security flaws. There's no way you can win the IoT security battle through publicity or conferences. I assure you the chinese crapola seller isn't going to issue a security patch.

Instead, we need the grey hats to find these IoT flaws and then brick all IoT devices that they can find. Just make it a standing rule -- insecure IoT? Bricked! This would make many OEMs pay attention to security, and for those who still don't, at least their products will be off the web.

Where can we enlist these hackers?

This is news because?

[Snotnose]

We all know IoT devices have absolutely no security, we've known this for months. Yet the uninformed keep buying them (despite the "NEW AT 11 OCLOCK!!! HACKERS TAKE OVER YOUR BABY CAM" every few weeks). The uninformed can't be bothered to change the default password, even after watching the abovementioned news flash. The uninformed considered a day or three of crappy internet as "hmmm, must be hackers somewhere. But not in my neighborhood".

We need to put a tax on the stupid/lazy. Either fine the fuck out of the vendors of these things when they get compromised (won't happen), or fine the fuck out of idiots who leave these things in the default mode and get hacked (won't happen). Until one of those 2 things happen things will get worse.