
New, More-Powerful IoT Botnet Infects 3,500 Devices In 5 Days (arstechnica.com)

An anonymous reader quotes a report from Ars Technica: There's a new, more powerful Internet-of-things botnet in town, and it has managed to infect almost 3,500 devices in just five days, according to a recently published report. Linux/IRCTelnet, as the underlying malware has been named, borrows code from several existing malicious IoT applications. Most notably, it lifts entire sections of source code from Aidra, one of the earliest known IoT bot packages. Aidra was discovered infecting more than 30,000 embedded Linux devices in an audacious and ethically questionable research project that infected more than 420,000 Internet-connected devices in an attempt to measure the security of the global network. As reported by the anonymous researcher, Aidra forced infected devices to carry out a variety of distributed denial-of-service attacks but worked on a limited number of devices. Linux/IRCTelnet also borrows telnet-scanning logic from a newer IoT bot known as Bashlight. It further lifts a list of some 60 widely used username-password combinations built into Mirai, a different IoT bot app whose source code was recently published on the Internet. It goes on to add code for attacking sites that run the next-generation Internet protocol known as IPv6. The best-of-breed approach "is driving a high infection speed of Linux/IRCTelnet (new Aidra) so it can [infect] almost 3,500 bot clients within only five days from the moment its loader was first detected," a researcher who goes by the handle Unixfreakjp wrote in a blog post reporting on the new malware. "To incarnate a legendary botnet code into a new version that can [target] the recent vulnerable threat landscape is really inviting more bad news."
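As an added illustration that is not part of the Ars report or the Slashdot thread, the kind of detection a defender could run over a device's login log to catch the telnet credential-list scanning described above. The log lines are constructed, the login(1)-style message format is an assumption, and IPv6 sources are normalised so that differently spelled addresses collapse to one source:

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style telnet login lines (not real device output).
# Assumed format: ISO timestamp, then a login(1)-like FAILED LOGIN / LOGIN message.
SAMPLE_LOG = """\
2016-11-01T10:00:01 login[231]: FAILED LOGIN 1 FROM 203.0.113.7 FOR root, Authentication failure
2016-11-01T10:00:02 login[231]: FAILED LOGIN 2 FROM 203.0.113.7 FOR admin, Authentication failure
2016-11-01T10:00:02 login[233]: FAILED LOGIN 1 FROM 2001:db8::5 FOR root, Authentication failure
2016-11-01T10:00:03 login[231]: FAILED LOGIN 3 FROM 203.0.113.7 FOR support, Authentication failure
2016-11-01T10:00:04 login[231]: FAILED LOGIN 4 FROM 203.0.113.7 FOR user, Authentication failure
2016-11-01T10:00:05 login[231]: FAILED LOGIN 5 FROM 203.0.113.7 FOR guest, Authentication failure
2016-11-01T10:00:06 login[231]: LOGIN ON pts/0 BY admin FROM 203.0.113.7
2016-11-01T10:30:00 login[240]: LOGIN ON pts/1 BY admin FROM 2001:DB8:0:0:0:0:0:5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login\[\d+\]: "
    r"(?:FAILED LOGIN \d+ FROM (?P<fail_src>\S+) FOR (?P<fail_user>\w+)"
    r"|LOGIN ON \S+ BY (?P<ok_user>\w+) FROM (?P<ok_src>\S+))"
)

def parse(line):
    """Return (timestamp, normalised source, user, success) or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.fromisoformat(m["ts"])
    # ipaddress canonicalises IPv6 spelling, so 2001:DB8:0:0:0:0:0:5 == 2001:db8::5
    src = str(ipaddress.ip_address(m["fail_src"] or m["ok_src"]))
    ok = m["ok_user"] is not None
    return ts, src, (m["ok_user"] if ok else m["fail_user"]), ok

def detect(log_text, threshold=5, window=timedelta(seconds=60)):
    """Map source -> 'bruteforce' when >= threshold failures fall inside `window`,
    escalated to 'compromised' when a successful login from that source follows."""
    fails = defaultdict(list)   # source -> timestamps of recent failures
    verdicts = {}
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, src, _user, ok = rec
        if ok:
            if verdicts.get(src) == "bruteforce":
                verdicts[src] = "compromised"
            continue
        recent = fails[src]
        recent.append(ts)
        while recent and ts - recent[0] > window:   # drop failures outside the window
            recent.pop(0)
        if len(recent) >= threshold and src not in verdicts:
            verdicts[src] = "bruteforce"
    return verdicts
```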


  1. Re:Better solution: by Tawnos · Score: 3, Interesting

    AC is right in his reasons, but I disagree with the conclusion. Even audited source code has had vulns found, years after multiple audits. How you define "fail[ing] security testing" is the crux of the discussion.

    What irks me is that many of these companies (Hikvision and Dahua, for example) clearly use statically-linked, GPL OSS, but they stall (for me, two years now) in releasing source code. Hell, the piece I did get from them was a git sync of the components I called out, and not much more. Thing is, these companies are all China-based; how would you even enforce such a law upon them?

  2. Re:This is news because? by Zocalo · Score: 3, Interesting

    Months? Try *years*. Ignoring the frivolous crap like fridges and kettles, the IoT has basically grown out of the previous generation of SCADA and Industrial Control & Automation (ICA) hardware, plus IP enabled versions of things like access control, building management systems, CCTV and so on. In almost every single case, even where you'd assume that the vendor ought to know better, the rush to get a product to market has trumped any security considerations and quite often the design can be summed up as "take an existing analogue product, put an Ethernet enabled chip on the side of it, slap an Ethernet jack on the case, give it an SKU, and update the product brochure".

    The really scary part is that that is still only scratching the surface of the problem. You also need to keep in mind that many of the original products that the IoT devices are based on are considered mature - they've been in development and on the market for well over a decade in many cases - yet researchers are still finding major security flaws in the underlying devices, e.g. the recent exploits of Siemens' SCADA systems. Factor in that in order to get the "big data" off these myriad devices and into "the cloud" to meet the necessary levels of buzzword compliance means that you are also negating any possibility of a physical air gap between the systems and the public Internet and it's been obvious for much longer than a few months that we've been heading for a major trainwreck (possibly quite literally since rail is also moving towards IoT systems).

    --
    UNIX? They're not even circumcised! Savages!