Massive Mirai Botnet Hides Its Control Servers On Tor

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Punishable by death

[JustAnotherOldGuy]

This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.

When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?

Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

Re:Punishable by death

[houghi]

If two dickheads can do it, the problem is not the dickheads. If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety. You say they are not allowed to put lead in their paint. You tell them to put safety belts in their cars. You see that they put safety measures in online devices.

Instead you allow the agency that has knowledge of problems to not solve the issue they find, but instead keep them hidden and not care if others use them,

The issue IS the guys funded at state level. They are called the NSA. And they ARE involved. And they wouldn't want it any other way. Killing two dickheads does not change that. Killing all the dickheads does not change that.

So yes, it DOES sound outrageous, because they are just dickheads. Get the frogs that allow this to happen. They are HAPPY if all you do is kill of some dickheads, because that means they can keep doing whjat they have been doing all along, they that they can fuck up up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general. It will just not be their countries, but the others country, which ever that may be.

Re:Time to outlaw the IoT

[JaredOfEuropa]

So we ban routers? After all a big chunk of that botnet consisted of hacked DT routers, and those are "things" too. Instead of outlawing the IoT, we should refrain from casually using the term IoT. To some it means sensor networks, to some it means autonomous machine to machine interactions, to some it means connected smart home devices like toasters, light bulbs and IP cameras, but others would exclude the cameras from that list.

So when another bone-shatteringly ignorant reporter mentions "botnet of IoT devices", smack him around the head with a large trout until he mentions which devices were actually compromised. Types and brands of devices, devices running a certain kind of OS or firmware, or using a specific iOt platform / board / chip. And if you tell us that the IoT is a stupid idea, please enlighten us and let us know which "things" should be kept off the internet.

Re:Time to outlaw the IoT

[dcollins117]

The "Internet of Things" was a stupid idea, so why not just ban it once and for all?

Overall, I think the idea is sound, although the lighting example you gave is a silly consequence of marketing gone awry.

A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage and the consumer could operate their devices when power was cheapest.

Unfortunately, the implementation of these devices so far has been horribly botched. Anything network-facing should be build with security in mind first, and functionality to follow. That's not what happens. Marketing sells features, not bugs, so what gets implemented is the bare minimum functionality that was sold, and security be damned.

Re:Time to outlaw the IoT

[ShanghaiBill]

Why not ban crappy routers?

Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.

Re:Time to outlaw the IoT

[BarbaraHudson]

The various government levels do in fact decide what consumers get. Or would you rather not have standards for manufacturing and operating airplanes, cars, trains, drinking water systems, food safety, etc? That's 3rd world, not America.

Same thing with consumer protection laws, other laws, the courts, etc. Or would you rather your local 3rd-world warlord dictate the law according to their whim?

BTW - the FCC already dictates router specs.