Massive Mirai Botnet Hides Its Control Servers On Tor

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

I love that their name is "BestBuy"

Something satisfying about that.

Re:I love that their name is "BestBuy"

I think more high-profile hackers should start assuming the name of corporations and celebrities to even further plunge social media into a quagmire of disinformation.

You made your bed, now lie in it.

Re: I love that their name is "BestBuy"

*His* name, you stupid pronoun-abusing transgendered twat.

Re: I love that their name is "BestBuy"

I assume you know the gender of the person responsible, therefore you're probably an accessory by not revealing their name?

Otherwise, they/their is a perfectly acceptable reference to a person whose gender you don't know, and has been since the 14th century. It's only the new wave of bigots who are trying to pretend that it's new.

Re: I love that their name is "BestBuy"

No, it's a reference to multiple persons.

Re: I love that their name is "BestBuy"

It depends on the language or culture.
Latin calls unknowns by feminine.
English used to use masculine but that offended feminists.

Re: I love that their name is "BestBuy"

"His or her" is more appropriate--but we are lazy.

Re: I love that their name is "BestBuy"

I am an English God and using they instead of he is better for your soul.

Re: I love that their name is "BestBuy"

His or her is not more appropriate because it erases the identities of non-binary people.

"Their" is the accepted word in this case. It was grammatically acceptable in the past and it is grammatically acceptable again. It's an accepted use in the OED and also the WaPo style guide.

Language evolves. Your transphobic whining won't change that. Get over it.

Time to outlaw the IoT

[BarbaraHudson]

The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.

Re:Time to outlaw the IoT

So you want to also ban internet connected DVRs and cameras as well? Good luck....

Re:Time to outlaw the IoT

[JaredOfEuropa]

So we ban routers? After all a big chunk of that botnet consisted of hacked DT routers, and those are "things" too. Instead of outlawing the IoT, we should refrain from casually using the term IoT. To some it means sensor networks, to some it means autonomous machine to machine interactions, to some it means connected smart home devices like toasters, light bulbs and IP cameras, but others would exclude the cameras from that list.

So when another bone-shatteringly ignorant reporter mentions "botnet of IoT devices", smack him around the head with a large trout until he mentions which devices were actually compromised. Types and brands of devices, devices running a certain kind of OS or firmware, or using a specific iOt platform / board / chip. And if you tell us that the IoT is a stupid idea, please enlighten us and let us know which "things" should be kept off the internet.

Re:Time to outlaw the IoT

You didn't even read the blurb, did you? 900,000 routers. Should we ban routers now?

Re:Time to outlaw the IoT

We already have IPv6 which is incompatible with the real internet. Just outlaw dual stack.

Re:Time to outlaw the IoT

[BarbaraHudson]

Not a problem. They don't stop people from breaking into your house, or committing crimes, so they just give a false sense of security.

Re:Time to outlaw the IoT

[BarbaraHudson]

Why not ban crappy routers? It gets p0wned, it gets fried. Spend more on a better one next time.

Re:Time to outlaw the IoT

[BarbaraHudson]

You didn't even read the blurb, did you? 900,000 routers. Should we ban routers now?

Absolutely yes. Any router that is easily p0wned should be banned. How could you be against that?

Re:Time to outlaw the IoT

[dcollins117]

The "Internet of Things" was a stupid idea, so why not just ban it once and for all?

Overall, I think the idea is sound, although the lighting example you gave is a silly consequence of marketing gone awry.

A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage and the consumer could operate their devices when power was cheapest.

Unfortunately, the implementation of these devices so far has been horribly botched. Anything network-facing should be build with security in mind first, and functionality to follow. That's not what happens. Marketing sells features, not bugs, so what gets implemented is the bare minimum functionality that was sold, and security be damned.

Re:Time to outlaw the IoT

[Known+Nutter]

p0wned

It's "pwned," you idiot! You sound like a damn fool when you say it wrong.

Re:Time to outlaw the IoT

[ShanghaiBill]

Why not ban crappy routers?

Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.

Re:Time to outlaw the IoT

Hold the producers liable for such sloppy security programming. The reasoning isn't that different from building regulations: bad construction can cause serious harm to others.

Re:Time to outlaw the IoT

Because banning stuff is idiotic public policy.

There are lots of ways to violate code. Yet somehow the construction business doesn't look like North Korea, and somehow the code doesn't say that there should be NSA bugs in every interior wall in a house.

Re:Time to outlaw the IoT

[BarbaraHudson]

We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.

Re:Time to outlaw the IoT

[BarbaraHudson]

And you look like a damn fool for not knowing the original spelling way back when. Bite me.

Re:Time to outlaw the IoT

[BarbaraHudson]

The various government levels do in fact decide what consumers get. Or would you rather not have standards for manufacturing and operating airplanes, cars, trains, drinking water systems, food safety, etc? That's 3rd world, not America.

Same thing with consumer protection laws, other laws, the courts, etc. Or would you rather your local 3rd-world warlord dictate the law according to their whim?

BTW - the FCC already dictates router specs.

Re:Time to outlaw the IoT

[BarbaraHudson]

You still need to remove the routers from the network, the sooner the better. It can take years for a lawsuit involving bad construction to work it's way through the courts.

Re:Time to outlaw the IoT

[wbr1]

Why not ban crappy routers?

Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.

I already have a Nightly Snoring Asshole in my bedroom...

Re:Time to outlaw the IoT

Go fuck yourself, both of you are dipshits.

Re:Time to outlaw the IoT

[AHuxley]

Think of all the US job that could be created in making CCTV, toasters, ovens, refrigerators, cars, outdoor and sports equipment that needs to connect to the a cloud, local subscription services or needs ongoing support fees.
Thats trendy new inner city "internet" jobs in the USA supporting US device and products.
Its not the fault of the small US start ups teams trying to get their products and rental services online.
To fix the IoT networks just get the vast majority of AV brands to test local networks and every device on it, modem and everything behind it.
If the device responds to admin, pass or password or some other weak junk US consumer grade crypto then the AV software should tell the user every scan.
The user can then alter the default password to something stronger or ask the brand for support or an upgrade.
AV brands could then keep lists of devices and good brands that are secure or that will always report back weak junk settings.

Re:Time to outlaw the IoT

[edtice1559]

Time of day pricing shifts demand. The IoT portion is what allows us to shift use. I can't run home from the office at 3pm to start the clothes dryer because power suddenly gets cheap. But it could start itself based on current prices. Historically our use shifting was crude. Middle of the night was cheaper so just put stuff on a delay. But with the advent of renewables the curve is much more complicated.

Re:Time to outlaw the IoT

[Scarletdown]

p0wned

It's "pwned," you idiot! You sound like a damn fool when you say it wrong.

Guess the GP didn't drink his Pwn Tang this morning.

Re:Time to outlaw the IoT

[Scarletdown]

Sorry. Should have been her, not his. Didn't catch the error in time.

Re: Time to outlaw the IoT

No, they don't. The FCC provides rules for operation and emissions, but nothing about specs.

You truly are one dumb mother fucking troll with one bad idea after another.

You think quality and/or security is correlated with price. Seriously, you are a fucking troll and your Internet access should be limited and supervised.

Re:Time to outlaw the IoT

Modern America just isn't so hot. Lots of **lead paint etcetc**. Norway is not - no lead paint cause lots of things are banned ! And the Norwegian woman are smarter & better fucks and the salmon run harder faster longer. It's the law !

Re: Time to outlaw the IoT

LOL Norwegian farmed salmon is toxic, google it. IT is being banned ;)

Re:Time to outlaw the IoT

Why not ban crappy routers?

Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.

How about enumerating the simple spec criteria that if the device is ever found malfunctioning in a way that is materially damaging someone else's network, and the device manufacturer is unable or unwilling to fix the problem, the device owners shall be entitled to the development materials needed to fix the problem themselves presuming they have an ordinary CS/whatever education and the willingness to invest the necessary time and effort. I know that is a pipe dream, but I actually think it would accomplish the goal.

Re:Time to outlaw the IoT

[MrL0G1C]

"Any router that is easily p0wned should be banned."

This isn't necessarily known until the vulnerability is found, are routers to be banned on the basis of whether they have the latest firmware update? If you ban a router that doesn't have the latest firmware update then it's potentially much harder to then download the firmware update.

What would an ISP do, disconnect all of it's customers the moment a vulnerability is found in their routers? Doesn't seem like a good idea to me.

If the vulnerability is in a IOT-device then how does the user know when said device is banned, are they supposed to check a register of thousands of banned devices every day?

Re:Time to outlaw the IoT

[thegarbz]

The "internet of Things" was a stupid idea, so why not just ban it once and for all?

What makes you say that?

Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch.

Oh right. Ignorance made you say that.

The world would be a better place either way.

False. Maybe look at what IoT actually is in the grand scheme of things instead of just assuming it's your internet connected kettle and shitty lights that change colour before you talk about banning something.

Re:Time to outlaw the IoT

[thegarbz]

We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.

Er no. No it doesn't. It barely works. Fine is not a metric anyone in the energy providing industry would use right now.

Re:Time to outlaw the IoT

[JaredOfEuropa]

That sounds more like isolating them rather than banning them (maybe you mean ban as in "banned from a discussion board" rather than "banned from sales"). That would be fine.

The other day I got a notification from the domain registrar that also hosts email for my domain: "Account X on your domain has been used to send loads of spam through our SMTP server, so we are suspending your access to that server until you resolve the problem". Bad news, but good that they actually monitor this server and notify owners of compromised accounts. Turns out one account was using a rather weak password; I changed it and was back in business. I would be ok with ISPs doing something similar, cutting off (or severely limiting outbound traffic of) known compromised subscribers.

What I would really like to see is a good, very restrictive but easy to configure firewall for home use.

Re:Time to outlaw the IoT

Back in the days of dial up modems for access an ISP would be very proactive about spammers or people cuasing trouble. When I first started my ISP if I could track spam from my mail server to your PC I would cut your service (deny your login) until you called tech support and you downloaded a free virus scanner to remove it.

But now a days ISPs are just lazy, or don't enforce their own TOS even though most include some sort of written policy against spamming.

We, via the ISPs, have made it clear that we will tolerate garbage on the network as long as things 'generally' work.

Having a enterprise level 'scan' of hardware, a PROACTIVE ISP that cuts your service until the issue is remediated and kicking off ISPs at peering points that don't comply is the only way to sanitize the network.

Re: Time to outlaw the IoT

Haha, does that guy seem like the sort of guy who would eat a farmed salmon? And if you are eating farmed salmon, you need to stop, but it sounds like you got that memo.

Re:Time to outlaw the IoT

This just keeps getting better :D Giggidy!

Re:Time to outlaw the IoT

[jgullstr]

let us know which "things" should be kept off the internet.

To prevent Mirai, things with default passwords. Any (accessible) Linux device with a common user/password will be infected within minutes of being connected to the Internet.

Re: Time to outlaw the IoT

Time to come up out of the basement and have your milk and cookie - it's nearly bedtime, don't make momma angry.

Re:Time to outlaw the IoT

If you could fuck off trying to shove the "market" into commodities, that would be swell. I don't WANT a "best price" for power, because that inevitably means I either pay too much or its quality drops so low that I better build my own power plant.

Capitalism is a failure.

Re: Time to outlaw the IoT

That's not exactly right.

The public decides who they trust to make the decision for who makes decisions who make decisions for them. Then you get America.

America is a republic with democratically elected officials.

Just to note, pure democracy has largely been recognised universally as unworkable.

At the end of the day it's about a balance, not black and white. Extreme left and extreme right are both extremists.

Re:Time to outlaw the IoT

The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.

When I was a kid in the 1960's, we had this extraordinary AI system to turn off the lights: You didn't have to say a word, or press a button, you simply clapped your hands, and the lights magically turned off! Clap again, and the lights came back on! For the life of me, I canna recall the name of this Star Trek-like product.

Re: Time to outlaw the IoT

But, then, why should the government ban "something" if all thing are created equally. Lead is a good wood preservative in most applications, just you should not eat or drink it. It anti bacterial, anti viral, and paint able. Does that mean no painted toothpicks? For kids?

Re:Time to outlaw the IoT

[BarbaraHudson]

Let's look at one example - remote managing of a tank farm. It's been proven that all you need to do to take the complex over is a device plugged into the local network. Since there's nobody around to see suspicious activity (and don't start with the whole IP TV cameras bs - even if you saw someone doing something, the response time would be a lot longer than someone on site, so inherently not a deterrent.) So, take control of one of the pumps, fill up a tanker, disconnect and drive off. All the remote location would see is that one pump is down, schedule a maintenance call.

It's the same with home monitoring systems. You know that if you break in you have a delay during which the owner is supposed to enter a code, and only then is an alert sent to the monitoring station, who then has to call the home to verify that it wasn't a false alarm before calling the police (municipalities got fed up with responding to false alarms, so big fines, disconnects, and refusals to respond to ANY call from the monitoring company ensured compliance). So you have a couple of minutes before the cops are notified. There are videos of people stealing the whole camera setup, including the dvr connected to the internet. Even a dog is a better deterrent, because the cops take time to get there once the local monitoring company calls them, and it's not a high-priority call because the cops know that the thieves will be gone by the time they get there, and no lives are in danger. In two minutes, they've got your big screen tv removed from the wall mount and they're gone, leaving behind a damaged door and wall. With a dog, you're more likely to still have your tv, your door and wall.

Nothing replaces a set of ears and eyeballs on the ground. Plus, a human can call the police directly, and the cops will respond quicker, not only because of the lack of time wasted by the monitoring company, but because there's a person potentially at risk.

Just ask the London police how ineffective their CCTV cameras and 2-way speakers are in stopping a crime in progress.

Re:Time to outlaw the IoT

[BarbaraHudson]

Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here. A reduced rate all summer and whenever the outside temperature is above -12C, and a (much) higher rate when the outside temperature goes below -12C. People shift doing their laundry (hot water, electric dryer) to take advantage of off-peak rates. After all, who wants to pay double or more when they can delay it until the daytime when it gets warm enough for the rate to go down?

By the same token, people lower the heat at night because it saves $$$ if you're on the dual-energy rate plan. Maybe you just need to get to where we were 2-3 decades ago.

Re:Time to outlaw the IoT

[BarbaraHudson]

If the product is known to have more holes than a slice of swiss cheese, why not an outright ban? Once manufacturers learn the hard way that customers are going to avoid their crappier products and demand refunds, they'll either get out of the business or fix the problems in future products. Either way, problem solved.

That's supposed to be how the invisible hand of the market is supposed to work.

Re:Time to outlaw the IoT

[BarbaraHudson]

You clapped your hands, which is why it was called "The Clapper." :-)

Re:Time to outlaw the IoT

[Scarletdown]

Even better? How about Pwn Tang provided in their own tea bags? The ultimate gamer geek victory drink. :D

(And yes, I am aware I am totally murdering the rules of sentence structure and punctuation this morning. But as we say in the Duchy of Don't Give a Shit though; at least when we are posting first thing in our waking day while still working on that first cup of coffee, "Frankly my dears, I don't give a shit.") ;)

Re:Time to outlaw the IoT

[thegarbz]

Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here.

Oh no we most definitely do. Variable pricing, peak / off peak times, on / off peak circuits. We got all that. It is barely working. The change it has made on the broad industry has been minute at best because it is behavioural and ultimately still manual. People don't dedicate a lot of time for minimal savings and cry for regulation when the expenses become too high. A true smart grid can offer so much more which is primarily why it is industry driven as a solution to the very real problems they are facing.

Re: Time to outlaw the IoT

[Zero__Kelvin]

Jesus Christ. Just admit that you don't understand what the internet is and how it works and move on with your pathetic life. Only an ignorant moron would run around spewing the ridiculous drivel you have been spewing in this thread.

Re:Time to outlaw the IoT

[ArmoredDragon]

That's the dumbest idea I've heard yet for a solution to this. You can't ban something from the internet on an application basis, (and yes, IoT is just another application as far as the internet is concerned) otherwise that sets a precedent for banning practically anything that governments or whoever doesn't like. The MPAA for example would be able to justify banning things like youtube and bittorrent.

Re:Time to outlaw the IoT

[K10W]

The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.

are you trolling or serious as I'm not sure? Just because you don't see the appeal of something isn't a reason, it is an opinion, and doesn't help much anyway since if you need enough sec news you'd see smart things are a very small portion of that iot botnet numbers. Iirc webcams where one of the biggest in the latest analysis. The actual issue is many vendors have no incentive to secure their products. I don't mean they are not properly hardened I mean they don't do ANYTHING to even try to.

The vendors need ot be given incentive to want to invest time and money on it or fear it'll fuck with their bottom line. Secondly consumers need to be given incentive to both care as the issue does affect them, although they link in chain as ignorant enablers albeit not the direct cause and help them to put demand on vendors to meet that rather than make the customers liable instead of the companies which is doomed to fail too never mind unfair. Consumer pressure to meet a requirement etc works in other industries. Hard to know what to do as it is multiaspect issue and not straightforward but sort of good suggestion I read from commenter on Schneier's blog a while back would possibly work which was to notify owners and hold them legally liable for what the devices are used for if they repeatedly ignore or ignore after time period of first confirmed notification and force consumers to demand vendors of webcams, most provided by isp routers and other stuff to secure their stuff.

You'd need to do similar like open vendors to legal challenges ffrom consumers if they don't try to secure their product properly (or at all). Another issue is the isp's don't give a shit as they gain from the increased traffic thus they have been sitting on their hands in many cases and it has been pointed out more than once by industry people so you need to deal with that too. Same goes for governments who also don't necessarily want to find a "fix" for things than can be utilised by them should they ever wish to. Complex issue like I say, understand now? Alternately we could just ban every iot device like you suggest including routers although it means no more reading oversimplified comments from clueless people so there is some merits to that.

Re:Time to outlaw the IoT

[BarbaraHudson]

Elsewhere I mentioned other IoT product that are flawed, such as DVR video security systems with remote monitoring (thieves will be gone before the cops get there), remotely-administered fuel pumps (already hacked), and a few other things. IoT is fundamentally flawed.

Re:Time to outlaw the IoT

[K10W]

Elsewhere I mentioned other IoT product that are flawed, such as DVR video security systems with remote monitoring (thieves will be gone before the cops get there), remotely-administered fuel pumps (already hacked), and a few other things. IoT is fundamentally flawed.

Don't get me wrong I totally agree they are flawed, and for all my sarcasm my own opinion is very similar but that doesn't mean there isn't value in it for others. I personally feel most of those things add more problems than they solve and are net connected for the wrong reason.Jjust connecting things to the net that don't need to be, and where the wireless is necessary and you need smart versions keep it on intranet would work for most the applications. However my feelings wont ever fix the issue, just like complaining about carbon emissions from planes doesn't do anything to stop people taking flights.

Sometimes I've complained about shit being silly until someone has corrected me on "our business uses that silly functionality for ...." and I have a big "ohhhh" moment and then it makes sense. Some IoT may be a godsend for niche uses, people with a disability and so on and really be more than just because we can kind of things. Sure we can spot the flaws in "some" applications but there will be valid uses too. An of the none essential use people still have a choice and we can't dictate that. What does indeed need fixing is the actual issue though, sadly it will likely come to severe shtf time before sensible action is taken (note the sensible as I'm sure there will be bad "fixes" before the issue is resolved. UK government is rather fond of that approach).

Re:Time to outlaw the IoT

If the biggest companies decide what consumers get, you end up with America.

FTFY

Stop pretending there's a free market.

Re:Time to outlaw the IoT

So your plan is to pay a homeless person minimum wage to sit and keep an eye on your TV.
Sounds much more expensive than just having insurance and buying another TV.
Maybe investigate training the dog to call the cops.

Re:Time to outlaw the IoT

[BarbaraHudson]

So your plan is to pay a homeless person minimum wage to sit and keep an eye on your TV. Sounds much more expensive than just having insurance and buying another TV. Maybe investigate training the dog to call the cops.

Never said that, so don't put words in my mouth. A dog on the premises is cheaper and better, and works for table scraps and dog food. Also, dogs can hear someone before you can, and can tell just by the sound of their walk if it's a friend or not - and growl accordingly as required.

Place I was working at, they had 2 German Shepherds that roamed the premises at night. A former employee broke in to rob the place, they let him get in, no problem. Then they made sure he didn't leave unto someone showed up.

IoT security systems wouldn't have been nearly as effective. The guy would have walked away instead of getting 2 black eyes - I mean slipped and hurt himself.

Re:Time to outlaw the IoT

[TechnoJoe]

Unless a product violates specific enumerated criteria

I think we can specify an enumerated criteria as not persistently sending out harmful/malicious traffic to the public internet. I don't care if YOUR network gets hacked, but when your network attacks my network, it's my problem. At that point, I think you can justify some intervention (not necessarily government, maybe ISP, but something). If a PBX (private telephone exchange) got hacked and started making hundreds of calls to 911, you can bet people would get on that rapidly, instead of the nonchalant attitude about routers being hacked.

I realize my definition might be too broad or vague for your comfort, but once an actual attack begins, the traffic pattern, profile, or signature will be apparent. Then go to the ISPs and say, "This is coming from your network. Stop it." Make the ISP own it. That includes making sure ISPs block traffic attempting to leave their network that claims to be from outside their network. Not sure if consequence is lawsuit by the victim of the attack, the government cutting off the ISP that doesn't make a good faith effort to shut it down, or something else. However, I'm pretty sure it would be better than what we have now.

Re:Time to outlaw the IoT

Or, you know, you could end up with a:
https://en.wikipedia.org/wiki/Aston_Martin_Vulcan

A sports car (not a race car) that's not legal for the road. I could live with one of those.

Re:Time to outlaw the IoT

[Radiophobic]

Neither countries look like good options at this moment. Besides, you might want to consider the little grey area in between North Korea and the US?

Re:Time to outlaw the IoT

TMI. Readers don't care.

Re:Time to outlaw the IoT

[Coren22]

That includes making sure ISPs block traffic attempting to leave their network that claims to be from outside their network.

How would that work? Most of the big ISPs are transit providers, they can't block that traffic at the border. I suppose they could block it at the home portion of the network, but that would cause them to have to process rules on massive amounts of traffic, making the routers 10x the price, over the entire network.

They don't have to take down .onion servers

They just have to block Tor traffic.

Re:They don't have to take down .onion servers

And how do you practically do that when it's using a bridge over ports 80 and 443?

Re:They don't have to take down .onion servers

Deep packet inspection.

Re:They don't have to take down .onion servers

Over port 443 (HTTPS)?

Do explain.

Re:They don't have to take down .onion servers

[fustakrakich]

Trivial.

You don't really believe HTTPS is secure, do you?

Re:They don't have to take down .onion servers

Do you understand how tor bridges work? Those HTTPS certs are dynamically generated and not in control of any CA.

Re:They don't have to take down .onion servers

[fustakrakich]

Even worse. Anybody can make a fake

This is not only a virus of light bulbs

The IOT is a buzzword. There are many devices compromised by this hack that really do belong on the internet, albeit with additional security. Cameras, routers, etc... this is not only a virus of light bulbs.

Additionally, having command and control servers hiding on TOR is likely a vector to be taken by future bot-nets.

Re:This is not only a virus of light bulbs

A control server on Tor is not novel, it was done before by some Zeus banking trojans. It is a quite logical step, especially if you are targeting linux based embedded systems. You simply compile a tor binary and drop it on the system. Then you make your botnet connect via the socks proxy it provides.

DDOS

"Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Once you find the .onion address, DDOS it.

Of course, that would
* be illegal, unless of course you are the law or have the blessings of the law
* hurt the Tor network itself, which in the short term does more harm than good

Re:DDOS

So what's the downside here?

Re:DDOS

Dipshits that use tor to hide their collection of child porn and buy sex slaves would cry.

Re:DDOS

[Vlad_the_Inhaler]

* hurt the Tor network itself, which in the short term does more harm than good
The goalpost is moving. Assisting the destruction of the 'net is going to leave Tor more vulnerable than they have ever been. My money is on someone identifying BestBuy, he has accumulated too many enemies.

Re:DDOS

Maybe "BestBuy" is a three-letter-agency false flag operation, and shutting down TOR is exactly what the people behind it want.

Punishable by death

[JustAnotherOldGuy]

This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.

When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?

Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

Re:Punishable by death

Lets face it, like most of america, you just can't face loosing access to your porn supply.

It's just the internet, if your emergency services infrastructure is brought down by this sort of attack then the people responsible for signing off on it should be the focus of you ire.

Re:Punishable by death

[houghi]

If two dickheads can do it, the problem is not the dickheads. If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety. You say they are not allowed to put lead in their paint. You tell them to put safety belts in their cars. You see that they put safety measures in online devices.

Instead you allow the agency that has knowledge of problems to not solve the issue they find, but instead keep them hidden and not care if others use them,

The issue IS the guys funded at state level. They are called the NSA. And they ARE involved. And they wouldn't want it any other way. Killing two dickheads does not change that. Killing all the dickheads does not change that.

So yes, it DOES sound outrageous, because they are just dickheads. Get the frogs that allow this to happen. They are HAPPY if all you do is kill of some dickheads, because that means they can keep doing whjat they have been doing all along, they that they can fuck up up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general. It will just not be their countries, but the others country, which ever that may be.

Re:Punishable by death

I like how "death" and "twenty years" are similar in your mind.

Re:Punishable by death

[bug1]

When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

Its not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.

crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

Maybe try a technical solution to a technical problem, like not having publicly accessible Internet for critical infrastructure.

Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

Yes it does, your a crazy extremist

Re:Punishable by death

Thank you for beating me to it.

This is not terrorism, though it is reckless endangerment.

Re:Punishable by death

Best Buy is dead to me already. ;)

Re: Punishable by death

More emergency and other critical infrastructure runs on the public net than you think . Before you say they are stupid to do so, remember their mandate is provide services not nuclear launch safe secure parallel net.

Re: Punishable by death

[manquer]

Difficult to identify, catch, jurisdiction problems in foreign countries... The manufacturers who sell insecure shit woth hard coded / staic default passwords on the hand should be fined steeply

Re:Punishable by death

The issue IS the guys funded at state level. They are called the NSA. And they ARE involved. And they wouldn't want it any other way.

Nailed it. They wouldn't want it any other way ... unless they had a spasm of integrity and decided their job was to ensure national cyber security rather than ensuring global cyber insecurity. Oh, but then asses would be uncovered.

Re:Punishable by death

they should just send chris heimsworth or whatever his name is (the thor movie guy) so he would shiv the shit out of the perpetrator, penitentiary style, wham wham wham!!!, 3 in the neck 7 in the chest, no more botnets for you mr hacker!!!

nah, thats too much, now 20 years incarceration in guantanamo while the hacker is forced to watch mr robot out of sequence over and over again, now thats... thats terror, terror built into the system

Re:Punishable by death

[JustAnotherOldGuy]

If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety.

I'm sure the thousands of fly-by-night Chinese manufacturers making this stuff will jump to attention and immediately follow our demands to make their shit safe.

Re:Punishable by death

[JustAnotherOldGuy]

Its not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.

Then maybe it's time to update the definition. It sure sounds and smells like terrorism to me. Crippling an entire country's economy and infrastructure seems like a violent act, even if it's done through a keyboard.

-

Yes it does, your a crazy extremist

First of all, it's "you're", and second, what's your point? It's okay to fuck over an entire country and potentially cause thousands of deaths, but I'm the extremist when I say we should lock the perpetrators up for 20 years?

Re: Punishable by death

[JustAnotherOldGuy]

Difficult to identify, catch, jurisdiction problems in foreign countries...

So was Bin Laden and we buried that motherfucker at sea.

Re:Punishable by death

[gweihir]

The tiny problem with that is that penalties have zero preventative effect. Criminals do not assume they will get caught. Hence while this does serve a primitive desire for revenge, it will not do anything about the problem at all.

In addition, the penalty is quite out of proportion to the crime. In fact, the actual access will not even be a crime in many legislations, because the devices were not secured at all, no hacking needed. The real problem is badly secured and not-secured IoT devices. If you put open barrels of gasoline all over the city, it is really no surprise if it burns down and the person providing the spark that triggers it has actually only a very small part of the blame.

What should happen is that those operating grossly insecure IoT devices like we are talking about here should be subject to fines, say $200, and a discovery, blocking and unblocking fee of, say $100 to the ISP. If the ISP refuses to identify and block, have them pay that fee per instance. Users/ISPs can then try to get that back from the manufacturer. (Fat chance...) That would cut down on this nonsense pretty fast.

Re:Punishable by death

[gweihir]

Very much this. The script-kiddies are at best vandals. Vandals are never the root-cause of a problem, they are just an annoyance. Those that allow this to happen when they could prevent it are willfully endangering critical infrastructure and that is just completely unacceptable.

Re:Punishable by death

[gweihir]

Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in. Sure, that would need to be done in a lot of countries, but a concerted effort is the only thing that helps anyways.

Re:Punishable by death

[JustAnotherOldGuy]

The tiny problem with that is that penalties have zero preventative effect.

Actually, this isn't wholly true. It's a popular misconception that that penalties don't change behavior. Penalties do have some effect, although there will always be those who will take the risk. For example, would you sell or smuggle drugs if there was no penalty? How about committing fraud, or theft, or murder? A lot of people would do those things if there was no penalty, but many of those people look at the downside of getting caught and opt not to do it.

And frankly, prevention isn't necessarily the end goal. Twenty years in prison would have the effect of preventing these people from continuing to commit this kind of crime. It's kinda hard to build and run a botnet from solitary confinement. (A quick, painless execution also tends to hamper that sort of thing, to be frank.)

Re:Punishable by death

[JustAnotherOldGuy]

Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in.

And who will do all of the testing required to make sure that all of these devices are safe or not exploitable? Where will the manpower come from to find and test the millions of devices that come into the country?

I agree that companies should be held responsible for insecure hardware, but it's a moving target that's going to be nearly impossible to hit again and again and again.

Re:Punishable by death

[mrchaotica]

IMO, the only practical way to combat this would be to create a vigilante botnet that bricks everything it infects.

Re:Punishable by death

I've said it before, find these motherfuckers and pull their plugs on PPV, live! They are terrorists plain and simple. Time to start treating them as such.

Re:Punishable by death

[houghi]

See where I used lead paint as an example? Can you buy kids toys with lead in them? Because China makes them.

And yes, if the companies ask to produce secure items, the Chinese would be happy to add it. You pay, they produce what you tell them to produce.
The do not (yet) develop. They produce. So it is up to the American (and other) companies to develop the systems to be safe.

Re:Punishable by death

[gweihir]

And how does that happen, say, for children's toys containing lead? The problem seems to be pretty similar to me...

We are not talking about hard to find vulnerabilities either. We are talking things like telnet-access, default-passwords, no-passwords and no update possibilities. All not hard to determine.

Re:Punishable by death

[gweihir]

You need to have a serious look into the literature. Nothing you propose works. And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?

Re:Punishable by death

[pestilence669]

If a bunch of teenagers can crush an economy, then the foundation of that economy is faulty. You don't build critical infrastructure around it, ignoring and leaving your vulnerabilities exposed. This new generation of technologists have thrown best practices out the window. Nobody looks at single points of failure anymore. Increase the punishment for pressing the big-red button?

Re:Punishable by death

[JustAnotherOldGuy]

If a bunch of teenagers can crush an economy, then the foundation of that economy is faulty.

If a bunch of teenagers can burn your house down, is the house faulty?

Everything is "faulty" in one way or another, but that doesn't give anyone a free pass to destroy it.

Re:Punishable by death

[JustAnotherOldGuy]

And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?

No problem, we'll house the "next one" in the cell next door to the first one. (Or the next empty cemetery plot.) And so on. Just because we can't prevent it doesn't mean there shouldn't be penalties, right? That's what 99% of the laws on the books are all about- punishing offenders, not preventing them from committing crimes.

I already said that some people aren't deterred by the threat of death or imprisonment, but that's going to be their problem when they get caught, not mine. Locking them up (or lopping off their heads) will certainly keep them from continuing their criminal behavior.

Re:Punishable by death

[gweihir]

So you do not mind the problem persisting as long as you can brutalize or kill a few people? Talk about a cave-man mindset.

Re:Punishable by death

[bug1]

There needs to be a political goal for it to be considered terrorism.

The law is based on precedents and consistency in judgements, reinterpreting legal definitions because your afraid is just terribly selfish. Why cant you just use other words ?

If someone sabotages equipment that leads to thousands of deaths, then there are other laws to cover that.

The law should not be used as propaganda

your, your, your, your :)

Re:Punishable by death

[JustAnotherOldGuy]

So you do not mind the problem persisting as long as you can brutalize or kill a few people?

Are you saying we shouldn't punish people for committing crimes? That seems stupid and naive.

Re:Punishable by death

[JustAnotherOldGuy]

Why cant you just use other words ?

Fine, use other words if that makes you happy.

Improve consumer firewalls

[davidwr]

It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.

If you want to allow your thermostat to talk to a specific external host then punch a very narrow hole in the firewall to allow it.

Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.

This will require industry cooperation:
* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
* ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off. If you use one of these new routers, it's much less likely that bad things will come out of your network."

Re:Improve consumer firewalls

I love when people think ISPs will willingly deny themselves money for altruistic reasons, its so cute. And totally unrealistic.

Re:Improve consumer firewalls

[davidwr]

I love when people think ISPs will willingly deny themselves money for altruistic reasons,

Or lawsuit-prevention reasons.

How soon before someone successfully sues an ISP for failing to cut off someone once they are notified their customer has a bot or other malicious machine on his LAN?

Re:Improve consumer firewalls

* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer

Giving consumers access to the firewall? What could possibly go... oooh, dancing pigs!

Re:Improve consumer firewalls

Then you'll just end up with UPnP type solutions.

Re:Improve consumer firewalls

[thegarbz]

It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.

Sure because users are that clued on in IT stuff now. They can't even change their default passwords but they'll manage a firewall no problems.

* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer

Something like UPnP? Yeah let's develop a firewall along with a protocol to punch holes through it automagically.

ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off.

Tell customers that they will cease being your customers and you don't want more money from them? When has something like this every had the cooperation of industry? ISPs are fighting against cutting customers off when they have legal requirements to do so, you think they're just going to do it on a whim?

Re:Improve consumer firewalls

Willingly deny themselves money? Where did he say anything about the ISP not billing you for their security services? Or for you having an active account in their system? "Cut off" simply means a temporary disconnection due to TOS violations, not a complete severance of service. You will continue to be billed for it.

And most ISP's are going to demand that you have an in-compliance account in order to cancel service without some serious arbitration, just so you don't take your poorly-configured ball and go to the next ISP in the vain attempt to circumvent the rules.

Re:Improve consumer firewalls

[mrchaotica]

Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.

LOLWTF? Does nobody use hubs or switches anymore? It seems to me the best way to keep my LAN data from leaking out my WAN is for the router to not be involved in transmitting it at all...

HNIC

*yawn* Its Hockey Night In Canada!

Better punishment

[davidwr]

Force all their internet through a proxy that routes everything to goatse for the next 20 years to life.

I can almost hear them screaming:

"My eyes, they burn, kill me now, please kill me now."

Typical precursor to heavy-handed legislation

[golodh]

It's interesting to see history repeat itself (again). Years ago you had some very vocal pimply-faced youths who jeered about how they were illegally distributing copyrighted works (software, music, video, books. Stupid companies! No copyright protection, lame copyright protection ... easy meat !

Result ? Among others the DMCA. Various individuals were sued into bankruptcy by the music industry, just to show people what the risks were (remember single mother Jammie Thomas ? See: https://en.wikipedia.org/wiki/...) . Some were driven to suicide (see https://en.wikipedia.org/wiki/... ).

What shouty nerds tend to forget is that (like it or not) they are part of a society that can (and does) sets certain limits on their behaviour. Which can be enforced. With or without their consent.

Tor routers can be a force for the good (avoiding censorship, protecting human rights activists, protecting investigative journalists) but they really _can_ be eradicated, given sufficient incentive.

Just outlaw the servers, force ISP's to scan all Internet traffic for TOR servers, log any connections and isolate / report them as soon as they're detected. Send a SWAT team to visit anyone who connects to a TOR server to seize their computers pending investigation. Set penalties sufficiently high to pay for all that and publicly sue a few tens of offenders into bankruptcy.

Should cow 99% of all TOR users, right? The 1% who aren't cowed are probably up to no good anyway.

A bit like China. Not pretty, and people won't like it, but it really can be enforced.

The detection and tracking part is already in place. Just consider the raft of deep-packet inspection routers that has been installed already (see https://en.wikipedia.org/wiki/... ).

I'm not saying I'd like to see something like that (I wouldn't). All I'm saying is that stupid and venal abusers like this a**hole botnet operator make it that much more likely that something like that will occur. Whether we realise it or not. To the detriment of us all.

Re: Typical precursor to heavy-handed legislation

I would support it, as long as we got good Chinese food like they do in China.

Re:Typical precursor to heavy-handed legislation

I would. Fuck tor.

Re:Typical precursor to heavy-handed legislation

Well, with a botnet as large as Mirai (or even one that is a lot smaller) you could easily make your own tor or other P2P network. It wouldn't surprise me if this will overload Tor, it is ~400k nodes after all. There are about 1k relays, and every circuit to a hidden service uses ~6 connections. This would result on average in 2400 connections per node, which is more than the default ulimit of 1500.

Re:Typical precursor to heavy-handed legislation

you sound like a transexual globalist and im gonna fight you with super male vitalogy and dna power

Re:Typical precursor to heavy-handed legislation

[gweihir]

You can. And you can even read up on how to do it right. Add cover-traffic, and there is no way to ever identify where commands have been inserted into the bot-net. You lose a bit on the real-time control side, but not much. Using Tor here is a _convenience_, it is not a _necessity_.

Did not work with mail

[Demena]

So, any site that handles email without a "postmaster" or which has a "do-not-reply" address should be booted off the Internet?

The Internet is not designed for 100% reliability.

[Mal-2]

The network itself may have a pretty good track record of never totally falling over, but there is no guarantee at any given moment that there will be connectivity where you are, right now. Networks and entire countries can be cut off, and an emergency responder had best assume in a SHTF scenario that data service will be intermittent to completely unavailable. What happened to the radios in the cars? Those won't just stop working (unless it's an EMP attack, but what good is a network connection if all your gear is bricked?) and were the state of the art not that long ago. If they don't want to maintain a radio network in addition to the Internet-reliant communications, then they're going to have to pass out handhelds when it happens. If they aren't keeping any backup plan in place at all, they're complete idiots because this doesn't require buying more gear, it just means maintaining the gear they owned before. (Or someone higher up forced them to do so, for self-serving and/or malicious purposes.)

The internet being unavailable should not be a life-threatening emergency, except possibly to the degree that hospitals will be unable to access patient files who are there for treatment after whatever actually went wrong that day. Even that could be avoided if hospitals all had to mirror the host every so often, but any /. reader will know how incompetent healthcare IT has proven to be.

off-peak-only hot water heaters

[davidwr]

Decades ago some cities had houses with 2 electric meters.

One fed the hot water heater (the kind with a tank) but the power company would turn off the electricity for, say, 15 minutes at a time on a "rolling" basis during peak usage. In exchange, the "hot water heater" electricity rate was lower than the regular rate.

Since hot water stays hot for a long time, you wouldn't notice it unless everyone in your house was taking a long shower at the same time the power was cut.

Oh, and since this was decades ago, it was in a time when the power grid was managed almost completely by "analog" devices, including "analog computers."

Re:off-peak-only hot water heaters

[edtice1559]

And this works just fine for hot water heaters where you can just pull the power out from under them at any time. It doesn't work well for clothes dryers, refrigerators, et cetera.

Never let a good crisis go to waste

One of my jobs in the past, was crisis potential utilization.

we didn't generate a crisis. But we noted where potential problems existed, then take actions 3 steps removed to influence other pieces to get closer. Say you find a mop closet storing petrol, ether etc. having people work there who are inclined to be lazy & not be thorough or safe is a good start. having it appear as a convenient spot to smoke is a good next step. Whatever happens next, the only real job is to clean up the situation, discredit all people close to the event, then institute sweeping changes, programs, new groups to deal w/ problems.

for the TL; DR; crowd, don't worry about it, everything is fine go back to your food trough & watch more cat videos.

for the rest of us, the title says it all. This will be the opening gambit in a new war. Not the watershed moment, but a very good one for historians to hang their hats on.

Targeted actors like this on Tor is a good thing

It'll potentially help to identify weaknesses in Tor whereas previously it was government contractors doing the code review and keeping its security vulnerabilities to itself. If we have the private security entities that target malware doing the review we have a better chance and finding out about a vulnerability in Tor that may not have otherwise been exposed publicly.

It's illogical to try and shut down Tor. The problem is not Tor. It's crappy security on IoT devices and computers. Anonymity networks are already designed to hide so outlawing them doesn't stop them from existing. At best it just becomes a cat and mouse game with the anonymity networks getting better and better.

We do need to keep funding projects like Tor, i2p, and Freenet. We also need to come up with appliances and use cases for wider adoption. If only the 'bad guys' use Tor then its easy to pick out the activists, governmental adversaries, and persons being persecuted by governments for which Tor is primarily intended. I know people don't like the fact people run file sharing software over Tor or any number of other things. However the argument for it is simple. If we don't do these things then those who need these tools can more easily be identified and targeted. If a Tor user is more likely to be some innocuous user than a person the government is after that government is going to bear less fruit by targeting Tor users.

Massively misinformative article

[ezdiy]

1) No botnet actually hijacked 900k CPEs of DT, at the moment there are rougly between 10k-40k zyxel ones across the world. The outages were caused by the increased 7547 scan traffic crashing routers of other vendors.

2) Zyxel SOAP RCE probes died down rapidly past 2 weeks. There is still some traffic (wget vizxv.pw/a if you're curious, note that you need actual wget user-agent), but the botnet is relatively small at this point.

3) As for general IoT botnets using telnet, running a simple cowrie honeypot will tell you that C&C method of current largest botnet is not Tor based, but bittorrent DHT based. The codebase appears to be unrelated to mirai, too.

All of the above can be fact checked using pretty simple tools - for TR-069 exploit simply listen with netcat, for telnet/ssh bruteforce use cowrie. Botnet size can be gauged accurately by sampling scan probes (mirai codebase sends 160 probes/s).

LoLwut?

No. The internet is not crucial to life and health. And if someone makes it so, then *they* should be put to death. Srsly. 20 years after the internet becomes mainstream and suddenly you want people put to death over it? Give me a break. If it's come to this then we need to cut our dependence.

Re:LoLwut?

Haha welcome to the new Eternal September

Re: LoLwut?

Internet saves billions of government money. That money is used in Healthcare. Lives saved by the internet.

As GP said

I guess that was GP's point:

A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage

So the appliances you mention might be able to respond to "please conserve at these times" messages from the power company.
Or if the washing machine is programmed to run at 4-7am, it can let them know.

My fridge stays cool for a looong time without power, a few hours off is no problem. Unless you want some instant icecube dispenser to work or something.
But if it "knows" in advance when it should conserve power, before that it can run extra cool to bridge the gap, or say "no" to the network.

Perhaps it can make things easier for the power company to deal with supply/demand differences, reducing the need for batteries/fossil to augment renewables.
(PS: not saying all this is a good idea, that's another discussion)

More TOR nodes?

[djinn6]

Maybe the guy will turn some of those hacked devices into TOR nodes and actually do some good for the world.

Re:More TOR nodes?

Epic PR potential! I would totally support his operation if he did that. My freedom is worth more to me than their light switches and routers.

Hosts files stop this botnet

See subject - Blocking communication w/ it's C&C servers:

HARDCODED INTERNAL TO BOTNET CODE:

0.0.0.0 zugzwang.me
0.0.0.0 tr069.online
0.0.0.0 tr069.tech
0.0.0.0 tr069.support

DGA GENERATED:

0.0.0.0 vmdefmnsndoj.tech
0.0.0.0 xpknpxmywqsr.tech
0.0.0.0 lvfjcwwobycj.tech
0.0.0.0 nympompksmfx.tech
0.0.0.0 kedbuffigfjs.online
0.0.0.0 bwhrdaumwuvn.online
0.0.0.0 bpmsfckfkrpr.online
0.0.0.0 oornduuwjli.tech
0.0.0.0 qjqubpciajoc.tech
0.0.0.0 exvdaajegjur.online
0.0.0.0 poorcetnmjfc.online
0.0.0.0 vtrndmhsgada.online

* BOTNET NO LONGER USES DGA THOUGH

"the DGA feature had been removed" FROM https://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet/

(TOR DOMAINS != LISTED BUT CAN BE BLOCKED ONCE DETERMINED)

APK

P.S.=> For the best custom hosts file creator? APK Hosts File Engine 9.0++ SR-4 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ ... apk

Additional hosts-domains mirai uses to block

These entries in your custom hosts file also block more MIRAI botnet C&C servers (+ other communications parts):

0.0.0.0 timeserver.host
0.0.0.0 securityupdates.us
0.0.0.0 srrys.pw
0.0.0.0 l.ocalhost.host
0.0.0.0 tr069.pw
0.0.0.0 mziep.pw

* FROM - https://securelist.com/blog/incidents/76791/new-wave-of-mirai-attacking-home-routers/

APK

P.S.=> That's in addition to my original post's list of C&C servers MIRAI botnet utilizes here https://it.slashdot.org/comments.pl?sid=10009063&cid=53507971/ ... apk

They're blockable too... apk

I have them determined & blocked in my custom hosts file for ZEUS variants just as I have blocked MIRAI's current crop of C&C servers hardcoded + other networked systems it uses here https://it.slashdot.org/comments.pl?sid=10009063&cid=53507971/ & here https://it.slashdot.org/comments.pl?sid=10009063&cid=53508081/ so I am awaiting the .onion TOR domains to block once they're determined - as is, I've got this thing corralled & nullified via hosts files usage.

APK

P.S.=> Use of .onion by this "bestbuy" GOOF (anyone doing botnet crap's an a-hole imo) isn't what he says it is quoted "Try to shut down .onion 'domains' over Tor," BestBuy boasted FROM https://www.bleepingcomputer.com/news/security/security-firms-almost-brought-down-massive-mirai-botnet// BECAUSE YOU'RE CORRECT & THOSE .onion DOMAINS GET REVEALED JUST LIKE ANY OTHER C&C + OTHER NETWORKED PARTS ALWAYS DO - hosts block them easily! apk

Did not "hijack" Deutsche Telekom routers

[gweihir]

Please get at least basic facts right in stories: It crashed these routers, but it did not get in, as the vulnerability exploited was not present. A DoS vulnerability remained unfortunately, and the port the service was running on was globally reachable. Bad, but not nearly as bad as being vulnerable to "hijacking".

Re:Targeted actors like this on Tor is a good thin

[gweihir]

Indeed. Tor is not the problem here. Anybody running a bot-net can already implement command-insertion in such a way that a command can be sent to any member-note and then gets distributed. That is basically untraceable if cover-traffic is also added. It takes a tiny bit more effort in implementing this though.

An idea for tracking to identify people

[BlueCoder]

Simply requires the cooperation of all ISP's. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.

No matter what kind of encryption used you can characterize streams by various types of signature. Second ISP's could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery. Finally one can also always introduce lag.

So to track who is talking to any server you characterize the stream. Then through a command and control server of their own introduce various inconspicuous amounts of lag at all ISP's for all the streams that match the characterization signature. Add in a binary search and you can track any connection back to it's source in under a minute. It also can also identify all proxies within it's borders and the order they are used according to the lag propagation. Even using a neighbors WIFI will not necessarily hide you.

Re:An idea for tracking to identify people

[Agripa]

Simply requires the cooperation of all ISP's. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.

They sure have. I believe they are seizing and retaining the content as well if only with the excuse that it also contains metadata.

No matter what kind of encryption used you can characterize streams by various types of signature.

It is a good thing that nobody would duplicate the signature of an already well known and secure encryption solution which is already used for routine connections.

Second ISP's could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery.

This is easy to defeat at a cost in only bandwidth and latency. Completely anonymous communications are possible where every piece of metadata is recorded and the increased cost in bandwidth means that there will be orders of magnitude more metadata to analyze. This does not even require centralized infrastructure and the pieces are in place to do it right now if two endpoints want secure and anonymous communications.

Finally one can also always introduce lag.

So to track who is talking to any server you characterize the stream. Then through a command and control server of their own introduce various inconspicuous amounts of lag at all ISP's for all the streams that match the characterization signature. Add in a binary search and you can track any connection back to it's source in under a minute. It also can also identify all proxies within it's borders and the order they are used according to the lag propagation. Even using a neighbors WIFI will not necessarily hide you.

That is clever but only works against low latency real time connections.