Massive Mirai Botnet Hides Its Control Servers On Tor

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

Punishable by death

[JustAnotherOldGuy]

This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.

When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?

Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

Re:Punishable by death

[houghi]

If two dickheads can do it, the problem is not the dickheads. If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety. You say they are not allowed to put lead in their paint. You tell them to put safety belts in their cars. You see that they put safety measures in online devices.

Instead you allow the agency that has knowledge of problems to not solve the issue they find, but instead keep them hidden and not care if others use them,

The issue IS the guys funded at state level. They are called the NSA. And they ARE involved. And they wouldn't want it any other way. Killing two dickheads does not change that. Killing all the dickheads does not change that.

So yes, it DOES sound outrageous, because they are just dickheads. Get the frogs that allow this to happen. They are HAPPY if all you do is kill of some dickheads, because that means they can keep doing whjat they have been doing all along, they that they can fuck up up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general. It will just not be their countries, but the others country, which ever that may be.

Re:Punishable by death

[bug1]

When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

Its not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.

crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

Maybe try a technical solution to a technical problem, like not having publicly accessible Internet for critical infrastructure.

Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

Yes it does, your a crazy extremist

Re:Time to outlaw the IoT

[JaredOfEuropa]

So we ban routers? After all a big chunk of that botnet consisted of hacked DT routers, and those are "things" too. Instead of outlawing the IoT, we should refrain from casually using the term IoT. To some it means sensor networks, to some it means autonomous machine to machine interactions, to some it means connected smart home devices like toasters, light bulbs and IP cameras, but others would exclude the cameras from that list.

So when another bone-shatteringly ignorant reporter mentions "botnet of IoT devices", smack him around the head with a large trout until he mentions which devices were actually compromised. Types and brands of devices, devices running a certain kind of OS or firmware, or using a specific iOt platform / board / chip. And if you tell us that the IoT is a stupid idea, please enlighten us and let us know which "things" should be kept off the internet.

Improve consumer firewalls

[davidwr]

It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.

If you want to allow your thermostat to talk to a specific external host then punch a very narrow hole in the firewall to allow it.

Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.

This will require industry cooperation:
* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
* ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off. If you use one of these new routers, it's much less likely that bad things will come out of your network."

Typical precursor to heavy-handed legislation

[golodh]

It's interesting to see history repeat itself (again). Years ago you had some very vocal pimply-faced youths who jeered about how they were illegally distributing copyrighted works (software, music, video, books. Stupid companies! No copyright protection, lame copyright protection ... easy meat !

Result ? Among others the DMCA. Various individuals were sued into bankruptcy by the music industry, just to show people what the risks were (remember single mother Jammie Thomas ? See: https://en.wikipedia.org/wiki/...) . Some were driven to suicide (see https://en.wikipedia.org/wiki/... ).

What shouty nerds tend to forget is that (like it or not) they are part of a society that can (and does) sets certain limits on their behaviour. Which can be enforced. With or without their consent.

Tor routers can be a force for the good (avoiding censorship, protecting human rights activists, protecting investigative journalists) but they really _can_ be eradicated, given sufficient incentive.

Just outlaw the servers, force ISP's to scan all Internet traffic for TOR servers, log any connections and isolate / report them as soon as they're detected. Send a SWAT team to visit anyone who connects to a TOR server to seize their computers pending investigation. Set penalties sufficiently high to pay for all that and publicly sue a few tens of offenders into bankruptcy.

Should cow 99% of all TOR users, right? The 1% who aren't cowed are probably up to no good anyway.

A bit like China. Not pretty, and people won't like it, but it really can be enforced.

The detection and tracking part is already in place. Just consider the raft of deep-packet inspection routers that has been installed already (see https://en.wikipedia.org/wiki/... ).

I'm not saying I'd like to see something like that (I wouldn't). All I'm saying is that stupid and venal abusers like this a**hole botnet operator make it that much more likely that something like that will occur. Whether we realise it or not. To the detriment of us all.

Re:Time to outlaw the IoT

[dcollins117]

The "Internet of Things" was a stupid idea, so why not just ban it once and for all?

Overall, I think the idea is sound, although the lighting example you gave is a silly consequence of marketing gone awry.

A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage and the consumer could operate their devices when power was cheapest.

Unfortunately, the implementation of these devices so far has been horribly botched. Anything network-facing should be build with security in mind first, and functionality to follow. That's not what happens. Marketing sells features, not bugs, so what gets implemented is the bare minimum functionality that was sold, and security be damned.

Re:Time to outlaw the IoT

[ShanghaiBill]

Why not ban crappy routers?

Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.

Massively misinformative article

[ezdiy]

1) No botnet actually hijacked 900k CPEs of DT, at the moment there are rougly between 10k-40k zyxel ones across the world. The outages were caused by the increased 7547 scan traffic crashing routers of other vendors.

2) Zyxel SOAP RCE probes died down rapidly past 2 weeks. There is still some traffic (wget vizxv.pw/a if you're curious, note that you need actual wget user-agent), but the botnet is relatively small at this point.

3) As for general IoT botnets using telnet, running a simple cowrie honeypot will tell you that C&C method of current largest botnet is not Tor based, but bittorrent DHT based. The codebase appears to be unrelated to mirai, too.

All of the above can be fact checked using pretty simple tools - for TR-069 exploit simply listen with netcat, for telnet/ssh bruteforce use cowrie. Botnet size can be gauged accurately by sampling scan probes (mirai codebase sends 160 probes/s).

Re:Time to outlaw the IoT

[thegarbz]

We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.

Er no. No it doesn't. It barely works. Fine is not a metric anyone in the energy providing industry would use right now.