Slashdot Mirror


A Year After Mirai: DVR Torture Chamber Test Shows Two Minutes Between Exploits (sans.edu)

UnderAttack writes: Over two days, the Internet Storm Center connected a default-configured DVR to the internet, and rebooted it every 5 minutes in order to allow as many bots as possible to infect it. They detected about one successful attack (using the correct password xc3511) every 2 minutes. Most of the attackers were well-known vulnerable devices. A year later, what used to be known as the "Mirai" botnet has branched out into many different variants. But it looks like much-hyped "destructive" variants like Brickerbot had little or no impact.

36 comments

  1. Honey pot? by 0100010001010011 · · Score: 2

    Wouldn't it have just been simpler to create a honey pot that answered to the correct password?

    1. Re:Honey pot? by Anonymous Coward · · Score: 0

      Wouldn't it have just been simpler to create a honey pot that answered to the correct password?

      It would probably have been simpler to set up a honey pot. But making a 100% authentic one might not be so simple, and there are many known methods to detect honey pots. Probably several unknown methods as well.

      By exposing a real device, there is a better chance that any anti-honeypot code in the malware will not be triggered.

    2. Re:Honey pot? by duke_cheetah2003 · · Score: 4, Interesting

      Wouldn't it have just been simpler to create a honey pot that answered to the correct password?

      Malware authors are getting increasingly good at detecting honey pot environments. Using the real deal is a good call, IMHO.

    3. Re:Honey pot? by Anonymous Coward · · Score: 0

      Not Really.

      One of my websites kept being visited by a botnet, so I put up a fake php file that responds to the botnet like it expects, but throws away the payload so it slowly throws away data. It probably doesn't make a dent in the botnet. However, unless a human actually looks at the progress of a botnet, they wouldn't know what data has been discarded, thus making their bruteforce/DDoS attacks have swiss cheese holes in their progress.

      The ideal thing to do with a honeypot is to log what the payload is and analyze it to figure out what the botnet is trying to do. But in most cases these bots aren't doing anything intelligent, they are just trying to login to every IP address with whatever it has in its dictionary. It's not bruteforcing anything, especially since that triggers throttling mechanisms to block the IP address, so the C&C machines actually only send out one try per IP address and just cycle through all its machines and VPN/proxies, regardless of whether it works. If machines have hard-coded passwords, nothing short of a firmware update will fix it, but rebooting the IoT device will typically just have it re-infected rather than throwing off the botnet.

      The Brickerbot has the right idea: patch the exploit, and if it doesn't work kill the machine to save the internet from it. You never want to destroy the data on the device, just make it kill its network stack.

  2. PhD? by msauve · · Score: 3, Informative

    DVR doesn't mean what he thinks it means. He's talking about IP cameras. He says it's an "Anrai" in one place, an "Anrain" in another, Google says it's probably an "Anran."

    He claims "Traffic from the DVR outbound was blocked by the firewall to prevent it from infecting other systems." But, of course, if that were true then the camera wouldn't be able to create a telnet session.

    This, from someone claiming to be "Ph.D., Dean of Research, SANS Technology Institute?" A quick search says "The SANS Technology Institute is regionally accredited by the Middle States Commission on Higher Education...", which is itself a DBA for a corporation created in 2013.

    OK, so they're the successor to ITT Tech, but without the reputation.

    --
    "National Security is the chief cause of national insecurity." - Celine's First Law
    1. Re:PhD? by Anonymous Coward · · Score: 0

      Sure, because they simply couldn't drop all packets to any IP that isn't a camera. Btw, do cameras need to open telnet sessions to the "DVR"? What for?

    2. Re:PhD? by J053 · · Score: 4, Informative

      OK, the drawing accompanying the report could have used something other than a "camera" icon for the DVR under test, and yes, it was probably an "Anran" DVR. Having said that, Dr. Ullrich has a PhD in physics from SUNY Albany, and the SANS Institute has been a well-respected source of systems administration and network security education since the mid 90s, at least.

      I really don't understand why GP felt the need to throw shade on the producer of the report, rather than address the findings themselves, but whatever.

    3. Re:PhD? by 93+Escort+Wagon · · Score: 1

      You're not familiar with SANS? I'd expect any sysadmin or sysadmin-wannabe would know of them...

      --
      #DeleteChrome
    4. Re:PhD? by msauve · · Score: 2

      Whoosh.

      It's a very short article, based on a very simplistic premise, which produced nothing new. OTOH, it was a marketing opportunity which somehow counts as "News for Nerds."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    5. Re:PhD? by Anonymous Coward · · Score: 1

      He claims "Traffic from the DVR outbound was blocked by the firewall to prevent it from infecting other systems." But, of course, if that were true then the camera wouldn't be able to create a telnet session.

      While you were busy pontificating, they invented these things called Stateful Firewalls. It's really simple to block outbound TCP connections from devices while allowing incoming TCP connections that can establish and maintain sessions, i.e.: it blocks outbound "SYN" packets while still allowing "SYN-ACK", "FIN", "FIN-ACK" and "ACK" packets.

    6. Re:PhD? by msauve · · Score: 2

      "You're not familiar with SANS? I'd expect any sysadmin or sysadmin-wannabe who thinks a Microsoft certification is meaningful would know of them..."

      FTFY.

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    7. Re:PhD? by Anonymous Coward · · Score: 1

      But, of course, if that were true then the camera wouldn't be able to create a telnet session.

      Why not?
      He is saying he is blocking outbound traffic that is initiated from inside. So the DVR can't actively create connections/sessions to infect other machines.

      However, when a host from outside tries to establish a connection, the firewall lets that through; when the DVR responds, it is responding to an existing connection (initiated from outside), and the firewall will permit that because the block rule only applies to sessions starting from inside.
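The stateful rule the two replies above describe (drop sessions the DVR starts, allow every packet of a session an outside host started, drop a stray FIN that belongs to no session), as an added toy simulation; this is not code from the ISC report or from any poster, and the addresses, the "inside" side and the flow list are constructed.

```python
from dataclasses import dataclass, field

INSIDE = "10.0.0.5"  # constructed: the DVR's LAN address, the "inside" of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset  # subset of {"SYN", "ACK", "PSH", "FIN", "RST"}


def pkt(src, sport, dst, dport, *flags):
    return Packet(src, sport, dst, dport, frozenset(flags))


@dataclass
class StatefulFirewall:
    inside: str
    table: set = field(default_factory=set)  # conntrack: one entry per accepted session

    @staticmethod
    def key(p):
        # Both directions of a flow map to the same key, so replies match the entry.
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (a, b) if a <= b else (b, a)

    def filter(self, p):
        k = self.key(p)
        if k in self.table:
            if "RST" in p.flags:      # a reset ends the tracked session
                self.table.discard(k)
            return "ACCEPT"           # SYN-ACK, ACK, PSH, FIN, FIN-ACK: all part of the session
        if p.flags == {"SYN"}:        # a new connection attempt
            if p.src == self.inside:
                return "DROP"         # the outbound block: the DVR may not start sessions
            self.table.add(k)         # outside host initiated it: remember the session
            return "ACCEPT"
        return "DROP"                 # stray FIN/ACK/PSH with no tracked session


def run_scenario():
    fw = StatefulFirewall(INSIDE)
    victim, bot = "203.0.113.7", "198.51.100.9"   # constructed documentation addresses
    flows = [
        pkt(INSIDE, 51000, victim, 23, "SYN"),      # DVR trying to spread: dropped
        pkt(bot, 40000, INSIDE, 23, "SYN"),         # bot opens telnet to the DVR: accepted
        pkt(INSIDE, 23, bot, 40000, "SYN", "ACK"),  # DVR's SYN-ACK reply: accepted
        pkt(bot, 40000, INSIDE, 23, "ACK", "PSH"),  # login attempt payload: accepted
        pkt(INSIDE, 23, bot, 40000, "FIN", "ACK"),  # DVR closes the session: accepted
        pkt(bot, 40001, INSIDE, 23, "FIN"),         # bare FIN with no session: dropped
    ]
    return [fw.filter(p) for p in flows]
```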

    8. Re: PhD? by Anonymous Coward · · Score: 0

      To communicate....duh

    9. Re:PhD? by AmiMoJo · · Score: 1

      The cameras accept incoming telnet connections, so that they can be remotely controlled. Even basic firewalls can allow outgoing packets for a TCP connection that was established from the outside, although usually it's the other way around.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    10. Re:PhD? by Anonymous Coward · · Score: 0

      Um.. No. I understand that you don't know who SANS is, and that is fine. But your assumption that they are in any way the caliber of ITT Tech just makes you sound like an idiot.

    11. Re:PhD? by Anonymous Coward · · Score: 0

      Why would they allow FIN? FIN-ACK should be OK but FIN on its own is just BS. Another q.: what do they do with PSH? Do they have a rule for that?

    12. Re:PhD? by Anonymous Coward · · Score: 0

      DVR means digital video recorder. Just because you assume that DVRs only record the cable signal coming into them doesn't mean that you are right.

    13. Re:PhD? by sabri · · Score: 1

      I really don't understand why GP felt the need to throw shade on the producer of the report,

      Because the SANS Institute is a for-profit private organization with self-study accreditation. According to their accreditation they have 294 enrollments (http://www.msche.org/institutions_view.asp?idinstitution=595), and have a campus in the Courtyard by Marriott Madison East, Madison, WI hotel.

      Really?

      And not to forget, they charge $47,000 for an online degree program. I completed my MSc for $9,000, also through distance learning.

      --
      I'm not a complete idiot... Some parts are missing.
  3. Mandatory XKCD by Anonymous Coward · · Score: 3, Funny

    The Virus Aquarium
    https://xkcd.com/350/

    1. Re: Mandatory XKCD by Jesus+H+Rolle · · Score: 1

      I've thought about doing this, but with fish.

  4. Wonder how bad receivers are... by SuperKendall · · Score: 1

    I've held off getting any internet connected devices (besides computers of course) for a long time, but I did break down and get a receiver that is connected and gets firmware updates from time to time...

    I should really someday look for traffic coming from the thing but I've not bothered so far... the only condolence I have is hoping that it has limited throughput.

    --
    "There is more worth loving than we have strength to love." - Brian Jay Stanley
    1. Re:Wonder how bad receivers are... by Anonymous Coward · · Score: 0

      (1) Why connect a receiver at all. If it doesn't work out of the box it's already failed.

      (2) You connect computers and now a receiver and you don't bother to look at the network traffic?

      (3) It's "consolation" not "condolence"

    2. Re:Wonder how bad receivers are... by gumbi+west · · Score: 1

      (1) Why connect a receiver at all. If it doesn't work out of the box it's already failed.

      I'm just going to guess here, but I believe there are these things called audio files that you can download and listen to.

    3. Re:Wonder how bad receivers are... by gumbi+west · · Score: 1

      I might have thought the same thing, but I also have phones and printers connected to my router. I also wanted some lights but held off.

    4. Re:Wonder how bad receivers are... by gumbi+west · · Score: 1

      Oh, and a NAS

  5. Re:What by Ol+Olsoc · · Score: 1

    No impact? Didn't Brickerbot take down an ISP?

    This story was brought to us by the International Internet of Things Manufacturers happy fun consortium.

    Sally forth good citizens, nothing to fear of these aids to humanity. Purchase with great impunity!

    --
    The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
  6. Re:What by Anonymous Coward · · Score: 0

    I think by "no impact" he meant that not enough IoT manufacturers and owners have done anything significant to fix the issue.

  7. What about NATs? by Anonymous Coward · · Score: 0

    DVR newbie here. Aren't these devices almost always behind a NAT, performing only outgoing connections?
    How do they get infected?

    1. Re:What about NATs? by ledow · · Score: 3, Interesting

      You know when things say "just port-forward" and people just do that?

      There ya go.

      One of the reasons that I look upon any port-forward as incredibly suspicious, professionally, and only like doing it if it goes via a device capable of connection-limiting, rate-limiting and performing intrusion-protection and sanitisation for the exact protocol in question.

      "Hey, just bash a hole in your house so the postman can deliver your parcels. Hey, just bash another hole so the gas man can read your meter. Hey, just bash another hole so your lightbulbs can talk out."... at the point it starts sounding silly, that's the point it already is silly.

    2. Re:What about NATs? by AmiMoJo · · Score: 4, Insightful

      UPnP: Hey, just let anyone who wants access to your house bash a hole in the wall!

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    3. Re:What about NATs? by ledow · · Score: 1

      Precisely.

    4. Re:What about NATs? by Anonymous Coward · · Score: 0

      But what else are you to do? You want to watch cable TV on your phone while out at your wife's doctor appointment, you need a VPN to your home network so the app gets all the channels they block if you are not on your home network. So you punch a hole for the ports.

      Same for VNC to get some file work done.


  9. Toyota Mirai ?? by Anonymous Coward · · Score: 0

    Did anybody else see the headline and think of the Toyota Mirai?
    https://ssl.toyota.com/mirai/fcv.html