Slashdot Mirror


2 Million IoT Devices Enslaved By Fast-Growing BotNet (bleepingcomputer.com)

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MikroTik, TP-Link, and Synology.

The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.

Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."

69 comments

  1. Botnet mining by BeerCat · · Score: 3, Interesting

    Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

    With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

    --
    "She's furniture with a pulse"
    1. Re:Botnet mining by olsmeister · · Score: 1

      How long until manufacturers build in cryptocurrency mining into their stock firmware to use that extra processing power, phoning home periodically to 'receive updates'?

    2. Re:Botnet mining by Opportunist · · Score: 2

      That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    3. Re:Botnet mining by EvilSS · · Score: 1

      Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

      With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

      These devices are being used as part of a DDOS as a service scheme. The botnet owners act as the wholesaler, and people set up sites to sell time and bandwidth from the botnet provider to individuals. It's a huge problem in the gaming community due to cheap ass gaming companies using P2P matchmaking in multiplayer (vs using dedicated servers). Players will pay a few bucks and knock off their opponents in matches, or target streamers on Twitch, Beam, YouTube Gaming, etc.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    4. Re:Botnet mining by Anonymous Coward · · Score: 0

      P2P is the ideal way to play multiplayer games, particularly highly ping-sensitive ones. A server in the middle acting as a relay which may in cases not even be in the same hemisphere as the players is not the answer to anyone's problems.

    5. Re:Botnet mining by sysrammer · · Score: 1

      That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

      Quoted to highlight the benefits of Enlightened Self-Interest.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    6. Re: Botnet mining by Monster_user · · Score: 1

      P2P is good for smaller games, and unranked matches. Especially when it is friends chillin'.

      Dedicated servers are superior for larger games, especially MMOs. As well as ranked games where cheating actually "matters".

    7. Re:Botnet mining by waTeim · · Score: 1

      It seems necessary then to deal with those same handoffs (but even more latency inducing) in some novel way.

    8. Re:Botnet mining by EvilSS · · Score: 1

      As long as you have a decent regional distribution of servers (which most big games could easily do) it evens out network lag between users. P2P will almost always benefit the high-latency users due to how most games handle lag compensation, and it makes it more likely that there will be a large delta in latency to the host between players. I play plenty of games that do both and P2P is always frustrating when dealing with high-ping players.

      It's also more open to abuse. It's always fun when a player rage-quits a game they are hosting and takes the entire match with it because the game fails to host-migrate. Plus, as discussed, it opens you up to network abuse.

      --
      I browse on +1 so AC's need not respond, I won't see it.
    9. Re:Botnet mining by Anonymous Coward · · Score: 0

      How long before pacemakers, insulin infusion pumps and other medical devices have mining built-in as a means of paying licensing fees for said devices?

  2. I just hope they learn from past mistakes.... by Anonymous Coward · · Score: 0

    And ensure that devices only have signed firmware if the end-user controls the signing key and resetting the signing key when necessary.

    A secondary would be mandated open source build frameworks to ensure end users can rebuild the firmware themselves with patches in case the vendor does not.

    The current situation is bad, but the remedies I foresee them taking will only end up making things worse for everybody.

    That said, it is really time for an OpenWRT/LEDE for IP Cameras. The older ones had 16-32 megs of ram, plus a few megs of Flash, and the newer ones have at least 256 megs of RAM and 16+ megs of flash. Building new firmware for them should be straightforward as long as the proprietary opcodes for the MPEG/JPEG/h264 encoders are documented, so that open source code can be used top to bottom. As it is most of the kernel level exploits could be patched, although they would need backporting to 2.6 series kernels, since that is *STILL* what most of the Chinese IP cameras are running. And not even the last update either. .2x-.3x series kernels!

    1. Re:I just hope they learn from past mistakes.... by Opportunist · · Score: 2

      Why exactly should they learn anything?

      Did the customer buy it? Check.
      Did he return it? Nope.

      What exactly is the problem the manufacturer could possibly have?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re: I just hope they learn from past mistakes.... by Monster_user · · Score: 1

      The device made it beyond the 15 day return period before being exploited. And who is going to notice this problem before the 1-year warranty runs out that would buy such a device and run it on an unsecured network anyway?

  3. Few things have irritated me as much as the mere concept of IoT. The sooner it dies the less spyware we will have.

    1. Re:Good by DCFusor · · Score: 1

      Agreed. I cared enough to do something about it. Created a LAN of things - no internet presence at all, for myself. I only need automation for my place, not some data-monetizer (or worse, rent seeker or just go out of business) inserted into my stream. And then there's security.
      .
      But first, imagine a world where one of these jerks comes along with "and now you'll pay rent or I'll stop making your home work".
      Abandonware is bad enough as is.
      Signed code won't mean diddly here. If there's a way to make a camera send a stream someplace, which has to be for it to serve its function, any hack can send that stream elsewhere - the code for pushing the stream has to exist even in the signed version. And if there's any other hack possible, even allowing the user to retain the default pword and so on - then signing doesn't really do squat, now does it?

      --
      Why guess when you can know? Measure!
    2. Re: Good by Anonymous Coward · · Score: 0

      So you want to get rid of the internet and your way of helping that along is by paying an ISP and using said internet

    3. Re: Good by NicknameUnavailable · · Score: 2

      The internet isn't bad, the IoT is bad. The distinction being that the IoT consists of many thousands of distinct devices made mostly by hacks who don't know how to program which all independently try to call home for various purposes (usually spying on you with whatever sensors they have available for marketing and similar purposes) while simultaneously opening backdoors into your network by registering as a client to your firewall while making outbound HTTP requests to get data out and commands in. The overwhelming majority of IoT devices are parts of botnets because of the shit security which went into them in addition to their inherent spyware intention, which the unhacked ones also play a part in. The IoT is interesting as a concept but when implemented by a bunch of companies being paid for instance to develop a CCTV camera or smoke alarm or thermostat and not highly skilled in digital security is just an increased attack surface, but again even the ones highly skilled in security just use it for spyware (think to yourself: do your NEST thermostat and smoke alarm really need fucking cameras to register hand gestures - do they really need hand gestures, or is that just Google's way of tricking morons into sticking a camera in their living room?)

    4. Re:Good by Opportunist · · Score: 2

      Why exactly would it die?

      Manufacturers can sell it and are not legally responsible for their crapware.
      People are dumb and buy it, not understanding what's going on.
      Damage is done to someone who cannot influence buying/selling of those things.

      So what reason would you see for this to cease?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re: Good by Monster_user · · Score: 1

      The price of progress.

      Otherwise, are we going to put a stop to innovation? These IoT things are experiments, up-starts, looking for something we didn't know we needed which will improve productivity and efficiency exponentially. They typically don't have the budgets in their projects to do IoT the right way.

      Vulnerabilities in IoT are a big problem, but is it a big enough problem to allocate resources to fix?

    6. Re:Good by Anonymous Coward · · Score: 0

      Manufacturers can sell it and are not legally responsible for their crapware.

      Not actually a true statement.

    7. Re: Good by NicknameUnavailable · · Score: 1

      It's not innovation, it's spyware. There's zero reason for a thermostat or fire alarm to recognize hand and voice gestures - that's just the excuse Google gives so they can bundle a camera and microphone into it with an always-on wi-fi connection via the GSM network. But hey, GSM is totally free and not enormously expensive - oh wait, a camera in all your rooms provides data which pays for the bill.

    8. Re: Good by Monster_user · · Score: 1

      Perhaps not the fire alarm. Such critical devices as a fire alarm should be isolated and simple, but effective. An IoT fire alarm is the worst thing ever.

      The thermostat is a great asset. I've been considering something like that myself, once I get a central AC unit installed.

      Also, it's one step closer to the USS Enterprise D and voice activated everything. Which is both cool and scary at the same time. Star Trek TNG: Contagion is a good IoT episode,...

    9. Re: Good by Monster_user · · Score: 1

      Actually, under the circumstances, regarding what the discussion is about, yeah, that is a true statement.

      At least in the USA.

    10. Re:Good by Opportunist · · Score: 1

      Could you show a single case where someone managed to tack the damage done onto the culprit, i.e. the idiots making the electronic garbage?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. The sooner we get rid... by Anonymous Coward · · Score: 0

    ...of this so called "Internet" the better off we will be.

    1. Re:The sooner we get rid... by DontBeAMoran · · Score: 1

      I think the worst part of the internet is that any moron can post his opinion online.

      --
      #DeleteFacebook
    2. Re:The sooner we get rid... by Opportunist · · Score: 1

      Opinions don't hurt. Opinions are great, I needn't share it, and instead I can point out to some idiot why his opinion is crap.

      The worst part is that anyone can hook his insecure, unpatched garbage onto the net and people are no longer connected via dialup with those infrastructural systems that "count" having multiple gigabits of bandwidth available to them, making the impact an idiot with a botnet sheep running 24/7 at his home ("because those torrents take forever, broadband MY ASS!!!!111!1!") insignificant.

      These idiots that now have 20, 50, 100 and more mbit available to them CAN and DO pose a threat to key infrastructure.

      That is the worst part of the internet right now.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  5. KRACK? by Anonymous Coward · · Score: 0

    How has KRACK played a part in this? Is there botnet wardriving going on? (Drive along and enslave wifi devices that are KRACK vulnerable.)

    1. Re: KRACK? by Anonymous Coward · · Score: 0

      Pointless, routers are reachable on the internet.

    2. Re:KRACK? by viperidaenz · · Score: 1

      KRACK doesn't "enslave" wifi devices. It allows the encryption to be broken.

      I would take a guess and say it hasn't, at all.

  6. doesn't affect me by Anonymous Coward · · Score: 0

    Doesn't affect me, I don't care.

    1. Re:doesn't affect me by Anonymous Coward · · Score: 0

      Same here. Just checked. All of my self design electronics are doing fine. I thought this was a website for nerds.

    2. Re:doesn't affect me by fisted · · Score: 1

      Same here, not affected. All my IoT thingymajingies still work fine, including the house alarm and door locks.

  7. IoT botnets will be used to hack the next election by Anonymous Coward · · Score: 0

    The Trump campaign and the Russians will definitely be using these IoT botnets to meddle in the next election.

  8. I've never used... by Anonymous Coward · · Score: 1

    ...the Internet, Hell I don't even know where to find it!

    1. Re:I've never used... by Anonymous Coward · · Score: 0

      "Oh, they have the internet on computers now."

  9. That's wonderful, but on a more important topic... by DivineKnight · · Score: 0

    That's wonderful, but on a more important topic, has Microsoft gotten around to fixing their bootloader for Windows 10 IoT, such that we can (God please) finally boot off of a USB hard drive (read: SSD) on something like the Raspberry Pi 3 (which just needs a quick config change to make happen, and is already supported by many linux distros), or are we still going to be stuck with read speeds that an ATA-100 hard drive (not even ATA-133...) could beat?

  10. Powerrrrrr!!! by tsa · · Score: 1

    These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

    --

    -- Cheers!

    1. Re:Powerrrrrr!!! by Opportunist · · Score: 2

      Not strange at all, the chips are just cheaper.

      I kid you not. You can currently get chips with more features and faster processing speed cheaper than "older" chips with less. Mostly because the price of chips is mostly fixed costs and it costs about the same to make either of them, so making the more powerful one that outdoes or at least is on par with the competition's chip makes sense, else people will buy theirs and not ours.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:Powerrrrrr!!! by viperidaenz · · Score: 1

      Not really.

    3. Re:Powerrrrrr!!! by tlhIngan · · Score: 2

      These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

      You can thank smartphones for that, which have driven down the cost of embedded processors significantly.

      When I started, a 200MHz StrongARM processor was considered high end, and 400MHz processors were on the way. If you're lucky, they had 32MB of RAM. At the time, the average desktop was 500-800MHz with 128-512MB of RAM. You wouldn't dare run desktop applications on the embedded processor (even though they ran Linux and could) - it was just too painful.

      Even when the iPhone came out, it ran a 400MHz processor with 128MB of RAM. But just 10 years later, we've got 2.5GHz processors with 4+GB of RAM on our phones. And we're pushing processing power that is starting to meet or exceed what low-end PCs are capable of.

      Likewise, the embedded market has followed the same trend - if you want, those 200MHz processors are still available. But you can get a multi-core multi-GHz processor for basically the same price.

  11. It is time to start fining the culprits by QuietLagoon · · Score: 0

    Anyone who enables an insecure IoT device, and that device is found to be part of a botnet should have to pay a fine.

    1. Re:It is time to start fining the culprits by Anonymous Coward · · Score: 0

      What if it's a vulnerability which is only privately known. How can you patch something for which there is no patch?

      Are we going to clog up the courts with this nonsense? How about regulations that require all internet connected devices to meet certain security guidelines and standards. The company that fails it would not be allowed to release their product for sale. Sort of like an Underwriters Lab for networked devices. It wouldn't catch everything but it would prevent cheap foreign electronics that have flooded the market from being sold without that certification.

    2. Re:It is time to start fining the culprits by Anonymous Coward · · Score: 1

      Sheesh, what an elitist fuckwit.

      So come on then brains, tell all of us ignorant consumers how we're supposed to check with 100% certainty that a network enabled device is secure?
      And what do you define as a 'device'?
      Does that go as far as regular desktop/laptop computers? If not, why do they get a special exemption from being allowed to be part of a botnet?

    3. Re:It is time to start fining the culprits by Anonymous Coward · · Score: 0

      So come on then brains, tell all of us ignorant consumers how we're supposed to check with 100% certainty that a network enabled device is secure ?

      Step 1. Don't be ignorant
      Step 2. Continue not being ignorant

    4. Re: It is time to start fining the culprits by Monster_user · · Score: 1

      I pay the device manufacturer, Maytag for instance, to not be ignorant for me. It's called delegation.

      Time is money. If I'm buying an IoT device, I'm buying it to reduce the amount of time I'm having to spend micromanaging it.

    5. Re: It is time to start fining the culprits by fisted · · Score: 1

      The device manufacturers know they get away with it, so at the end of the day, you're still SOL.

    6. Re:It is time to start fining the culprits by QuietLagoon · · Score: 1

      There are many what if's. But instead of sitting there throwing criticisms, what do you think needs to be done to resolve the lack of security of IoT devices?

  12. About time by Anonymous Coward · · Score: 0

    At last, some reinforcements. We've been working all hours trying to keep up. Every time those damn Slashdot editors publish another Russian spying story it means more compulsory overtime, weekends and vacations cancelled, they locked us in last week. I haven't seen my mother for two months. Then of course any piece about Twitter or Facebook or race or the police or any topic remotely political anywhere, we're expected to jump in there too.

    They are hiring more people but the building's packed already with 3 shifts and frankly the new recruits' English skills are very poor, mangling the syntax, creating hideous Frankenstein idioms and dropping articles all over the place. Yes of course it takes all sorts to break an omelette, from the undisguised Muscovite proudly defending his motherland in broken English to the fluent future sleeper agent but standards have slipped and it's terribly embarrassing for the few professionals left who take pride in their work. We don't know who's on our side any more - yesterday I spent 3 hours in a flame war with a Californian Democrat who turned out to be one of the newbies sitting across the room - I wouldn't have known except she jumped up and started swearing about something I'd just written. It's total chaos, yes OK that's what we want but not in our own offices. if it wasn't for the free vodka and pizzas, I'd have been out of here months ago. Well that and I don't know anyone influential and can't afford an introductory fee for a better job. I can't say much more, the last person to speak up was posted to troll the Hello! website. Pass the bottle, Ksenia.

  13. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  14. Almost like Toy Story by bobstreo · · Score: 1

    The Cloud is My Master.

    So does this mean I need a firewall in front of my cable modem?

  15. ...and linux Servers by gravewax · · Score: 2

    I noticed the summary conveniently left off the very last item in the list of the article of affected devices "and Linux servers".

    1. Re:...and linux Servers by HiThere · · Score: 1

      The "and Linux servers" referred to devices being attacked, not to ones that were part of the bot-net.

      I'm going to give you credit for good intentions, at the cost of considering that you lack reading comprehension.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    2. Re:...and linux Servers by Anonymous Coward · · Score: 0

      The Linux servers ARE part of the botnet, they are using unpatched servers as well.

    3. Re:...and linux Servers by Anonymous Coward · · Score: 0

      perhaps you should read a little more than just the badly written article then as plenty of Linux machines are being affected.

    4. Re:...and linux Servers by Anonymous Coward · · Score: 0

      So why then did they include MikroTik, TP-Link, and Synology? Either they should not be in the summary or Linux servers should. Seems a little unlikely that whoever put the summary together "accidentally" made that error.

    5. Re:...and linux Servers by HiThere · · Score: 1

      I'm sure they are. There wouldn't be much purpose in attacking them if there weren't some way to use them...at least some of them. Some systems aren't patched and kept up to date, and those frequently have known vulnerabilities. But that's not what the article is about.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  16. Re:That's wonderful, but on a more important topic by Anonymous Coward · · Score: 0

    yeah obviously far more important that a minor feature in windows is supported than a rampant Linux exploit is put to an end.

  17. monetize by PopeRatzo · · Score: 1

    This explains why my thermostat is now mining Bitcoin.

    --
    You are welcome on my lawn.
    1. Re:monetize by Opportunist · · Score: 2

      Lucky you. Mine just went to 100F and demands 2 Bitcoins to set it back to normal levels.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:monetize by h33t+l4x0r · · Score: 1

      That's nothing. Mine's been posting fake news stories to Facebook since last year.

    3. Re:monetize by fisted · · Score: 2

      T_SET 68F T_MEAS 67.5F ALL SYSTEMS NOMINAL PLEASE MOVE ALONG NOTHING TO SEE HERE FELLOW HUMANS

      o o o o o o o o o o o o o o o o o o o o o o o o o o o

  18. It's not all IoT? by Anonymous Coward · · Score: 0

    I couldn't agree more but when I see home router in there, NAS (i.e. file server) I think that's regular internet there, not just IoT.
    I had a router and file servers in 2001.

    They were two Windows 98 and one XP desktop. I kid you not! I played full screen networked DOS games, so IPX/SPX, on the router. Albeit the file shares were not internet accessible and I didn't know of ssh/sftp back then.
    The router ran IE5 and Winamp fine too. It had 40MB RAM.

    1. Re: It's not all IoT? by Monster_user · · Score: 1

      No, it's not all IoT. IoT devices just are less likely to be maintained by the manufacturer.

      With a NAS or router, the response has been to blame the user. They should either patch the firmware, or switch to a manufacturer which supports the product after the sale.

      With IoT devices, there is little to do but pine for the good old days when nerds wrote their own firmware, and the commoners knew nothing of technology. And wait for the IoT zombie botnets to attack a high enough value target so as to get something done about the issue.

      Either we charge fines for devices connected to the internet with outdated firmware, operating systems, or security software, or we fine manufacturers who fail to deploy fixes in a specified amount of time regardless of lost functionality to the device.

  19. Re: That's wonderful, but on a more important topi by Anonymous Coward · · Score: 0

    How the hell is that more important?

  20. Re: That's wonderful, but on a more important topi by Monster_user · · Score: 1

    Tomaeto, Tomahtoe.

    Make Raspberry Pi's easy to deploy with Windows 10, and you might just solve your IoT problem. Depending on the W10 implementation. Maybe go with Azure AD?

  21. Rename IOT to IDIOT by knorthern+knight · · Score: 1

    Insecurely Designed Internet Of Things

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  22. Block its components via hosts by Anonymous Coward · · Score: 0

    0.0.0.0 cbk99.com
    0.0.0.0 bbk80.com
    0.0.0.0 d.hl852.com
    0.0.0.0 e.hl852.com
    0.0.0.0 f.hl852.com
    0.0.0.0 hl852.com

    * Other elements of it can be blocked by firewalls, data is all from source article http://blog.netlab.360.com/iot_reaper-a-rappid-spreading-new-iot-botnet-en/

    APK

    P.S.=> For further added speed, security, reliability & anonymity online vs. this &+ other threats-> APK Hosts File Engine 9.0++ SR-7 32/64-bit https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22APK+Hosts+File+Engine%22+and+%22start64%22&btnG=Google+Search&gbv=1/ - accept NO substitutes... apk
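
Added example (not part of the original comment or the source article): a Python check that a hosts file actually sinkholes every domain listed above, and that flags lookups of those domains or any of their subdomains in resolver logs. Hosts entries match exact names only, which is why the subdomains need their own lines; the dnsmasq-style log format, the sample hosts file, the client addresses and the name `x.cbk99.com` are constructed for illustration.

```python
import re

# Domains from the comment above (as listed on the page; not independently verified).
IOC_DOMAINS = [
    "cbk99.com", "bbk80.com", "d.hl852.com",
    "e.hl852.com", "f.hl852.com", "hl852.com",
]
SINKHOLES = {"0.0.0.0", "127.0.0.1", "::", "::1"}

# Constructed sample: a hosts file that blocks only the parent domains.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
0.0.0.0 cbk99.com      # blocked
0.0.0.0 bbk80.com
0.0.0.0 hl852.com
"""

# Constructed dnsmasq-style query log; addresses and x.cbk99.com are made up.
SAMPLE_LOG = [
    "Oct 21 10:00:01 dnsmasq[812]: query[A] e.hl852.com from 192.168.1.50",
    "Oct 21 10:00:02 dnsmasq[812]: query[A] x.cbk99.com from 192.168.1.50",
    "Oct 21 10:00:03 dnsmasq[812]: query[A] notcbk99.com from 192.168.1.23",
    "Oct 21 10:00:04 dnsmasq[812]: query[AAAA] example.org from 192.168.1.23",
]

QUERY_RE = re.compile(r"query\[[A-Z]+\]\s+(\S+)\s+from\s+(\S+)")


def parse_hosts(text):
    """Return {hostname: address}; the first entry for a name wins."""
    mapping = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            mapping.setdefault(name.lower().rstrip("."), addr)
    return mapping


def missing_blocks(hosts_text, domains=IOC_DOMAINS):
    """List the domains that the hosts file does not point at a sinkhole."""
    mapping = parse_hosts(hosts_text)
    return [d for d in domains if mapping.get(d) not in SINKHOLES]


def matches_ioc(qname, domains=IOC_DOMAINS):
    """Return the listed domain that qname equals or sits under, else None."""
    q = qname.lower().rstrip(".")
    # Longest first, so e.hl852.com is reported rather than hl852.com.
    for d in sorted(domains, key=len, reverse=True):
        if q == d or q.endswith("." + d):
            return d
    return None


def scan_dns_log(lines, domains=IOC_DOMAINS):
    """Return (client, queried_name, matched_domain) for every hit in the log."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        matched = matches_ioc(m.group(1), domains)
        if matched:
            hits.append((m.group(2), m.group(1), matched))
    return hits


if __name__ == "__main__":
    print("not sinkholed:", missing_blocks(SAMPLE_HOSTS))
    for client, qname, matched in scan_dns_log(SAMPLE_LOG):
        print(f"{client} looked up {qname} (matches {matched})")
```

A client that shows up in the scan is a candidate for isolation and a firmware check, whether or not the lookup was blocked.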

  23. Re: That's wonderful, but on a more important topi by DivineKnight · · Score: 1

    Uhh, let's see here...Botnets are as common as grass, and nothing to freak out about. If you've been even glancing at IT trade mags for the past several years, you already know how to deal with the ensuing DDOS attacks. There are even services, mentioned right here on /., that proudly advertise that they won't boot you if you are the target of the DDOS attack, because they know now how to handle them, with ease.

    So at best, this is more of a last mile problem: the owners of said devices are likely to have important identity information stolen from them, and, God forbid, a company using such insecure devices on their network (and not staying on top of updates / security notices)...well, we have a phrase for people like that -> "trusting in the wind."

    But if we look at this post more intelligently, as a likely plant to generate some FUD, or to make some tech stocks sink, well, that makes more sense, doesn't it?