2 Million IoT Devices Enslaved By Fast-Growing BotNet

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MicroTik, TP-Link, and Synology.

The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.
Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."

Botnet mining

[BeerCat]

Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

Re:Botnet mining

[olsmeister]

How long until manufacturers build in cryptocurrency mining into their stock firmware to use that extra processing power, phoning home periodically to 'recieve updates'?

Re:Botnet mining

[Opportunist]

That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

Re:Botnet mining

[EvilSS]

Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

These devices are being used as part of a DDOS as a service scheme. The botnet owners act as the wholesaler, and people setup sites to sell time and bandwidth from the botnet provider to individuals. It's a huge problem in the gaming community due to cheap ass gaming companies using P2P matchmaking in multiplayer (vs using dedicated servers). Players will pay a few bucks and knock off their opponents in matches, or target streamers on Twitch, Beam, Youtube Gamine, etc.

Re:Botnet mining

[sysrammer]

That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

Quoted to highlight the benefits of Enlightened Self-Interest.

Re: Botnet mining

[Monster_user]

P2P is good for smaller games, and unranked matches. Especially when it is friends chillin'.

Dedicated servers are superior for larger games, especially MMOs. As well as ranked games where cheating actually "matters".

Re:Botnet mining

[waTeim]

It seems necessary then to deal with those same handoffs (but even more latency inducing) in some novel way.

Re:Botnet mining

[EvilSS]

As long as you have a decent regional distribution of servers (which most big games could easily do) it evens out network lag between users. P2P will almost always benefit the high-latency users due to how most games handle lag compensation, and it makes it more likely that there will be a large delta in latency to the host between players. I play plenty of games that do both and P2P is always frustrating when dealing with high-ping players.

It's also more open to abuse. It's always fun when a player rage-quits a game they are hosting and takes the entire match with it because the game fails to host-migrate. Plus, as discussed, it opens you up network abuse. f

Good

[NicknameUnavailable]

Few things have irritated me as much as the mere concept of IoT. The sooner it dies the less spyware we will have.

Re:Good

[DCFusor]

Agreed. I cared enough to do something about it. Created a LAN of things - no internet presence at all, for myself. I only need automation for my place, not some data-monetizer (or worse, rent seeker or just go out of business) inserted into my stream. And then there's security.
.
But first, imagine a world where one of these jerks comes along with "and now you'll pay rent or I'll stop making your home work".
Abandonware is bad enough as is.
Signed code won't mean diddly here. If there's a way to make a camera send a stream someplace, which has to be for it to serve its function, any hack can send that stream elsewhere - the code for pushing the stream has to exist even in the signed version. And if there's any other hack possible, even allowing the user to retain the default pword and so on - then signing doesn't really do squat, now does it?

Re: Good

[NicknameUnavailable]

The internet isn't bad, the IoT is bad. The distinction being that the IoT consists of many thousands of distinct devices made mostly by hacks who don't know how to program which all independently try to call home for various purposes (usually spying on your with whatever sensors they have available for marketing and similar purposes) while simultaneously opening backdoors into your network by registering as a client to your firewall while making outbound HTTP requests to get data out and commands in. The overwhelming majority or IoT devices are parts of botnets because of the shit security which went into them in addition to their inherent spyware intention, which the unhacked ones also play a part in. The IoT is interesting as a concept but when implemented by a bunch of companies being paid for instance to develop a CCTV camera or smoke alarm or thermostat and not highly skilled in digital security is just an increased attack surface, but again even the ones highly skilled in security just use it for spyware (think to yourself: do your NEST thermostat and smoke alarm really need fucking cameras to register hand gestures - do they really need hand gestures, or is that just Google's way of tricking morons into sticking a camera in their living room?

Re:Good

[Opportunist]

Why exactly would it die?

Manufacturers can sell it and are not legally responsible for their crapware.
People are dumb and buy it, not understanding what's going on.
Damage is done to someone who cannot influence buying/selling of those things.

So what reason would you see for this to cease?

Re: Good

[Monster_user]

The price of progress.

Otherwise, are we going to put a stop to innovation? These IoT things are experiments, up-starts, looking for something we didn't know we needed which will improve productivity and efficiency exponentially. They typically don't have the budgets in their projects to do IoT the right way.

Vulnerabilities in IoT is a big problem, but is it a big enough problem to allocate resources to fix?

Re: Good

[NicknameUnavailable]

It's not innovation, it's spyware. There's zero reason for a thermostat or fire alarm to recognize hand and voice gestures - that's just the excuse Google gives so they can bundle a camera and microphone into it with an always-on wi-fi connection via the GSM network. But hey, GSM is totally free and not enormously expensive - oh wait, a camera in all your rooms provides data which pays for the bill.

Re: Good

[Monster_user]

Perhaps not the fire alarm. Such critical devices as a fire alarm should be isolated and simple, but effective. An IoT fire alarm is the worst thing ever.

The thermostat is a great asset. I've been considering something like that myself, once I get a central AC unit installed.

Also, its one step closer to the USS Enterprise D and voice activated everything. Which is both cool and scary at the same time. Star Trek TNG: Contagion is a good IoT episode,...

Re: Good

[Monster_user]

Actually, under the circumstances, regarding what the discussion is about, yeah, that is a true statement.

At leadt in the USA.

Re:Good

[Opportunist]

Could you show a single case where someone managed to tack the damage done onto the culprit, i.e. the idiots making the electronic garbage?

Re:The sooner we get rid...

[DontBeAMoran]

I think the worst part of the internet is that any moron can post his opinion online.

I've never used...

...the Internet, Hell I don't even know where to find it!

Powerrrrrr!!!

[tsa]

These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

Re:Powerrrrrr!!!

[Opportunist]

Not strange at all, the chips are just cheaper.

I kid you not. You can currently get chips with more features and faster processing speed cheaper than "older" chips with less. Mostly because the price of chips is mostly fixed costs and it costs about the same to make either of them, so making the more powerful one that outdoes or at least is on par with the competition's chip makes sense, else people will buy theirs and not ours.

Re:Powerrrrrr!!!

[viperidaenz]

Not really.

Re:Powerrrrrr!!!

[tlhIngan]

These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

You can thank smartphones for that, which have driven down the cost of embedded processors significantly.

When I started, a 200MHz StrongARM processor was considered high end, and 400MHz processors were on the way. If you're lucky, they had 32MB of RAM. At the time, the average desktop was 500-800MHz with 128-512MB of RAM. You wouldn't dare run desktop applications on the embedded processor (even though they ran Linux and could) - it was just too painful.

Even when the iPhone came out, it ran a 400MHz processor with 128MB of RAM. But just 10 years later, we've got 2.5GHz processors with 4+GB of RAM on our phones. And we're pushing processing power that is starting to meet or exceed what low-end PCs are capable of.

Likewise, the embedded market has followed the same trend - if you want, those 200MHz processors are still available. But you can get a multi-core multi-GHz processor for basically the same price.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Almost like Toy Story

[bobstreo]

The Cloud is My Master.

So does this mean I need a firewall in front of my cable modem?

...and linux Servers

[gravewax]

I noticed the summary conveniently left of the very last item in the list of the article of affected devices "and Linux servers".

Re:...and linux Servers

[HiThere]

The "and Linux servers" referred to devices being attacked, not to ones that were part of the bot-net.

I'm going to give you credit for good intentions, at the cost of considering that you lack reading comprehension.

Re:...and linux Servers

[HiThere]

I'm sure they are. There wouldn't be much purpose in attacking them if there weren't some way to use them...at least some of them. Some systems aren't patched and kept up to date, and those frequently have known vulnerabilities. But that's not what the article is about.

Re:It is time to start fining the culprits

Sheesh, what an elitist fuckwit.

So come on then brains, tell all of us ignorant consumers how we're supposed to check with 100% certainty that a network enabled device is secure ?
  And what do you define as a 'device' ?
Does that go as far as regular desktop/laptop computers? If not, why do they get a special exemption from being allowed to be part of a botnet ?

monetize

[PopeRatzo]

This explains why my thermostat is now mining Bitcoin.

Re:monetize

[Opportunist]

Lucky you. Mine just went to 100F and demands 2 Bitcoins to set it back to normal levels.

Re:monetize

[h33t+l4x0r]

That's nothing. Mine's been posting fake news stories to Facebook since last year.

Re:monetize

[fisted]

T_SET 68F T_MEAS 67.5F ALL SYSTEMS NOMINAL PLEASE MOVE ALONG NOTHING TO SEE HERE FELLOW HUMANS

o o o o o o o o o o o o o o o o o o o o o o o o o o o

Re:I just hope they learn from past mistakes....

[Opportunist]

Why exactly should they learn anything?

Did the customer buy it? Check.
Did he return it? Nope.

What exactly is the problem the manufacturer could possible have?

Re:The sooner we get rid...

[Opportunist]

Opinions don't hurt. Opinions are great, I needn't share it, and instead I can point out to some idiot why his opinion is crap.

The worst part is that anyone can hook his insecure, unpatched garbage onto the net and people are no longer connected via dialup with those infrastructural systems that "count" having multiple gigabits of bandwidth available to them, making the impact an idiot with a botnet sheep running 24/7 at his home ("because those torrents take forever, broadband MY ASS!!!!111!1!") insignificant.

These idiots that now have 20, 50, 100 and more mbit available to them CAN and DO pose a threat to key infrastructure.

That is the worst part of the internet right now.

Re:KRACK?

[viperidaenz]

krack doesn't "enslave" wifi devices. It allows the encryption to be broken.

I would take a guess and say it hasn't, at all.

Re: I just hope they learn from past mistakes....

[Monster_user]

The device made it beyond the 15 day return period before being exploited. And who is going to notice this problem before the 1-year warranty runs out that would buy such a device and run it on an unsecured network anyway.

Re: It's not all IoT?

[Monster_user]

No its not all IoT. IoT devices just are less likely to be maintained by the manufacturer.

With a NAS or router, the response has been to blame the user. They should either patch the firmware, or switch to a manufacturer which supports the product after the sale.

With IoT devices, there is little to do but pine for the good old days when nerds wrote their own firmware, and the commoners new nothing of technology. And wait for the IoT zombie botnets to attack a high enough value target so as to get something done about the issue.

Either we charge fines for devices connected to the internet with outdated firmware, operating systems, or security software, or we fine manufacturers who fail to deploy fixes in a specified amount of time regardless of lost functionality to the device.

Re: That's wonderful, but on a more important topi

[Monster_user]

Tomaeto, Tomahtoe.

Make Raspberry Pi's easy to deploy with Windows 10, and you might just solve your IoT problem. Depending on the W10 implementation. Maybe go with Azure AD?

Re: It is time to start fining the culprits

[Monster_user]

I pay the device manufacturer, Maytag for instance, to not be ignorant for me. Its called delegation.

Time is money. If I'm buying an IoT device, I'm buying it to reduce the amount of time I'm having to spend micromanaging it.

Rename IOT to IDIOT

[knorthern+knight]

Insecurely Designed Internet Of Things

Re:doesn't affect me

[fisted]

Same here, not affected. All my IoT thingymajingies still work fine, including the house alarm and door locks.

Re: It is time to start fining the culprits

[fisted]

The device manufacturers know they get away with it, so at the end of the day, you're still SOL.

Re: That's wonderful, but on a more important topi

[DivineKnight]

Uhh, let's see here...Botnets are as common as grass, and nothing to freak out about. If you've been even glancing at IT trade mags for the past several years, you already know how to deal with the ensuing DDOS attacks. There are even services, mentioned right here on /., that proudly advertise that they won't boot you if you are the target of the DDOS attack, because they know now how to handle them, with ease.

So at best, this is more of a last mile problem: the owners of said devices are likely to have important identity information stolen from them, and, God forbid, a company using such insecure devices on their network (and not staying on top of updates / security notices)...well, we have a phrase for people like that -> "trusting in the wind."

But if we look at this post more intelligently, as a likely plant to generate some FUD, or to make some tech stocks sink, well, that makes more sense, doesn't it?

Re:It is time to start fining the culprits

[QuietLagoon]

There are many what if's. But instead of sitting there throwing criticisms, what do you think needs to be done to resolve the lack of secuirty of IoT devices?