Security

Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released (krebsonsecurity.com)

As if the state of security wasn't already a headache worldwide, we may now have one more reason to worry: a hacker has made available the source code that could allow more people to wage the kinds of extraordinarily large assaults that recently knocked security news site KrebsOnSecurity offline. Brian Krebs reports: The source code that powers the "Internet of Things" (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices. The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed "Mirai," spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Vulnerable devices are then seeded with malicious software that turns them into "bots," forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline. The Hackforums user who released the code, using the nickname "Anna-senpai," told forum members the source code was being released in response to increased scrutiny from the security industry.
  • Oh great (Score:4, Informative)

    by JustAnotherOldGuy ( 4145623 ) on Monday October 03, 2016 @11:04AM (#53004589) Journal

    Oh great, now every dickweasel and conehead in the world will be cranking out malware.

    • by Anonymous Coward

      Let's see a list of manufacturers to never buy from. That would be one good thing coming out of this...

      • Your problem is that you think that bankrupting one company is going to change anything. The operators will just spin up a new operation (corporation), and create new botnet nodes under another IoT fad.

        THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)

        • Re: Oh great (Score:5, Interesting)

          by mlw4428 ( 1029576 ) on Monday October 03, 2016 @11:46AM (#53004941)
          That's a stupid line of thinking, it really is. Automobiles, as convenient as they may be, don't outweigh the inconvenience of the increased public expenditure on accidents, insurance, infrastructure, and pure risk to persons and property. So we should all just have horses and buggies.

          Here's an idea: hold corporations accountable. Did you follow industry best practices? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you patch your code within a reasonable amount of time after being notified of the issue? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you take unnecessary design risks and challenges with your product? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS. Did you have a security firm with proper recognized credentialing test your code for flaws? No? LAWSUIT, MASSIVE PAYOUT, JAIL TIME FOR SENIOR MANAGERS.

          It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.
          • Or even simpler: No "hidden" backdoors, No default User/Pass, No Jail Time or Fines. If you sell more than 1000 devices you must have your product certified.
            • Because over regulation is working so well for you right now. What's the street price of medical gear right now in the USA? 10x that of the rest of the world? 20x? could even be closer to 30x given I can buy an Epipen for $23.99

              • And the quality of medical code isn't very good, still.......
              • That's not because of overregulation, but because of a pricing strategy called "what the market will bear". This is quite a bit more for critical drugs and gear than for toys, as pharmaceutical companies have discovered.

                If it was overregulation the price would have gone up everywhere, since pharmacovigilance regulations are pretty similar across the board. Okay, maybe some price disparity would have been there because some regulators require less proof. But still, this can never explain a 30x price differen

          • Re: (Score:2, Redundant)

            You can't blame Ford for the bad driving of the people crashing their cars. You can blame Ford for faulty mechanics. Most of your comparison is based on bad drivers, not Mechanical Problems. For the Most part, cars are relatively safe until people start driving.

            However, just about every IoT device that is faulty is broken by design. And they aren't being made by GE, Samsung or whatever, but by some Chinese fly-by-night cheap manufacturer for some IoT "inventor" who doesn't have the resources to pay out anyt

          • It wouldn't even require much more than writing a law that allows the corporate veil to be pierce-able in the event of egregious displays of information security negligence.

            Yes because the law is only a problem for information security negligence and these massive lawsuits, payouts, etc have stopped every other form of short cutting.

            Or not.

          • by gweihir ( 88907 )

            While it sounds extreme, I completely agree. Without that, nothing is going to change. As soon as anybody that did screw up this badly has to prove they followed best practices and had independent review OR ELSE (and the "ELSE" must be personal for senior management), this problem will mostly go away. One model could be IoT devices this insecure must be recalled and the owners compensated generously. Cannot assure that? No way for your trash to get through customs. Yes, regulation is generally not a good id

          • Issue with this: The presumption that product manufacturers can be held liable for how their products are used illegally. This idea is not new (see holding gun manufacturers liable for crimes committed with their products), and will not work.

            Try an alternative route.

        • by plover ( 150551 )

          THE only way to stop these botnets from forming is to not buy IoT devices. As convenient as they may be, they don't outweigh the inconvenience of a completely broken internet (of things)

          No, you need to not buy IoT devices that ship with working default passwords and that can't patch themselves. The way we made that happen in the marketplace before with electrical safety issues was with an overpriced certification authority, like UL or CSA, something customers can recognize in the shops today by the shiny holographic label.

      • The code scans across over a dozen architectures so unless someone alters the code to recreate the botnet but echo data about the devices to a central location then you are relying on the good will of companies to commit seppuku.
      • Re: Oh great (Score:5, Informative)

        by naughtynaughty ( 1154069 ) on Monday October 03, 2016 @12:22PM (#53005285)

        Almost all manufacturers ship devices with default username and passwords

        Changing them is your responsibility

        • ...and somehow houses/cars/etc. get doors with unique keys by default.
        • by Anonymous Coward

          Sure. Used to be in the UK if you bought say, a refrigerator, it didn't come with an electrical plug. Really. Whole fridge works, ready to go but no plug. That would come wrapped separately with just a bare lead on the fridge.

          Obviously every year some number of imbeciles who bought a fridge but struggled to follow instructions that involve knowing the colours of things and operating a screwdriver would wire it up wrong and kill themselves or destroy the integrity of their electrical system (e.g. wiring neut

        • by Macdude ( 23507 )

          Almost all manufacturers ship devices with default username and passwords
          Changing them is your responsibility

          The device should require the username and password be changed before it will function.

        • Almost all manufacturers ship devices with default username and passwords

          Changing them is your responsibility

          With the source code for Mirai that became a whole lot easier for me to do ;)

        • by gweihir ( 88907 )

          Actually, making sure you change username and password is their responsibility. The well-established way to do that is that unless you do, the device just displays a page asking you to. So this is indeed a massive screwup on the manufacturer's side.

      • I think a better use of this botnet would be to flood the manufacturers' websites. Maybe then they'll start caring about security.

  • by Nick ( 109 )
    It's amazing that is just now becoming a thing. IoT devices and their piss-poor security/default passwords/etc have been out for a while.
    • by gweihir ( 88907 )

      Quite a few experts have been warning about this problem for years. People never listen until something bad happens....

      • Maybe it could have something to do with the fact that half of you security "experts" are clearly frauds who do not understand the first thing about information theory. Where do you work, by the way?

        The $1000 is still yours, if you or one of your mental midget followers can manage to demonstrate a flaw in my design.

        Summary here: https://slashdot.org/comments.... [slashdot.org] The preamble is a loose working definition of hash. My stances and claims are enumerated below.
        • by gweihir ( 88907 )

          Go away, noob. Stalking does make your credibility even lower. As does trying to deride actual experts.

          • Actual experts can succinctly explain why they consider something to be massively flawed.

            And I'm not going to take etiquette advice from someone who uses sock puppets or minions, thanks. I'm performing a useful service; I'll be fact-checking all of your stuff for a little while. Won't take me 5 minutes a day. Don't worry, all other posts will be strictly on-topic from here on out.

            I don't mind losing debates, but I no longer abide frauds. Particularly not frauds who apologize for incompetence.
            • by gweihir ( 88907 )

              Stalking and deriding are not "fact checking". They are just immature revenge for a bruised ego. Your "usefulness" is just going even wider into the negative this way.

              • I'm not stalking you, you pathetic drama queen. I'm temporarily providing a service to the community to make sure you don't spread any more (unchallenged) self-indulgent authoritarian gibberish for a little while. Also, there may be some jokes at your expense if you happen set me up with a good line. Things have been slow lately but I've some upcoming stuff that will require my keenest attention and after that point I'm pretty sure keeping an eye on you will fall far down into the darkest depths of the ext
                • by gweihir ( 88907 )

                  Keep kidding yourself. You are doing the "mad stalker" act now. I just checked whether I should return the favor, but your postings are not interesting enough for that. I am simply going to ignore you now, encouraging a petulant child is never a good idea.

            • If you have that kind of time, I'd welcome a fact checker for all of my posts on /., FB, my personal blog, LinkedIn, etc. Would save me some embarrassment and help me improve my positions and arguments. I don't post much, so it'd be easy & would be good for my persuasive debate skills. Call it a "peer review" :) Now that I think about it, a "post for review" premium option for social platforms (or plugin to other CMS platforms) that sends the content to mechanical turk (or some other service) for revi
              • by gweihir ( 88907 )

                Nice! ;-)

              • Like I said, I'll be devoting something on the order of 5 min/day to this, perhaps 10. You'd have to write on the same complexity level of gweihir, and include similarly glaring errors, for me to be able to scan through all your posts that quickly.
  • Headline translation: "We're Doomed."

    • by The-Ixian ( 168184 ) on Monday October 03, 2016 @11:08AM (#53004623)

      I fully expect that we are facing nothing less than total apocalypse

      This is the end people!

      Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

      • More like this is the start of Skynet. Just wait until the AI we are creating get a hold of all the IoT devices ...

      • by arth1 ( 260657 )

        Remember y2k? Yeah, just imagine that times 1... you are starting to get the picture...

        Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline. If all the people who worked on it hadn't, it would have been a rather terrible impact.

        Unfortunately, there isn't (yet) an irresistible incentive or imperative to fix the ToI problem. Even for those recognizing it as a problem, there is no deadline nor any good predictions that will sway management to

        • Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

          This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

          • by St.Creed ( 853824 ) on Monday October 03, 2016 @03:35PM (#53006601)

            Y2K was a big deal. That most people didn't notice much is a testament to what happens when you take something seriously, and get a lot of skilled people to work on a problem with a non-negotiable deadline.

            This is absolutely true. The reason Y2K wasn't a big deal is because thousands of programmers sat down and fixed stuff. Otherwise, we would have seen all sorts of shit go belly up at the stroke of midnight on December 31st 1999.

            Hell yeah. In our first tests after the bugs were fixed, literally NOTHING worked. They had forgotten to patch the login module and every password valid date was now suddenly in the past. 50 testers went home again that day, after an hour, on a Saturday. Much grumbling ensued.

            But... you know, at some point no one who was present at Y2K will be alive, but the people who denied that there ever was a problem will still be in abundant supply. It's saddening to see that if you just deny something happened, no matter what it is and no matter the documentation and witnesses, eventually sheer stupidity and mental inertia will bring you victory. Fighting entropy is *hard*.

            • no one who was present at Y2K will be alive

              You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
              I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

              • You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype

                Yep.

                You mean no one who actually worked on the Y2K issue will be alive, and everyone will just think it was media hype.
                I worked for a major bank at the time, we had to work night shifts towards the end for testing, we started making changes about 4 years before Y2K, millions was spent on contractors, people came out of fucking retirement to work on Y2K. But ask anyone who wasn't involved (even other programmers) and they all think it was much ado about nothing.

                This illustrates what is often said: the person that creates crisis after crisis and then fixes them (just in time to avoid serious disaster) will be appreciated more than the unsung hero who prevents the problems from developing in the first place. Sometimes I think we should have just let Y2K happen and then fixed things. But meh, what's done is done and besides it is our job to keep things running. Leave it to the amateurs to run from one fire to another - engineers are proud to run things so there a

      • I fully expect that we are facing nothing less than total apocalypse
        This is the end people!

        Start doling out the Kool-Aid and make sure each cup is filled to the brim...bottoms up!

        But seriously, this is likely to make things worse, much much worse.

  • Better that it's out in the open than hidden in the shadows, out of reach of security researchers.

    This will motivate competent admins who, for whatever reason, haven't secured these kinds of devices already to get around to taking care of the issue. As for the incompetent admins and the average home user, they'll figure it out when their bandwidth costs go through the roof and be forced to take action one way or another.

    But long story short, if a tool exists (good or bad) it's better that everyone can acces

    • Most of these are not on any administrated system. These are baby monitors, home security cameras, "smart" toasters, and similar junk. We are selling piles of internet connected junk to the masses, but with no responsibility for anyone to make them secure after the fact. It is in fact getting harder to find widgets that are NOT internet connected just for the sake of being able to label it "smart".

      Smart toilet paper that tells you when the roll is about empty and automatically re-orders from Amazon will

      • by gtall ( 79522 )

        It will only be smart toilet paper when it wipes me by itself, dumps itself in the toilet, and then flushes itself away.

    • by Okian Warrior ( 537106 ) on Monday October 03, 2016 @11:31AM (#53004811) Homepage Journal

      Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.

      Apparently power cycling the IoT device will reset it to normal, whereupon it can be reinfected.

      Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

      The owners would have to keep power-cycling the devices, they'd get pissed at the manufacturers for making a poor product, and maybe they'd replace the devices with newer ones.

      This should be simple to do, much less effort than making the code try to contact the owner with "hey - change your password" and such.

      Would just making the products appear crappy work?

      • by arth1 ( 260657 )

        Reading about this, I was wondering if there isn't some way to mitigate the problem by pre-emptively borking the devices.

        "Do unto others before they do it to you."

        I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

        • "Do unto others before they do it to you."

          I don't like that approach, because of the high risk of collateral damage. What if some of the "things" were things like traffic sign controllers or great-grandmother's heating blanket, or also regulated the propane flow in a barbecue grill? Unless you can only take out the bad part and leave the good part intact, I see risks.

          Given our history with new technology going mainstream, it'll take a few front page level incidents involving these gadgets before people take their security (or lack thereof) seriously.

          • ...or also regulated the propane flow in a barbecue grill?

            Holy fuckballs. Anyone stupid enough to allow an IoT device to control something like the propane flow in a barbecue grill deserves to have their house blown to bits in a huge fuckin' fireball.

            No, really- there are some things that simply should not be automated unless absolutely necessary. And that goes double if the controlling is done through an IoT gadget.

            It's like trusting your newborn's oxygen supply to some ten-dollar gizmo sourced in China. No. No, NO NO.

      • The problem there is that the group behind it would probably be liable under the Computer Fraud and Abuse Act - all it would take is a few calls from the managers at the IoT device companies to the FBI and the security group behind it would be arrested and probably jailed for violating it. The CFAA is so wide-reaching that even something as simple as hacking into the devices to display a simple "This device is vulnerable and could be used at any time as part of a botnet to DDoS websites" could be punished b

      • Suppose some security group ran the malware and infected as many devices as possible with code that made the device *not work*.

        History repeats itself [wikipedia.org]

  • Duplicate story (Score:3, Informative)

    by eledill ( 4710861 ) on Monday October 03, 2016 @11:12AM (#53004655)
    This is a duplicate of http://m.slashdot.org/story/31... [slashdot.org]
    • Re:Duplicate story (Score:5, Informative)

      by xxxJonBoyxxx ( 565205 ) on Monday October 03, 2016 @11:25AM (#53004745)
      Half the editors were too busy fending off a DDOS attack to read their own site. The other half still use a username/password of "admin/admin123" on their home devices and couldn't read their own site because their equipment was currently part of a global botnet.

      More seriously, here's the list of usernames/passwords the bot exploited. Might be worth adding to your personal collection to make sure your scanner notices these.

      root xc3511, root vizxv, root admin, admin admin, root 888888
      root xmhdipc, root default, root juantech, root 123456, root 54321, support support
      root (none), admin password, root root, root 12345, user user, admin (none)
      root pass, admin admin1234, root 1111, admin smcadmin, admin 1111, root 666666
      root password, root 1234, root klv123, service service, supervisor supervisor, guest guest
      guest 12345, guest 12345, admin1 password, administrator 1234, 666666 666666, 888888 888888
      ubnt ubnt, root klv1234, root Zte521, root hi3518, root jvbzd, root anko, root zlxx., root 7ujMko0vizxv, root 7ujMko0admin
      root system, root ikwb, root dreambox, root user, root realtek, root 00000000, admin 1111111
      admin 1234, admin 12345, admin 54321, admin 123456, admin 7ujMko0admin, admin 1234, admin pass
      admin meinsm, tech tech, mother fucker
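The practical use of the list above is the one the poster suggests: checking your own gear against it. The following is an added example, not code from the thread or from Mirai: it parses the posted list into (username, password) pairs, treating "(none)" as an empty password and tolerating the stray separators in the post, and then audits a device inventory. The inventory, hostnames and credentials in INVENTORY are constructed for the example; in practice you would feed it the credentials you actually have configured on your devices.

```python
"""Audit a device inventory against the default credential list Mirai tried.

Added example; the credential text is the list posted in the thread and the
device inventory below is constructed, not real.
"""
from typing import Dict, List, Set, Tuple

# Credential pairs exactly as posted above ("user password", comma separated).
# "(none)" in the post denotes an empty password.
MIRAI_CREDENTIAL_TEXT = """
root xc3511, root vizxv, root admin, admin admin ,root 888888
root xmhdipc, root default ,root juantech ,root 123456, root 54321, support support
root (none) ,admin password ,root root ,root 12345 ,user user ,admin (none)
root pass ,admin admin1234 ,root 1111 ,admin smcadmin ,admin 1111 ,root 666666
root password ,root 1234 ,root klv123 ,service service, supervisor supervisor ,guest guest
guest 12345, , guest 12345, admin1 password ,administrator 1234 ,666666 666666 ,888888 888888
ubnt ubnt ,root klv1234 ,root Zte521 ,root hi3518 ,root jvbzd ,root anko ,root zlxx. ,root 7ujMko0vizxv ,root 7ujMko0admin
root system ,root ikwb ,root dreambox ,root user ,root realtek ,root 00000000 ,admin 1111111
admin 1234 ,admin 12345 ,admin 54321 ,admin 123456 ,admin 7ujMko0admin ,admin 1234 ,admin pass
admin meinsm ,tech tech ,mother fucker
"""

Credential = Tuple[str, str]


def parse_credential_list(text: str) -> Set[Credential]:
    """Turn the posted free-text list into a set of (username, password) pairs."""
    pairs: Set[Credential] = set()
    # Newlines and commas both separate entries in the post.
    for item in text.replace("\n", ",").split(","):
        item = item.strip()
        if not item:
            continue  # the post contains an empty ", ," slot; skip it
        parts = item.split()
        if len(parts) != 2:
            continue  # not a "user password" token; ignore rather than guess
        user, password = parts
        if password == "(none)":
            password = ""  # "(none)" in the post means no password at all
        pairs.add((user, password))
    return pairs


KNOWN_DEFAULTS: Set[Credential] = parse_credential_list(MIRAI_CREDENTIAL_TEXT)


def is_default_credential(user: str, password: str) -> bool:
    """True if this exact pair is one Mirai tried, or the password is empty."""
    return (user, password) in KNOWN_DEFAULTS or password == ""


def audit_inventory(inventory: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Return (host, reason) for every device whose credential needs changing."""
    findings: List[Tuple[str, str]] = []
    for device in inventory:
        user, password = device["username"], device["password"]
        if (user, password) in KNOWN_DEFAULTS:
            findings.append((device["host"], "credential is on the Mirai default list"))
        elif password == "":
            findings.append((device["host"], "empty password"))
    return findings


# Constructed inventory (hypothetical hosts and credentials, for the example only).
INVENTORY: List[Dict[str, str]] = [
    {"host": "cam-01", "username": "root", "password": "xc3511"},       # on the list
    {"host": "dvr-02", "username": "admin", "password": ""},            # "admin (none)"
    {"host": "router-03", "username": "admin", "password": "Tr0ub4dor&3"},  # not on the list
    {"host": "nvr-04", "username": "root", "password": "7ujMko0admin"},  # on the list
]

if __name__ == "__main__":
    for host, reason in audit_inventory(INVENTORY):
        print(f"{host}: {reason}")
```

Running the block lists cam-01, dvr-02 and nvr-04; router-03 passes. The check is deliberately an exact-pair match plus an empty-password rule, so a device with a unique password still passes even if its username is "root" or "admin", which is what the poster's point about changing credentials calls for.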
  • This just in: Post Title for Source Code For IoT Botnet 'Mirai' Which Took Down Krebs On Security Website With DDoS Attack Released Deemed 'Not Enough Like That Brain Freeze Feeling' on Slashdot

  • The same story was posted yesterday.
  • by GrumpySteen ( 1250194 ) on Monday October 03, 2016 @11:47AM (#53004945)

    Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

    • Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      So they lock themselves out of a *third* sale? Doubtful. Easier to just change brand names; boxes and labels are cheap to make in the Pacific Rim.

      • by rhazz ( 2853871 )
        And their new products will also tank. Soon the majority of people will stop buying from random vendors and only buy from reputable ones who have proven products.

        The real problem is how authorities are likely to react to someone breaking these devices. Breaking every hackable IoT device out there is likely to cause much more consumer backlash than the occasional DDOS does. I bet the authorities would expend more against the person breaking the devices than the ones using them in the botnets.
    • Use the source code to create malware that disables the functionality of the insecure devices. When it becomes apparent that massive numbers of them stop working soon after installation, sales will drop through the floor and that is the only thing that will make manufacturers change their behavior.

      That sounds ethical. While you're at it, why not have them first DDOS the websites of political entities you find objectionable?

      • why not have them first DDOS the websites of political entities you find objectionable?

        Because manufacturers don't give a shit about someone else being hit with a DDOS from their products.

        Your argument is based on the completely fallacious idea that a manufacturer suffering the consequences of making shoddy products is exactly the same as randomly suppressing someone's political views. It's a stupid argument.

        Until not having real security reduces their profit more than the cost of adding security, nothing will happen. Malware that disables the functionality of devices and makes it obvious t

        • by Anonymous Coward

          Why not have them first DDOS the websites of their manufacturer?

        • The manufacturers don't give a shit, and I bet the people who haven't secured their own devices give even less of a shit as well. They WILL give a shit if their IoT device gets borked however, even if the intention was altruistic the legal response will put you in jail. I don't feel like doing time to stop Krebs, or Trump or Hillary or anyone else from getting DDOS'd. But hey, it's a good idea, go for it.
    • Bricking the device negatively impacts the end-user, who frequently has zero control over security flaws in the firmware. Instead, the malware should figure out who the manufacturer is of the device it's infected, then start DDoSing that manufacturer's website. Minimal impact to the end-user, but the manufacturer's problem scales with the number of insecure devices they sell and leave unfixed.