Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Botnet Security Privacy The Internet

Massive Mirai Botnet Hides Its Control Servers On Tor (bleepingcomputer.com) 149

"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.

Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.

This discussion has been archived. No new comments can be posted.

Massive Mirai Botnet Hides Its Control Servers On Tor

Comments Filter:
  • by JustAnotherOldGuy ( 4145623 ) on Saturday December 17, 2016 @07:03PM (#53505469) Journal

    This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.

    When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

    And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

    Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?

    Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

    • Force all their internet through a proxy that routes everything to goatse for the next 20 years to life.

      I can almost hear them screaming:

      "My eyes, they burn, kill me now, please kill me now."

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Saturday December 17, 2016 @07:50PM (#53505627)
      Comment removed based on user account deletion
      • If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety.

        I'm sure the thousands of fly-by-night Chinese manufacturers making this stuff will jump to attention and immediately follow our demands to make their shit safe.

        • by gweihir ( 88907 )

          Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in. Sure, that would need to be done in a lot of countries, but a concerted effort is the only thing that helps anyways.

          • Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in.

            And who will do all of the testing required to make sure that all of these devices are safe or not exploitable? Where will the manpower come from to find and test the millions of devices that come into the country?

            I agree that companies should be held responsible for insecure hardware, but it's a moving target that's going to be nearly impossible to hit again and again and again.

            • IMO, the only practical way to combat this would be to create a vigilante botnet that bricks everything it infects.

            • by gweihir ( 88907 )

              And how does that happen, say, for children's toys containing lead? The problem seems to be pretty similar to me...

              We are not talking about hard to find vulnerabilities either. We are talking things like telnet-access, default-passwords, no-passwords and no update possibilities. All not hard to determine.

        • Comment removed based on user account deletion
      • by gweihir ( 88907 )

        Very much this. The script-kiddies are at best vandals. Vandals are never the root-cause of a problem, they are just an annoyance. Those that allow this to happen when they could prevent it are willfully endangering critical infrastructure and that is just completely unacceptable.

    • by bug1 ( 96678 )

      When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.

      Its not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.

      crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?

      Maybe try a technical solution to a technical problem, like not having publicly accessible Internet for critical infrastructure.

      Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?

      Yes it does, your a crazy extremist

      • Its not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.

        Then maybe it's time to update the definition. It sure sounds and smells like terrorism to me. Crippling an entire country's economy and infrastructure seems like a violent act, even if it's done through a keyboard.

        -

        Yes it does, your a crazy extremist

        First of all, it's "you're", and second, what's your point? It's okay to fuck over an entire country and potentially cause thousands of deaths, but I'm the extremist when I say we should lock the perpetrators up for 20 years?

        • by bug1 ( 96678 )

          There needs to be a political goal for it to be considered terrorism.

          The law is based on precedents and consistency in judgements, reinterpreting legal definitions because your afraid is just terribly selfish. Why cant you just use other words ?

          If someone sabotages equipment that leads to thousands of deaths, then there are other laws to cover that.

          The law should not be used as propaganda

          your, your, your, your :)

    • The network itself may have a pretty good track record of never totally falling over, but there is no guarantee at any given moment that there will be connectivity where you are, right now. Networks and entire countries can be cut off, and an emergency responder had best assume in a SHTF scenario that data service will be intermittent to completely unavailable. What happened to the radios in the cars? Those won't just stop working (unless it's an EMP attack, but what good is a network connection if all your

    • by Anonymous Coward

      One of my jobs in the past, was crisis potential utilization.

      we didn't generate a crisis. But we noted where potential problems existed, then take actions 3 steps removed to influence other pieces to get closer. Say you find a mop closet storing petrol, ether etc. having people work there who are inclined to be lazy & not be thorough or safe is a good start. having it appear as a convenient spot to smoke is a good next step. Whatever happens next, the only real job is to clean up the situation, discredi

    • Difficult to identify, catch, jurisdiction problems in foreign countries... The manufacturers who sell insecure shit woth hard coded / staic default passwords on the hand should be fined steeply
    • by gweihir ( 88907 )

      The tiny problem with that is that penalties have zero preventative effect. Criminals do not assume they will get caught. Hence while this does serve a primitive desire for revenge, it will not do anything about the problem at all.

      In addition, the penalty is quite out of proportion to the crime. In fact, the actual access will not even be a crime in many legislations, because the devices were not secured at all, no hacking needed. The real problem is badly secured and not-secured IoT devices. If you put ope

      • The tiny problem with that is that penalties have zero preventative effect.

        Actually, this isn't wholly true. It's a popular misconception that that penalties don't change behavior. Penalties do have some effect, although there will always be those who will take the risk. For example, would you sell or smuggle drugs if there was no penalty? How about committing fraud, or theft, or murder? A lot of people would do those things if there was no penalty, but many of those people look at the downside of getting caught and opt not to do it.

        And frankly, prevention isn't necessarily the en

        • by gweihir ( 88907 )

          You need to have a serious look into the literature. Nothing you propose works. And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?

          • And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?

            No problem, we'll house the "next one" in the cell next door to the first one. (Or the next empty cemetery plot.) And so on. Just because we can't prevent it doesn't mean there shouldn't be penalties, right? That's what 99% of the laws on the books are all about- punishing offenders, not preventing them from committing crimes.

            I already said that some people aren't deterred by the threat of death or imprisonment, but that's going to be their problem when they get caught, not mine. Locking them up (or lopping

            • by gweihir ( 88907 )

              So you do not mind the problem persisting as long as you can brutalize or kill a few people? Talk about a cave-man mindset.

              • So you do not mind the problem persisting as long as you can brutalize or kill a few people?

                Are you saying we shouldn't punish people for committing crimes? That seems stupid and naive.

    • If a bunch of teenagers can crush an economy, then the foundation of that economy is faulty. You don't build critical infrastructure around it, ignoring and leaving your vulnerabilities exposed. This new generation of technologists have thrown best practices out the window. Nobody looks at single points of failure anymore. Increase the punishment for pressing the big-red button?
      • If a bunch of teenagers can crush an economy, then the foundation of that economy is faulty.

        If a bunch of teenagers can burn your house down, is the house faulty?

        Everything is "faulty" in one way or another, but that doesn't give anyone a free pass to destroy it.

  • by davidwr ( 791652 ) on Saturday December 17, 2016 @07:08PM (#53505485) Homepage Journal

    It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.

    If you want to allow your thermostat to talk to a specific external host then punch a very narrow hole in the firewall to allow it.

    Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.

    This will require industry cooperation:
    * Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
    * ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off. If you use one of these new routers, it's much less likely that bad things will come out of your network."

    • It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.

      Sure because users are that clued on in IT stuff now. They can't even change their default passwords but they'll manage a firewall no problems.

      * Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer

      Something like UPnP? Yeah let's develop a firewall along with a protocol to punch holes through it automagically.

      ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off.

      Tell customers that they will cease being your customers and you don't want more money from them? When has something like this every had the cooperation of industry? ISPs are fighting against cutting customers off when they have legal requirements to do so

    • Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.

      LOLWTF? Does nobody use hubs or switches anymore? It seems to me the best way to keep my LAN data from leaking out my WAN is for the router to not be involved in transmitting it at all...

  • by golodh ( 893453 ) on Saturday December 17, 2016 @07:21PM (#53505525)
    It's interesting to see history repeat itself (again). Years ago you had some very vocal pimply-faced youths who jeered about how they were illegally distributing copyrighted works (software, music, video, books. Stupid companies! No copyright protection, lame copyright protection ... easy meat !

    Result ? Among others the DMCA. Various individuals were sued into bankruptcy by the music industry, just to show people what the risks were (remember single mother Jammie Thomas ? See: https://en.wikipedia.org/wiki/... [wikipedia.org]) . Some were driven to suicide (see https://en.wikipedia.org/wiki/... [wikipedia.org] ).

    What shouty nerds tend to forget is that (like it or not) they are part of a society that can (and does) sets certain limits on their behaviour. Which can be enforced. With or without their consent.

    Tor routers can be a force for the good (avoiding censorship, protecting human rights activists, protecting investigative journalists) but they really _can_ be eradicated, given sufficient incentive.

    Just outlaw the servers, force ISP's to scan all Internet traffic for TOR servers, log any connections and isolate / report them as soon as they're detected. Send a SWAT team to visit anyone who connects to a TOR server to seize their computers pending investigation. Set penalties sufficiently high to pay for all that and publicly sue a few tens of offenders into bankruptcy.

    Should cow 99% of all TOR users, right? The 1% who aren't cowed are probably up to no good anyway.

    A bit like China. Not pretty, and people won't like it, but it really can be enforced.

    The detection and tracking part is already in place. Just consider the raft of deep-packet inspection routers that has been installed already (see https://en.wikipedia.org/wiki/... [wikipedia.org] ).

    I'm not saying I'd like to see something like that (I wouldn't). All I'm saying is that stupid and venal abusers like this a**hole botnet operator make it that much more likely that something like that will occur. Whether we realise it or not. To the detriment of us all.

  • by ezdiy ( 2717051 ) on Saturday December 17, 2016 @10:08PM (#53505987)
    1) No botnet actually hijacked 900k CPEs of DT, at the moment there are rougly between 10k-40k zyxel ones across the world. The outages were caused by the increased 7547 scan traffic crashing routers of other vendors.

    2) Zyxel SOAP RCE probes died down rapidly past 2 weeks. There is still some traffic (wget vizxv.pw/a if you're curious, note that you need actual wget user-agent), but the botnet is relatively small at this point.

    3) As for general IoT botnets using telnet, running a simple cowrie honeypot will tell you that C&C method of current largest botnet is not Tor based, but bittorrent DHT based. The codebase appears to be unrelated to mirai, too.

    All of the above can be fact checked using pretty simple tools - for TR-069 exploit simply listen with netcat, for telnet/ssh bruteforce use cowrie. Botnet size can be gauged accurately by sampling scan probes (mirai codebase sends 160 probes/s).
  • Maybe the guy will turn some of those hacked devices into TOR nodes and actually do some good for the world.
  • Please get at least basic facts right in stories: It crashed these routers, but it did not get in, as the vulnerability exploited was not present. A DoS vulnerability remained unfortunately, and the port the service was running on was globally reachable. Bad, but not nearly as bad as being vulnerable to "hijacking".

  • Simply requires the cooperation of all ISP's. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.

    No matter what kind of encryption used you can characterize streams by various types of signature. Second ISP's could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery. Finally on

    • by Agripa ( 139780 )

      Simply requires the cooperation of all ISP's. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.

      They sure have. I believe they are seizing and retaining the content as well if only with the excuse that it also contains metadata.

      No matter what kind of encryption used you can characterize streams by various types of signature.

      It is a good thing that nobody would duplicate the signature of an already well known and secure encryption solution which is already used for routine connections.

      Second ISP's could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery.

      This is easy to defeat at a cost in only bandwidth and latency. Completely anonymous communications are possible where every piece of metadata is recorded and the increased cost in bandwidth means that there will be

Technology is dominated by those who manage what they do not understand.

Working...