Massive Mirai Botnet Hides Its Control Servers On Tor (bleepingcomputer.com)
"Following a failed takedown attempt, changes made to the Mirai malware variant responsible for building one of today's biggest botnets of IoT devices will make it incredibly harder for authorities and security firms to shut it down," reports Bleeping Computer. An anonymous reader writes: Level3 and others" have been very close to taking down one of the biggest Mirai botnets around, the same one that attempted to knock the Internet offline in Liberia, and also hijacked 900,000 routers from German ISP Deutsche Telekom.The botnet narrowly escaped due to the fact that its maintainer, a hacker known as BestBuy, had implemented a domain-generation algorithm to generate random domain names where he hosted his servers.
Currently, to avoid further takedown attempts from similar security firms, BestBuy has started moving the botnet's command and control servers to Tor. "It's all good now. We don't need to pay thousands to ISPs and hosting. All we need is one strong server," the hacker said. "Try to shut down .onion 'domains' over Tor," he boasted, knowing that nobody can.
Re: (Score:1)
Trivial.
You don't really believe HTTPS [theregister.co.uk] is secure, do you?
Re: (Score:1)
Even worse. Anybody can make a fake
Re: (Score:2)
* hurt the Tor network itself, which in the short term does more harm than good
The goalpost is moving. Assisting the destruction of the 'net is going to leave Tor more vulnerable than they have ever been. My money is on someone identifying BestBuy, he has accumulated too many enemies.
Punishable by death (Score:4, Insightful)
This kind of thing should be punishable by death. No, I'm not kidding. Death, or 20 years with no chance of parole.
When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.
And worse yet, these things will only get more powerful...how long until the US is seriously plagued by one or more of them fucking up the economy, crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?
Most of you reading this would lose your jobs if the net was crippled for a month or two by one of these fucking botnets, and what happens when 5 or 10 of 50 players, some funded at the state level, all get involved?
Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?
Better punishment (Score:1)
Force all their internet through a proxy that routes everything to goatse for the next 20 years to life.
I can almost hear them screaming:
"My eyes, they burn, kill me now, please kill me now."
Comment removed (Score:5, Insightful)
Re: (Score:2)
If there are things that are dangerous, you see to it that they are not dangerous any more. You force companies to deal with safety.
I'm sure the thousands of fly-by-night Chinese manufacturers making this stuff will jump to attention and immediately follow our demands to make their shit safe.
Re: (Score:2)
Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in. Sure, that would need to be done in a lot of countries, but a concerted effort is the only thing that helps anyways.
Re: (Score:2)
Block it at the borders. Customs still has authority over what gets into the country via legal channels. It is not like these IoT devices were smuggled in.
And who will do all of the testing required to make sure that all of these devices are safe or not exploitable? Where will the manpower come from to find and test the millions of devices that come into the country?
I agree that companies should be held responsible for insecure hardware, but it's a moving target that's going to be nearly impossible to hit again and again and again.
Re: (Score:2)
IMO, the only practical way to combat this would be to create a vigilante botnet that bricks everything it infects.
Re: (Score:2)
And how does that happen, say, for children's toys containing lead? The problem seems to be pretty similar to me...
We are not talking about hard to find vulnerabilities either. We are talking things like telnet-access, default-passwords, no-passwords and no update possibilities. All not hard to determine.
Re: (Score:2)
Very much this. The script-kiddies are at best vandals. Vandals are never the root-cause of a problem, they are just an annoyance. Those that allow this to happen when they could prevent it are willfully endangering critical infrastructure and that is just completely unacceptable.
Re: (Score:3)
When one or two dickheads with a botnet can knock an entire country offline, there should be severe repercussions. That's terrorism by any definition.
It's not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.
crippling emergency services and police response, interfering with hospitals, and hampering commerce in general?
Maybe try a technical solution to a technical problem, like not having publicly accessible Internet for critical infrastructure.
Now the death penalty or 20 years hard time doesn't sound so outrageous, does it?
Yes it does, your a crazy extremist
Re: (Score:2)
It's not terrorism by any definition, terrorism is using violence or threats of violence to achieve a political goal.
Then maybe it's time to update the definition. It sure sounds and smells like terrorism to me. Crippling an entire country's economy and infrastructure seems like a violent act, even if it's done through a keyboard.
-
Yes it does, your a crazy extremist
First of all, it's "you're", and second, what's your point? It's okay to fuck over an entire country and potentially cause thousands of deaths, but I'm the extremist when I say we should lock the perpetrators up for 20 years?
Re: (Score:2)
There needs to be a political goal for it to be considered terrorism.
The law is based on precedents and consistency in judgements, reinterpreting legal definitions because your afraid is just terribly selfish. Why can't you just use other words?
If someone sabotages equipment that leads to thousands of deaths, then there are other laws to cover that.
The law should not be used as propaganda
your, your, your, your :)
Re: (Score:2)
Why can't you just use other words?
Fine, use other words if that makes you happy.
The Internet is not designed for 100% reliability. (Score:2)
The network itself may have a pretty good track record of never totally falling over, but there is no guarantee at any given moment that there will be connectivity where you are, right now. Networks and entire countries can be cut off, and an emergency responder had best assume in a SHTF scenario that data service will be intermittent to completely unavailable. What happened to the radios in the cars? Those won't just stop working (unless it's an EMP attack, but what good is a network connection if all your
Never let a good crisis go to waste (Score:1)
One of my jobs in the past, was crisis potential utilization.
We didn't generate a crisis. But we noted where potential problems existed, then took actions 3 steps removed to influence other pieces to get closer. Say you find a mop closet storing petrol, ether etc. Having people work there who are inclined to be lazy & not be thorough or safe is a good start. Having it appear as a convenient spot to smoke is a good next step. Whatever happens next, the only real job is to clean up the situation, discredi
Re: Punishable by death (Score:1)
Re: (Score:2)
Difficult to identify, catch, jurisdiction problems in foreign countries...
So was Bin Laden and we buried that motherfucker at sea.
Re: (Score:2)
The tiny problem with that is that penalties have zero preventative effect. Criminals do not assume they will get caught. Hence while this does serve a primitive desire for revenge, it will not do anything about the problem at all.
In addition, the penalty is quite out of proportion to the crime. In fact, the actual access will not even be a crime in many legislations, because the devices were not secured at all, no hacking needed. The real problem is badly secured and not-secured IoT devices. If you put ope
Re: (Score:2)
The tiny problem with that is that penalties have zero preventative effect.
Actually, this isn't wholly true. It's a popular misconception that penalties don't change behavior. Penalties do have some effect, although there will always be those who will take the risk. For example, would you sell or smuggle drugs if there was no penalty? How about committing fraud, or theft, or murder? A lot of people would do those things if there was no penalty, but many of those people look at the downside of getting caught and opt not to do it.
And frankly, prevention isn't necessarily the en
Re: (Score:2)
You need to have a serious look into the literature. Nothing you propose works. And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?
Re: (Score:2)
And, incidentally, how is prevention not a goal, when getting one guy just frees up the whole bot-net to be grabbed by the next one?
No problem, we'll house the "next one" in the cell next door to the first one. (Or the next empty cemetery plot.) And so on. Just because we can't prevent it doesn't mean there shouldn't be penalties, right? That's what 99% of the laws on the books are all about- punishing offenders, not preventing them from committing crimes.
I already said that some people aren't deterred by the threat of death or imprisonment, but that's going to be their problem when they get caught, not mine. Locking them up (or lopping
Re: (Score:2)
So you do not mind the problem persisting as long as you can brutalize or kill a few people? Talk about a cave-man mindset.
Re: (Score:2)
So you do not mind the problem persisting as long as you can brutalize or kill a few people?
Are you saying we shouldn't punish people for committing crimes? That seems stupid and naive.
Re: (Score:2)
If a bunch of teenagers can crush an economy, then the foundation of that economy is faulty.
If a bunch of teenagers can burn your house down, is the house faulty?
Everything is "faulty" in one way or another, but that doesn't give anyone a free pass to destroy it.
Improve consumer firewalls (Score:4, Interesting)
It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.
If you want to allow your thermostat to talk to a specific external host then punch a very narrow hole in the firewall to allow it.
Heck, I would go so far as to put everything on the LAN side in its own DMZ. If you want your PC to talk to your media player, punch a specific hole in the firewall.
This will require industry cooperation:
* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
* ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off. If you use one of these new routers, it's much less likely that bad things will come out of your network."
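What the comment above asks for, written out as an added example (not code from the commenter): a default-deny forward chain with narrow per-device holes, rendered as an nftables ruleset. Interface names, addresses and ports are invented, each device class is assumed to sit on its own router interface or VLAN (a router cannot filter between hosts that share one switch segment), and the output targets nft syntax as accepted by nftables 0.9 or later.

```python
"""Render a default-deny nftables ruleset from an explicit allowlist.

Added example, not code from the comment's author. Assumptions: each device
class sits on its own router interface/VLAN (names below are invented), IPv4
only, and nft syntax as accepted by nftables 0.9 or later.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Hole:
    """One narrow hole punched through the forward chain."""
    src_if: str   # interface the client sits on, e.g. "iot0" (assumed name)
    src: str      # client address or CIDR
    dst_if: str   # interface the server is reached through, e.g. "wan0"
    dst: str      # server address or CIDR
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


def render_ruleset(table: str, holes) -> str:
    """Return an nft ruleset whose forward chain drops everything not listed."""
    lines = [
        f"table inet {table} {{",
        "  chain forward {",
        # Chain policy: nothing crosses the router unless a rule below accepts it.
        "    type filter hook forward priority 0; policy drop;",
        # Replies to flows accepted below come back; invalid state is dropped early.
        "    ct state established,related accept",
        "    ct state invalid drop",
    ]
    for h in holes:
        if h.proto not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol {h.proto!r}")
        if not 0 < h.dport < 65536:
            raise ValueError(f"bad port {h.dport}")
        lines.append(
            f'    iifname "{h.src_if}" ip saddr {h.src} '
            f'oifname "{h.dst_if}" ip daddr {h.dst} '
            f"{h.proto} dport {h.dport} accept"
        )
    # Rate-limited log of whatever reaches the end, so a hole that is too
    # narrow shows up in the kernel log instead of as a silent outage.
    lines.append('    limit rate 10/second log prefix "fwd-drop: "')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Thermostat may reach exactly one vendor host on 443; the PC subnet may reach
# the media player on one port; everything else, LAN-to-LAN included, is dropped.
HOLES = (
    Hole("iot0", "192.168.10.20", "wan0", "203.0.113.10", "tcp", 443),
    Hole("lan0", "192.168.1.0/24", "media0", "192.168.20.5", "tcp", 8200),
)

if __name__ == "__main__":
    print(render_ruleset("home", HOLES), end="")
```

Load the output with `nft -f`. The router's own input chain (DHCP, a local resolver) and NAT are not shown; note that a thermostat allowed only to one host on 443 will still need DNS and usually NTP, so either resolve and serve time locally on the router or punch those two holes explicitly rather than widening the 443 one.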
Re: (Score:1)
I love when people think ISPs will willingly deny themselves money for altruistic reasons,
Or lawsuit-prevention reasons.
How soon before someone successfully sues an ISP for failing to cut off someone once they are notified their customer has a bot or other malicious machine on his LAN?
Re: (Score:2)
It's time for consumer firewalls to be "block all by default" in all directions, not just WAN-to-LAN.
Sure because users are that clued on in IT stuff now. They can't even change their default passwords but they'll manage a firewall no problems.
* Protocols will have to be developed so "punching holes in firewalls" becomes super-easy for the consumer
Something like UPnP? Yeah let's develop a firewall along with a protocol to punch holes through it automagically.
ISPs will have to start telling customers "if bad things come out of your network, we WILL cut you off.
Tell customers that they will cease being your customers and you don't want more money from them? When has something like this ever had the cooperation of industry? ISPs are fighting against cutting customers off when they have legal requirements to do so
Re: (Score:2)
LOLWTF? Does nobody use hubs or switches anymore? It seems to me the best way to keep my LAN data from leaking out my WAN is for the router to not be involved in transmitting it at all...
Typical precursor to heavy-handed legislation (Score:4, Interesting)
Result ? Among others the DMCA. Various individuals were sued into bankruptcy by the music industry, just to show people what the risks were (remember single mother Jammie Thomas ? See: https://en.wikipedia.org/wiki/... [wikipedia.org]) . Some were driven to suicide (see https://en.wikipedia.org/wiki/... [wikipedia.org] ).
What shouty nerds tend to forget is that (like it or not) they are part of a society that can (and does) set certain limits on their behaviour. Which can be enforced. With or without their consent.
Tor routers can be a force for the good (avoiding censorship, protecting human rights activists, protecting investigative journalists) but they really _can_ be eradicated, given sufficient incentive.
Just outlaw the servers, force ISP's to scan all Internet traffic for TOR servers, log any connections and isolate / report them as soon as they're detected. Send a SWAT team to visit anyone who connects to a TOR server to seize their computers pending investigation. Set penalties sufficiently high to pay for all that and publicly sue a few tens of offenders into bankruptcy.
Should cow 99% of all TOR users, right? The 1% who aren't cowed are probably up to no good anyway.
A bit like China. Not pretty, and people won't like it, but it really can be enforced.
The detection and tracking part is already in place. Just consider the raft of deep-packet inspection routers that has been installed already (see https://en.wikipedia.org/wiki/... [wikipedia.org] ).
I'm not saying I'd like to see something like that (I wouldn't). All I'm saying is that stupid and venal abusers like this a**hole botnet operator make it that much more likely that something like that will occur. Whether we realise it or not. To the detriment of us all.
Re: (Score:2)
You can. And you can even read up on how to do it right. Add cover-traffic, and there is no way to ever identify where commands have been inserted into the bot-net. You lose a bit on the real-time control side, but not much. Using Tor here is a _convenience_, it is not a _necessity_.
Massively misinformative article (Score:3, Informative)
2) Zyxel SOAP RCE probes died down rapidly past 2 weeks. There is still some traffic (wget vizxv.pw/a if you're curious, note that you need actual wget user-agent), but the botnet is relatively small at this point.
3) As for general IoT botnets using telnet, running a simple cowrie honeypot will tell you that C&C method of current largest botnet is not Tor based, but bittorrent DHT based. The codebase appears to be unrelated to mirai, too.
All of the above can be fact checked using pretty simple tools - for TR-069 exploit simply listen with netcat, for telnet/ssh bruteforce use cowrie. Botnet size can be gauged accurately by sampling scan probes (mirai codebase sends 160 probes/s).
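The sampling and honeypot checks the comment describes, as an added example that is not the commenter's tooling: estimate the scanning population from probes seen on a sensor block, and pull Mirai-style default-credential logins out of cowrie's JSON log. The probe records and log lines are constructed, the 160 probes/s figure is the one quoted above, and the uniform-target assumption and the credential subset are flagged in the comments.

```python
"""Checks a defender can run on their own sensor data, along the lines the
comment above suggests: estimate the scanning population from sampled probes
and pick out Mirai-style default-credential logins in cowrie output.

Added example, not the commenter's tooling. The probe records and cowrie lines
are constructed; the uniform-target assumption and the credential subset are
flagged in the comments below.
"""
import json
from collections import Counter
from ipaddress import ip_network

# From the comment: a bot built on the Mirai codebase sends about 160 SYN
# probes per second. Assumed here: targets are drawn uniformly from IPv4, so a
# sensor covering N addresses receives 160 * N / 2**32 probes/s from each bot.
# Mirai actually skips some reserved ranges, which makes the true per-address
# rate a little higher, so this estimate errs slightly on the high side.
MIRAI_PROBES_PER_SEC = 160.0
IPV4_ADDRESSES = 2 ** 32
MIRAI_SCAN_PORTS = {23, 2323}


def per_bot_rate(sensor_cidr: str) -> float:
    """Probes per second one bot is expected to deliver into the sensor block."""
    block = ip_network(sensor_cidr, strict=False)
    return MIRAI_PROBES_PER_SEC * block.num_addresses / IPV4_ADDRESSES


def estimate_bots(probes, sensor_cidr: str, window_s: float) -> float:
    """probes: iterable of (src_ip, dst_port) seen on the sensor in window_s seconds."""
    hits = sum(1 for _, dport in probes if dport in MIRAI_SCAN_PORTS)
    return (hits / window_s) / per_bot_rate(sensor_cidr)


def distinct_scanners(probes) -> int:
    """Hard lower bound: sources that hit a Mirai scan port at least once."""
    return len({src for src, dport in probes if dport in MIRAI_SCAN_PORTS})


# A handful of pairs from Mirai's published credential table (the scanner
# carries roughly sixty); a login with any of these from a random source is
# a strong indicator of bot traffic rather than a curious human.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"), ("user", "user"),
}


def default_cred_sources(cowrie_json_lines) -> Counter:
    """Per-source count of login attempts that used a known default credential.

    Input is cowrie's JSON-lines log; only the login events carry credentials,
    other event types are skipped.
    """
    hits = Counter()
    for raw in cowrie_json_lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("eventid") not in ("cowrie.login.failed", "cowrie.login.success"):
            continue
        if (ev.get("username"), ev.get("password")) in MIRAI_DEFAULT_CREDS:
            hits[ev["src_ip"]] += 1
    return hits


# Constructed sample: 1000 telnet probes from 250 sources in one hour on a /24,
# plus one unrelated port-80 hit that must not count.
SAMPLE_PROBES = [("198.51.100.%d" % (i % 250 + 1), 23) for i in range(1000)]
SAMPLE_PROBES.append(("192.0.2.44", 80))

# Constructed cowrie-style lines (same field names cowrie emits).
SAMPLE_COWRIE = """
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "xc3511", "timestamp": "2016-12-05T10:00:01.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "admin", "password": "admin", "timestamp": "2016-12-05T10:00:02.000000Z"}
{"eventid": "cowrie.login.failed", "src_ip": "198.51.100.7", "username": "root", "password": "toor", "timestamp": "2016-12-05T10:00:03.000000Z"}
{"eventid": "cowrie.login.success", "src_ip": "203.0.113.9", "username": "root", "password": "vizxv", "timestamp": "2016-12-05T10:00:04.000000Z"}
{"eventid": "cowrie.session.connect", "src_ip": "192.0.2.44", "timestamp": "2016-12-05T10:00:05.000000Z"}
""".strip().splitlines()

if __name__ == "__main__":
    print("estimated bots:", round(estimate_bots(SAMPLE_PROBES, "192.0.2.0/24", 3600.0)))
    print("distinct scanners (lower bound):", distinct_scanners(SAMPLE_PROBES))
    print("default-credential sources:", dict(default_cred_sources(SAMPLE_COWRIE)))
```

The population estimate is only as good as the assumptions in the comments: a single /24 sees each bot a few times per day, so average over hours and compare against the distinct-source lower bound before quoting a number, and remember that any scanner with a different probe rate (the comment notes the largest telnet botnet it sees is not Mirai code) will be mis-sized by this formula.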
More TOR nodes? (Score:1)
Did not "hijack" Deutsche Telekom routers (Score:2)
Please get at least basic facts right in stories: It crashed these routers, but it did not get in, as the vulnerability exploited was not present. A DoS vulnerability remained unfortunately, and the port the service was running on was globally reachable. Bad, but not nearly as bad as being vulnerable to "hijacking".
An idea for tracking to identify people (Score:2)
Simply requires the cooperation of all ISPs. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.
No matter what kind of encryption is used, you can characterize streams by various types of signature. Second, ISPs could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery. Finally on
Re: (Score:2)
Simply requires the cooperation of all ISPs. Law enforcement and spies have fought tooth and nail to maintain their right to collect "meta data". Nothing is more meta than identifying which two parties are talking to each other.
They sure have. I believe they are seizing and retaining the content as well if only with the excuse that it also contains metadata.
No matter what kind of encryption is used, you can characterize streams by various types of signature.
It is a good thing that nobody would duplicate the signature of an already well known and secure encryption solution which is already used for routine connections.
Second, ISPs could be compelled to implement IP packet tracking at the protocol level to pad something like a serial number to every stream but strip it out before delivery.
This is easy to defeat at a cost in only bandwidth and latency. Completely anonymous communications are possible where every piece of metadata is recorded and the increased cost in bandwidth means that there will be
Re: (Score:2)
That's the dumbest idea I've heard yet for a solution to this. You can't ban something from the internet on an application basis, (and yes, IoT is just another application as far as the internet is concerned) otherwise that sets a precedent for banning practically anything that governments or whoever doesn't like. The MPAA for example would be able to justify banning things like youtube and bittorrent.
Re:Time to outlaw the IoT (Score:5, Insightful)
So when another bone-shatteringly ignorant reporter mentions "botnet of IoT devices", smack him around the head with a large trout until he mentions which devices were actually compromised. Types and brands of devices, devices running a certain kind of OS or firmware, or using a specific iOt platform / board / chip. And if you tell us that the IoT is a stupid idea, please enlighten us and let us know which "things" should be kept off the internet.
Re:Time to outlaw the IoT (Score:4, Insightful)
Why not ban crappy routers?
Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.
Did not work with mail (Score:2)
Re: (Score:2, Insightful)
The various government levels do in fact decide what consumers get. Or would you rather not have standards for manufacturing and operating airplanes, cars, trains, drinking water systems, food safety, etc? That's 3rd world, not America.
Same thing with consumer protection laws, other laws, the courts, etc. Or would you rather your local 3rd-world warlord dictate the law according to their whim?
BTW - the FCC already dictates router specs.
Re: (Score:2)
Why not ban crappy routers?
Because banning stuff is idiotic public policy. If the market decides what consumers get, you end up with America. If the government decides, you end up with North Korea. Unless a product violates specific enumerated criteria like using lead paint, the government should stay out of it. If you let the government control router specs, you are going to have the NSA in your bedroom.
I already have a Nightly Snoring Asshole in my bedroom...
Re: (Score:1)
I think we can specify an enumerated criteria as not persistently sending out harmful/malicious traffic to the public internet. I don't care if YOUR network gets hacked, but when your network attacks my network, it's my problem. At that point, I think you can justify some intervention (not necessarily government, maybe ISP, but something). If a PBX (private telephone exchange) got hacked and started making hundreds of calls to 911, you can bet people w
Re: (Score:2)
That includes making sure ISPs block traffic attempting to leave their network that claims to be from outside their network.
How would that work? Most of the big ISPs are transit providers, they can't block that traffic at the border. I suppose they could block it at the home portion of the network, but that would cause them to have to process rules on massive amounts of traffic, making the routers 10x the price, over the entire network.
Re: (Score:2)
The other day I got a notification from the domain registrar that also hosts email for my domain: "Account X on your domain has been used to send loads of spam through our SMTP server, so we are suspending your access to that server until you resolve the problem". Bad news, but good that they actually monitor this server and notify
Re: (Score:2)
If the product is known to have more holes than a slice of swiss cheese, why not an outright ban? Once manufacturers learn the hard way that customers are going to avoid their crappier products and demand refunds, they'll either get out of the business or fix the problems in future products. Either way, problem solved.
That's supposed to be how the invisible hand of the market is supposed to work.
Re: (Score:1)
let us know which "things" should be kept off the internet.
To prevent Mirai, things with default passwords. Any (accessible) Linux device with a common user/password will be infected within minutes of being connected to the Internet.
Re: (Score:2)
You didn't even read the blurb, did you? 900,000 routers. Should we ban routers now?
Absolutely yes. Any router that is easily p0wned should be banned. How could you be against that?
Re: (Score:2)
It's "pwned," you idiot! You sound like a damn fool when you say it wrong.
Re: (Score:2)
It's "pwned," you idiot! You sound like a damn fool when you say it wrong.
Guess the GP didn't drink his Pwn Tang this morning.
Re: (Score:2)
Sorry. Should have been her, not his. Didn't catch the error in time.
Re: (Score:2)
Even better? How about Pwn Tang provided in their own tea bags? The ultimate gamer geek victory drink. :D
(And yes, I am aware I am totally murdering the rules of sentence structure and punctuation this morning. But as we say in the Duchy of Don't Give a Shit though; at least when we are posting first thing in our waking day while still working on that first cup of coffee, "Frankly my dears, I don't give a shit.") ;)
Re: (Score:2)
"Any router that is easily p0wned should be banned."
This isn't necessarily known until the vulnerability is found, are routers to be banned on the basis of whether they have the latest firmware update? If you ban a router that doesn't have the latest firmware update then it's potentially much harder to then download the firmware update.
What would an ISP do, disconnect all of its customers the moment a vulnerability is found in their routers? Doesn't seem like a good idea to me.
If the vulnerability is in a
Re:Time to outlaw the IoT (Score:4, Insightful)
The "Internet of Things" was a stupid idea, so why not just ban it once and for all?
Overall, I think the idea is sound, although the lighting example you gave is a silly consequence of marketing gone awry.
A good example of IoT would be if your household appliances worked in concert with the Electric Company so power generation could match expected usage and the consumer could operate their devices when power was cheapest.
Unfortunately, the implementation of these devices so far has been horribly botched. Anything network-facing should be build with security in mind first, and functionality to follow. That's not what happens. Marketing sells features, not bugs, so what gets implemented is the bare minimum functionality that was sold, and security be damned.
Re: (Score:3)
We already have time-of-day electrical pricing to shift demand, without needing any IoT crap, and it works just fine.
Er no. No it doesn't. It barely works. Fine is not a metric anyone in the energy providing industry would use right now.
Re: (Score:2)
Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here. A reduced rate all summer and whenever the outside temperature is above -12C, and a (much) higher rate when the outside temperature goes below -12C. People shift doing their laundry (hot water, electric dryer) to take advantage of off-peak rates. After all, who wants to pay double or more when they can delay it until the daytime when it gets warm enough for the rate to go down?
By the same tok
Re: (Score:2)
Well, maybe you don't have electrical meters that allow for it, and offer it as a customer option, like we do here.
Oh no we most definitely do. Variable pricing, peak / off peak times, on / off peak circuits. We got all that. It is barely working. The change it has made on the broad industry has been minute at best because it is behavioural and ultimately still manual. People don't dedicate a lot of time for minimal savings and cry for regulation when the expenses become too high. A true smart grid can offer so much more which is primarily why it is industry driven as a solution to the very real problems they are facing
off-peak-only hot water heaters (Score:1)
Decades ago some cities had houses with 2 electric meters.
One fed the hot water heater (the kind with a tank) but the power company would turn off the electricity for, say, 15 minutes at a time on a "rolling" basis during peak usage. In exchange, the "hot water heater" electricity rate was lower than the regular rate.
Since hot water stays hot for a long time, you wouldn't notice it unless everyone in your house was taking a long shower at the same time the power was cut.
Oh, and since this was decades ago,
Re: (Score:2)
That's trendy new inner city "internet" jobs in the USA supporting US devices and products.
It's not the fault of the small US start-up teams trying to get their products and rental services online.
To fix the IoT networks just get the vast majority of AV brands to test local networks an
Re: (Score:2)
The "internet of Things" was a stupid idea, so why not just ban it once and for all?
What makes you say that?
Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch.
Oh right. Ignorance made you say that.
The world would be a better place either way.
False. Maybe look at what IoT actually is in the grand scheme of things instead of just assuming it's your internet connected kettle and shitty lights that change colour before you talk about banning something.
Re: (Score:2)
Let's look at one example - remote managing of a tank farm. It's been proven that all you need to do to take the complex over is a device plugged into the local network. Since there's nobody around to see suspicious activity (and don't start with the whole IP TV cameras bs - even if you saw someone doing something, the response time would be a lot longer than someone on site, so inherently not a deterrent.) So, take control of one of the pumps, fill up a tanker, disconnect and drive off. All the remote loca
Re: (Score:2)
So your plan is to pay a homeless person minimum wage to sit and keep an eye on your TV. Sounds much more expensive than just having insurance and buying another TV. Maybe investigate training the dog to call the cops.
Never said that, so don't put words in my mouth. A dog on the premises is cheaper and better, and works for table scraps and dog food. Also, dogs can hear someone before you can, and can tell just by the sound of their walk if it's a friend or not - and growl accordingly as required.
Place I was working at, they had 2 German Shepherds that roamed the premises at night. A former employee broke in to rob the place, they let him get in, no problem. Then they made sure he didn't leave until someone showed up.
Io
Re: (Score:1)
The "internet of Things" was a stupid idea, so why not just ban it once and for all? Or create a separate internet just for people who want such stupidity as turning on their lights without getting off the couch. The world would be a better place either way.
Are you trolling or serious? I'm not sure. Just because you don't see the appeal of something isn't a reason, it is an opinion, and doesn't help much anyway since if you read enough sec news you'd see smart things are a very small portion of that IoT botnet's numbers. IIRC webcams were one of the biggest in the latest analysis. The actual issue is many vendors have no incentive to secure their products. I don't mean they are not properly hardened, I mean they don't do ANYTHING to even try to.
The vendors
Re: (Score:1)
Elsewhere I mentioned other IoT product that are flawed, such as DVR video security systems with remote monitoring (thieves will be gone before the cops get there), remotely-administered fuel pumps (already hacked), and a few other things. IoT is fundamentally flawed.
Don't get me wrong, I totally agree they are flawed, and for all my sarcasm my own opinion is very similar, but that doesn't mean there isn't value in it for others. I personally feel most of those things add more problems than they solve and are net connected for the wrong reason. Just connecting things to the net that don't need to be, and where the wireless is necessary and you need smart versions keep it on the intranet, would work for most of the applications. However my feelings won't ever fix the issue, just li
Re: (Score:2)
You clapped your hands, which is why it was called "The Clapper." :-)
Re: (Score:2)
Indeed. Tor is not the problem here. Anybody running a bot-net can already implement command-insertion in such a way that a command can be sent to any member-node and then gets distributed. That is basically untraceable if cover-traffic is also added. It takes a tiny bit more effort in implementing this though.