2 Million IoT Devices Enslaved By Fast-Growing BotNet

An anonymous reader writes: Since mid-September, a new IoT botnet has grown to massive proportions. Codenamed IoT_reaper, researchers estimate its current size at nearly two million infected devices. According to researchers, the botnet is mainly made up of IP-based security cameras, routers, network-attached storage (NAS) devices, network video recorders (NVRs), and digital video recorders (DVRs), primarily from vendors such as Netgear, D-Link, Linksys, GoAhead, JAWS, Vacron, AVTECH, MicroTik, TP-Link, and Synology.

The botnet reuses some Mirai source code, but it's unique in its own right. Unlike Mirai, which relied on scanning for devices with weak or default passwords, this botnet was put together using exploits for unpatched vulnerabilities. The botnet's author is still struggling to control his botnet, as researchers spotted over two million infected devices sitting in the botnet's C&C servers' queue, waiting to be processed. As of now, the botnet has not been used in live DDoS attacks, but the capability is in there.
Today is the one-year anniversary of the Dyn DDoS attack, the article points out, adding that "This week both the FBI and Europol warned about the dangers of leaving Internet of Things devices exposed online."

Botnet mining

[BeerCat]

Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

Re:

[olsmeister]

How long until manufacturers build in cryptocurrency mining into their stock firmware to use that extra processing power, phoning home periodically to 'recieve updates'?

Re:

[Opportunist]

That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

Re:

[sysrammer]

That's probably the only way the makers of this insecure junk could be assed to up the security, when hackers redirect their mined coins.

Quoted to highlight the benefits of Enlightened Self-Interest.

Re:

[EvilSS]

Using botnets to do DDoS attacks is so passé. It may be satisfying for the perpetrators (Ha ha! Site [my enemy] is down!), but no different from the 1980s "my virus will delete all your files"

With most IoT devices having more processing power than they actually need, I wonder how many have been hijacked to become cryptocurrency mining operations, which will quietly run away, building up, with no-one really keeping an eye on them

These devices are being used as part of a DDOS as a service scheme. The botnet owners act as the wholesaler, and people setup sites to sell time and bandwidth from the botnet provider to individuals. It's a huge problem in the gaming community due to cheap ass gaming companies using P2P matchmaking in multiplayer (vs using dedicated servers). Players will pay a few bucks and knock off their opponents in matches, or target streamers on Twitch, Beam, Youtube Gamine, etc.

Re: Botnet mining

[Monster_user]

P2P is good for smaller games, and unranked matches. Especially when it is friends chillin'.

Dedicated servers are superior for larger games, especially MMOs. As well as ranked games where cheating actually "matters".

Re:

[waTeim]

It seems necessary then to deal with those same handoffs (but even more latency inducing) in some novel way.

Re:

[EvilSS]

As long as you have a decent regional distribution of servers (which most big games could easily do) it evens out network lag between users. P2P will almost always benefit the high-latency users due to how most games handle lag compensation, and it makes it more likely that there will be a large delta in latency to the host between players. I play plenty of games that do both and P2P is always frustrating when dealing with high-ping players.

It's also more open to abuse. It's always fun when a player rage

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Opportunist]

Why exactly should they learn anything?

Did the customer buy it? Check.
Did he return it? Nope.

What exactly is the problem the manufacturer could possible have?

Re: I just hope they learn from past mistakes....

[Monster_user]

The device made it beyond the 15 day return period before being exploited. And who is going to notice this problem before the 1-year warranty runs out that would buy such a device and run it on an unsecured network anyway.

Good

[NicknameUnavailable]

Few things have irritated me as much as the mere concept of IoT. The sooner it dies the less spyware we will have.

Re:

[DontBeAMoran]

I think the worst part of the internet is that any moron can post his opinion online.

I've never used...

[Anonymous Coward]

...the Internet, Hell I don't even know where to find it!

Re:

[Opportunist]

Opinions don't hurt. Opinions are great, I needn't share it, and instead I can point out to some idiot why his opinion is crap.

The worst part is that anyone can hook his insecure, unpatched garbage onto the net and people are no longer connected via dialup with those infrastructural systems that "count" having multiple gigabits of bandwidth available to them, making the impact an idiot with a botnet sheep running 24/7 at his home ("because those torrents take forever, broadband MY ASS!!!!111!1!") insignific

Re:

[DCFusor]

Agreed. I cared enough to do something about it. Created a LAN of things - no internet presence at all, for myself. I only need automation for my place, not some data-monetizer (or worse, rent seeker or just go out of business) inserted into my stream. And then there's security.
.
But first, imagine a world where one of these jerks comes along with "and now you'll pay rent or I'll stop making your home work".
Abandonware is bad enough as is.
Signed code won't mean diddly here. If there's a way to make

Re:

[NicknameUnavailable]

The internet isn't bad, the IoT is bad. The distinction being that the IoT consists of many thousands of distinct devices made mostly by hacks who don't know how to program which all independently try to call home for various purposes (usually spying on your with whatever sensors they have available for marketing and similar purposes) while simultaneously opening backdoors into your network by registering as a client to your firewall while making outbound HTTP requests to get data out and commands in. The

Re: Good

[Monster_user]

The price of progress.

Otherwise, are we going to put a stop to innovation? These IoT things are experiments, up-starts, looking for something we didn't know we needed which will improve productivity and efficiency exponentially. They typically don't have the budgets in their projects to do IoT the right way.

Vulnerabilities in IoT is a big problem, but is it a big enough problem to allocate resources to fix?

Re:

[NicknameUnavailable]

It's not innovation, it's spyware. There's zero reason for a thermostat or fire alarm to recognize hand and voice gestures - that's just the excuse Google gives so they can bundle a camera and microphone into it with an always-on wi-fi connection via the GSM network. But hey, GSM is totally free and not enormously expensive - oh wait, a camera in all your rooms provides data which pays for the bill.

Re: Good

[Monster_user]

Perhaps not the fire alarm. Such critical devices as a fire alarm should be isolated and simple, but effective. An IoT fire alarm is the worst thing ever.

The thermostat is a great asset. I've been considering something like that myself, once I get a central AC unit installed.

Also, its one step closer to the USS Enterprise D and voice activated everything. Which is both cool and scary at the same time. Star Trek TNG: Contagion is a good IoT episode,...

Re:

[Opportunist]

Why exactly would it die?

Manufacturers can sell it and are not legally responsible for their crapware.
People are dumb and buy it, not understanding what's going on.
Damage is done to someone who cannot influence buying/selling of those things.

So what reason would you see for this to cease?

Re: Good

[Monster_user]

Actually, under the circumstances, regarding what the discussion is about, yeah, that is a true statement.

At leadt in the USA.

Re:

[Opportunist]

Could you show a single case where someone managed to tack the damage done onto the culprit, i.e. the idiots making the electronic garbage?

Re: It's not all IoT?

[Monster_user]

No its not all IoT. IoT devices just are less likely to be maintained by the manufacturer.

With a NAS or router, the response has been to blame the user. They should either patch the firmware, or switch to a manufacturer which supports the product after the sale.

With IoT devices, there is little to do but pine for the good old days when nerds wrote their own firmware, and the commoners new nothing of technology. And wait for the IoT zombie botnets to attack a high enough value target so as to get somethi

Re:

[viperidaenz]

krack doesn't "enslave" wifi devices. It allows the encryption to be broken.

I would take a guess and say it hasn't, at all.

Re:

[fisted]

Same here, not affected. All my IoT thingymajingies still work fine, including the house alarm and door locks.

That's wonderful, but on a more important topic...

[DivineKnight]

That's wonderful, but on a more important topic, has Microsoft gotten around to fixing their bootloader for Windows 10 IoT, such that we can (God please) finally boot off of a USB hard drive (read: SSD) on something like the Raspberry Pi 3 (which just needs a quick config change to make happen, and is already supported by many linux distros), or are we still going to be stuck with read speeds that an ATA-100 hard drive (not even ATA-133...) could beat?

Re: That's wonderful, but on a more important topi

[Monster_user]

Tomaeto, Tomahtoe.

Make Raspberry Pi's easy to deploy with Windows 10, and you might just solve your IoT problem. Depending on the W10 implementation. Maybe go with Azure AD?

Re:

[DivineKnight]

Uhh, let's see here...Botnets are as common as grass, and nothing to freak out about. If you've been even glancing at IT trade mags for the past several years, you already know how to deal with the ensuing DDOS attacks. There are even services, mentioned right here on /., that proudly advertise that they won't boot you if you are the target of the DDOS attack, because they know now how to handle them, with ease.

So at best, this is more of a last mile problem: the owners of said devices are likely to have im

Powerrrrrr!!!

[tsa]

These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

Re:

[Opportunist]

Not strange at all, the chips are just cheaper.

I kid you not. You can currently get chips with more features and faster processing speed cheaper than "older" chips with less. Mostly because the price of chips is mostly fixed costs and it costs about the same to make either of them, so making the more powerful one that outdoes or at least is on par with the competition's chip makes sense, else people will buy theirs and not ours.

Re:

[viperidaenz]

Not really.

Re:

[tlhIngan]

These IoT thingies have more power than the PC I had 15 years ago. And many of them do hardly anything with it. That is just... strange.

You can thank smartphones for that, which have driven down the cost of embedded processors significantly.

When I started, a 200MHz StrongARM processor was considered high end, and 400MHz processors were on the way. If you're lucky, they had 32MB of RAM. At the time, the average desktop was 500-800MHz with 128-512MB of RAM. You wouldn't dare run desktop applications on the em

It is time to start fining the culprits

[QuietLagoon]

Anyone who enables an insecure IoT device, and that device is found to be part of a botnet should have to pay a fine.

Re:

[QuietLagoon]

There are many what if's. But instead of sitting there throwing criticisms, what do you think needs to be done to resolve the lack of secuirty of IoT devices?

Re:

[Anonymous Coward]

Sheesh, what an elitist fuckwit.

So come on then brains, tell all of us ignorant consumers how we're supposed to check with 100% certainty that a network enabled device is secure ?
  And what do you define as a 'device' ?
Does that go as far as regular desktop/laptop computers? If not, why do they get a special exemption from being allowed to be part of a botnet ?

Re: It is time to start fining the culprits

[Monster_user]

I pay the device manufacturer, Maytag for instance, to not be ignorant for me. Its called delegation.

Time is money. If I'm buying an IoT device, I'm buying it to reduce the amount of time I'm having to spend micromanaging it.

Re:

[fisted]

The device manufacturers know they get away with it, so at the end of the day, you're still SOL.

Almost like Toy Story

[bobstreo]

The Cloud is My Master.

So does this mean I need a firewall in front of my cable modem?

...and linux Servers

[gravewax]

I noticed the summary conveniently left of the very last item in the list of the article of affected devices "and Linux servers".

Re:

[HiThere]

The "and Linux servers" referred to devices being attacked, not to ones that were part of the bot-net.

I'm going to give you credit for good intentions, at the cost of considering that you lack reading comprehension.

Re:

[HiThere]

I'm sure they are. There wouldn't be much purpose in attacking them if there weren't some way to use them...at least some of them. Some systems aren't patched and kept up to date, and those frequently have known vulnerabilities. But that's not what the article is about.

monetize

[PopeRatzo]

This explains why my thermostat is now mining Bitcoin.

Re:

[Opportunist]

Lucky you. Mine just went to 100F and demands 2 Bitcoins to set it back to normal levels.

Re:

[h33t l4x0r]

That's nothing. Mine's been posting fake news stories to Facebook since last year.

Re:

[fisted]

T_SET 68F T_MEAS 67.5F ALL SYSTEMS NOMINAL PLEASE MOVE ALONG NOTHING TO SEE HERE FELLOW HUMANS

o o o o o o o o o o o o o o o o o o o o o o o o o o o

Rename IOT to IDIOT

[knorthern knight]

Insecurely Designed Internet Of Things