Source code unleashed for junk-blasting Internet of Things botnet

Hackforums leak

By John Leyden

Malicious code used to press-gang IoT connected devices into a botnet was leaked online over the weekend.

The Mirai malware is a DDoS Trojan and targets Linux systems and, in particular, IoT devices. A botnet formed using the malware was used to blast junk traffic at the website of security researcher Brian Krebs last month in one of the largest such attacks ever recorded.

The powerful zombie network that spawned a 620Gbps DDoS was created by relying on factory default or hard-coded usernames and passwords to compromise embedded devices. The availability of the Mirai source code makes it much easier for other hackers to take advantage of insecure routers, IP cameras, digital video recorders and other IoT devices to launch similar attacks.

Security blogger Hacker Fantastic, who has put together an informative early analysis of the malware, summed up the feelings of several security researchers who have looked at the code. “If all it took to create biggest recorded DDoS attack in history was a telnet scanner and 36 weak credentials the net has a huge IoT problem,” he said on Twitter.

Stephen Gates, chief research intelligence analyst at NSFOCUS, argued that the problem of consumer kit with default passwords needs to be resolved sooner rather than later, or else more, and perhaps more widespread, attacks along the same lines will become inevitable.

“Soon we may see DDoS attacks that are capable of taking down major portions of the Internet, as well as causing brownouts, creating intolerable latency, or making the Internet unusable,” Gates argued. “This is all collateral damage caused by a failure of good judgement by using the same factory default passwords on IoT devices in the first place.”

“Why do many IoT devices use default passwords? Simple; when manufacturers build this type of technology they make it as ‘user-friendly’ as possible. Just plug it in and often it works. The real intention of the decision to ship every device with the same username/password is primarily designed to reduce customer support calls; which costs manufacturers money,” he added.

Reiner Kappenberger, global product manager at data security firm HPE Security, argued more guidance for IoT manufacturers was needed.

“The current lack of guidance and regulations for IoT device security is one of the bigger problems in this area and why we see breaches in the IoT space rising,” Kappenberger said. “Companies rush product to market that have been developed by teams that are solely focusing on functionality. They use protocols and tools that have not been thoroughly vetted from a security standpoint as the small amount of storage in those devices poses limitations to the software elements they can use. Companies entering this space need to think about longer term impact of their devices.” ®
