Meet Linux.Mirai Trojan, a DDoS nightmare

https://www.hackread.com/linux-mirai-trojan-a-ddos-nightmare/

46 Comments

  1. Tomi Engdahl says:

    Krebs Warns Source Code Leaked From Massive IoT Botnet Attack
    https://it.slashdot.org/story/16/10/02/2039229/krebs-warns-source-code-leaked-from-massive-iot-botnet-attack

    The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords. Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot…

    Now that the source code has been released online for that 620-Gbps attack, Krebs predicts “there will soon be many Internet users complaining to their ISPs about slow Internet speeds as a result of hacked IoT devices on their network hogging all the bandwidth. On the bright side, if that happens it may help to lessen the number of vulnerable systems.”

    Source Code for IoT Botnet ‘Mirai’ Released
    https://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

    Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

    Sources tell KrebsOnSecurity that Mirai is one of at least two malware families that are currently being used to quickly assemble very large IoT-based DDoS armies. The other dominant strain of IoT malware, dubbed “Bashlight,” functions similarly to Mirai in that it also infects systems via default usernames and passwords on IoT devices.

    According to research from security firm Level3 Communications, the Bashlight botnet currently is responsible for enslaving nearly a million IoT devices and is in direct competition with botnets based on Mirai.

    “Both [are] going after the same IoT device exposure and, in a lot of cases, the same devices,” said Dale Drew, Level3’s chief security officer.

    Infected systems can be cleaned up by simply rebooting them — thus wiping the malicious code from memory. But experts say there is so much constant scanning going on for vulnerable systems that vulnerable IoT devices can be re-infected within minutes of a reboot. Only changing the default password protects them from rapidly being reinfected on reboot.

    Reply
  2. Tomi Engdahl says:

    Brian Krebs / Krebs on Security:
    Source code behind IoT device botnet Mirai, responsible for DDoS of KrebsOnSecurity, publicly released by Hackforums user — The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) …

    Source Code for IoT Botnet ‘Mirai’ Released
    http://krebsonsecurity.com/2016/10/source-code-for-iot-botnet-mirai-released/

    The source code that powers the “Internet of Things” (IoT) botnet responsible for launching the historically large distributed denial-of-service (DDoS) attack against KrebsOnSecurity last month has been publicly released, virtually guaranteeing that the Internet will soon be flooded with attacks from many new botnets powered by insecure routers, IP cameras, digital video recorders and other easily hackable devices.

    The leak of the source code was announced Friday on the English-language hacking community Hackforums. The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default or hard-coded usernames and passwords.

    Vulnerable devices are then seeded with malicious software that turns them into “bots,” forcing them to report to a central control server that can be used as a staging ground for launching powerful DDoS attacks designed to knock Web sites offline.

    Reply
  3. Tomi Engdahl says:

    Mirai Botnets Used for DDoS Attacks on Dyn
    http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn

    Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.

    The first attack started on Friday at 7 am ET and it took the DNS provider roughly two hours to mitigate it. During this time, users directed to the company’s DNS servers on the east coast of the U.S. were unable to access several major websites, including Twitter, Reddit, GitHub, Etsy, Netflix, PagerDuty, Airbnb, Spotify, Intercom and Heroku.

    A few hours later, a second, more global attack led to some users having difficulties in accessing the websites of Dyn customers. This second attack was mitigated within an hour. A third attack attempt was also detected, but it was mitigated before impacting users.

    Dyn Chief Strategy Officer Kyle York pointed out in a blog post that the company “did not experience a system-wide outage at any time.”

    Akamai and Flashpoint have confirmed that the attacks leveraged Mirai botnets and Dyn said it had observed tens of millions of IPs involved in the incident.

    Dyn Statement on 10/21/2016 DDoS Attack
    http://dyn.com/blog/dyn-statement-on-10212016-ddos-attack/

    It’s likely that at this point you’ve seen some of the many news accounts of the Distributed Denial of Service (DDoS) attack Dyn sustained against our Managed DNS infrastructure this past Friday, October 21. We’d like to take this opportunity to share additional details and context regarding the attack. At the time of this writing, we are carefully monitoring for any additional attacks. Please note that our investigation regarding root cause continues and will be the topic of future updates. It is worth noting that we are unlikely to share all details of the attack and our mitigation efforts to preserve future defenses.

    I also don’t want to get too far into this post without:

    1. Acknowledging the tremendous efforts of Dyn’s operations and support teams in doing battle with what’s likely to be seen as an historic attack.
    2. Acknowledging the tremendous support of Dyn’s customers, many of whom reached out to support our mitigation efforts even as they were impacted. Service to our customers is always our number one priority, and we appreciate their understanding as that commitment means Dyn is often the first responder of the internet.
    3. Thanking our partners in the technology community, from the operations teams of the world’s top internet companies, to law enforcement and the standards community, to our competition and vendors, we’re humbled and grateful for the outpouring of support.

    Starting at approximately 7:00 am ET, Dyn began experiencing a DDoS attack. While it’s not uncommon for Dyn’s Network Operations Center (NOC) team to mitigate DDoS attacks, it quickly became clear that this attack was different (more on that later). Approximately two hours later, the NOC team was able to mitigate the attack and restore service to customers. Unfortunately, during that time, internet users directed to Dyn servers on the East Coast of the US were unable to reach some of our customers’ sites, including some of the marquee brands of the internet

    After restoring service, Dyn experienced a second wave of attacks just before noon ET. This second wave was more global in nature (i.e. not limited to our East Coast POPs), but was mitigated in just over an hour; service was restored at approximately 1:00 pm ET.

    News reports of a third attack wave were verified by Dyn based on our information. While there was a third attack attempted, we were able to successfully mitigate it without customer impact.

    Reply
  4. Tomi Engdahl says:

    Twitter Account Shows Mirai Botnets Using Your Security Camera In Cyber Turf War
    http://motherboard.vice.com/read/twitter-account-shows-mirai-botnets-using-your-smart-fridge-in-cyber-turf-war

    In the wake of a major cyber attack that blocked access to popular websites along the East Coast on Friday, security researchers have created a Twitter account that posts live updates of ongoing distributed denial-of-service (DDoS) attacks being launched by massive armies of smart devices compromised by malware known as Mirai.

    The account, called Mirai Attacks, includes updates showing the IP addresses being targeted by the zombie botnets bearing the malware’s digital signature, which currently include over half a million infected Internet of Things devices like security cameras and smart TVs.

    https://twitter.com/MiraiAttacks

    Reply
  5. Tomi Engdahl says:

    Chinese Manufacturer Recalls IOT Gear Following Dyn DDoS
    https://threatpost.com/chinese-manufacturer-recalls-iot-gear-following-dyn-ddos/121496/

    Hangzhou Xiongmai said that it will recall millions of cameras sold in the U.S. in response to Friday’s DDoS attack against DNS provider Dyn that kept a number of web-based services such as Twitter, Github and others offline for much of the day. The Chinese manufacturer sells OEM white-label circuit boards and software for cameras, along with DVRs and network video recorders. Many of these types of IoT devices were compromised by the Mirai malware, which exploits default credentials in the equipment and corrals them into botnets used and sold for DDoS attacks.

    The company said in its statement—translated via Google—that it would recall devices sold earlier and still in use, mainly one million cards used in network cameras, one million cloud network cameras, one million panoramic network cameras and 1.3 million network cameras. It believes only devices sold before April 2015 that have not been updated, are only protected by default credentials and are exposed to the public Internet are vulnerable. “(If) any of the above conditions are not met, Mai Xiong equipment cannot be attacked or manipulated so this attack had little impact on the actual use of male Mai device,” the company said in its statement.

    Level 3 Communications, a Colorado-based telecommunications company and ISP said the bulk of the traffic used in the DDoS attack was UDP/53 and TCP/53 with the TCP traffic consisting of TCP DNS SYN attacks, while the UDP traffic was subdomain, or prefix label attacks.

    Mirai could be a long-term menace. The source code for the malware, which was responsible for other massive DDoS attacks against Krebs on Security and French webhost OVH

    As of Friday, Level 3 said there were up to 550,000 Mirai nodes in the botnet and about 10 percent were involved in the Dyn attack.

    See more at: Chinese Manufacturer Recalls IOT Gear Following Dyn DDoS https://wp.me/p3AjUX-vBC

    Reply
  6. Tomi Engdahl says:

    Krebs has compiled a list of devices he says are responsible for the attack.

    Who Makes the IoT Things Under Attack?
    https://krebsonsecurity.com/2016/10/who-makes-the-iot-things-under-attack/

    The malware, dubbed “Mirai,” spreads to vulnerable devices by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords. Many readers have asked for more information about which devices and hardware makers were being targeted. As it happens, this is fairly easy to tell just from looking at the list of usernames and passwords included in the Mirai source code.

    Reply
  7. Tomi Engdahl says:

    Mirai Botnet Linked to Dyn DNS DDoS Attacks
    https://www.flashpoint-intel.com/mirai-botnet-linked-dyn-dns-ddos-attacks/

    Key Takeaways

    Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware.
    Mirai botnets were previously used in DDoS attacks against the “Krebs On Security” blog and OVH.
    As of 1730 EST, the attacks against Dyn DNS are still ongoing. Flashpoint is coordinating with multiple vendors and law enforcement to track the infected devices that constitute the botnet being used to conduct these attacks.
    Flashpoint will continue to monitor the situation to ensure that clients are provided with timely threat intelligence data.

    Flashpoint has confirmed that some of the infrastructure responsible for the distributed denial-of-service (DDoS) attacks against Dyn DNS were botnets compromised by Mirai malware. Mirai botnets were previously used in DDoS attacks against security researcher Brian Krebs’ blog “Krebs On Security” and French internet service and hosting provider OVH.

    Reply
  8. Tomi Engdahl says:

    Ask HN: How did Dyn fail to fend off DDOS?
    https://news.ycombinator.com/item?id=12769196

    I would like to remind those that think all is lost with this:

    A serious conversation with vendors about default passwords and backdoors post this incident will help prevent recurrence. This has forced this talk and we are better for it.

    There was a time when your windows box would get popped from being online for more than 4 minutes. We recovered from this. Conficker in 2008. Blaster in 2003. It was a ‘BIG BOTNETS OH NO’, but we cleaned up, recovered, hardened. Microsoft went from being botnet enabler to an active force in dismantling bots and crime rings. It sucks, and some of us have a bad day, but we recover ever stronger.

    XiongMai Technologies may well find themselves in some international hot water over this incident, and I think they deserve it. They sold a faulty product that caused billions of dollars in lost revenue to some very large internet properties for a day in October 2016. I would encourage vendors look at these incidents from last decade and how these were turning points for upping their security game. I would encourage its victims to investigate legal recourse.

    Specifically the current vulnerable nodes of Mirai, i am sure these will be removed from the internet pretty soon. One only gets to fire something like this a few times before the feds are on the door.

    Your regularly scheduled program will commence shortly.

    > US consumer law allows suing everybody in the supply chain

    IIRC, US consumer law requires the consumer to be the victim. (IAAL/NY, but not practicing) This restriction is called privity – the exceptions to privity are narrow, and no exception comes to mind here.

    In this case the primary victims, the online services, are third parties, with any consumer recourse blocked by privity.

    These third parties arguably have a couple options, though. The first and perhaps most theoretically interesting is the “class defence”, the procedural complement of a “class action”, where a few people (the third party online services) can sue multitudes (owner-operators responsible for malicious devices on the Internet) in a single process. Were such a case brought forward, these consumers could sue the manufacturers for indemnity. While as a litigator this makes the most theoretical sense, and this procedure exists in at least one jurisdiction I know of, I have never seen it tested.

    Arguably a better option would be for the third parties to sue the manufacturers for negligence, based on the obligation that the manufacturers have to the public.

    Any litigation is fraught with uncertainty though, not least of which is having a member of the judicial bench who is capable of properly evaluating the facts (which is not to say they are not out there, but they remain rare).

    Like most externalized costs, the recourses of affected individuals are slim and ineffective.

    > If Homeland Security tells the Consumer Product Safety Commission this is a national safety issue, the CPSC can order a recall

    Proper regulation is a better choice, IMHO, though I don’t know what the best process might be.

    gorbachev 3 days ago [-]

    That’s a game of whack a mole, and even if you whack them down, the devices are already out there and are going to stay online for years.

    The only thing that will make a dent at the problem quickly, is wholesale filtering of all Internet traffic by all network providers originating from the IP addresses identified for being part of these botnets.

    ryanlol 3 days ago [-]

    >The unfortunate truth is that with the Internet of Things the amount of devices that can easily be taken over has grown so fast that we see DDoS attacks of unprecedented size.

    Not quite, the “IoT” botnets are particularly small in the great scheme of things. Google “conficker” for example.

    Edit: Interesting how this is getting downvoted so much. Conficker had up to 15 million nodes, far bigger than any “IoT” net (when did home routers become IoT anyway?). It’s far easier to build such huge windows nets because you get millions of insecure computers with relatively standard hardware and software, not so much with “IoT”.

    In the past decently sized botnets simply weren’t used to send DDoS attacks as much, that’s all that’s changed.

    Silhouette 3 days ago [-]

    The real question here is whether there was anything they could realistically have done to prevent it at all.

    In order to defend against a DDoS attack, you really only have two options. One is to have sufficient capacity to cope with the extra load without undermining your normal service. The other is to reduce the amount of extra load you have to handle, by identifying and blocking the hostile traffic at some point before your main system deals with it fully.

    In this case, the scale of the attack was huge thanks to all the woefully insecure IoT devices out there. But worse, from the initial reports it appears that the requests being sent were effectively indistinguishable from valid DNS requests: they came from diverse sources, and asked DynDNS to do exactly what it’s normally supposed to do, just for random subdomains that don’t actually exist. Unless there is some pattern in those requests that allows for identification of the hostile incoming traffic so it can be dropped early, there’s probably very little DynDNS could have done here. And of course the attack is particularly effective because by taking out infrastructure rather than attacking a specific site, it brings down large numbers of high profile sites all at once.

    It is disturbing, but apparently the reality we face, that there are now so many hopelessly insecure devices on the public Internet that this is possible. The best long term strategy for dealing with it seems to be trying to improve the standards of Internet-connected devices and reduce the number of highly vulnerable devices with access to the Internet, but this was always going to be difficult with IoT products aimed at the general public. I suspect some sort of remediation/recall scheme for manufacturers/vendors and some sort of throttling of users’ Internet connections to force them to respond to security recall/update notices may be necessary if this kind of attack starts to become a pattern.

    beachstartup 3 days ago [-]

    i think there is a larger strategy at play. this is pure speculation and anecdote.

    recently there has been an aggressive uptick of dns ddos attacks against smaller companies/service providers that run their own dns infrastructure. this includes small/regional internet service providers and individual sites/hosts that still run their own servers.

    in almost all of these cases that i’m aware of, the smaller companies immediately outsourced their dns services to a larger company, one that ostensibly is able to either absorb, scrub, or otherwise defend against these types of attacks.

    extrapolating to a global scale, what’s happening is a forced consolidation of dns infrastructure into a handful of large players. even in the case of having redundant providers, it’s usually two very large providers. and as we just saw today, a terabit-level attack is not something we can readily defend against. what if there’s even more in reserve?

    in other words, we’re putting all of our eggs into one basket. and someone is aggregating enough attack capacity to take out nearly the entire internet at once. it doesn’t help that everyone is voluntarily consolidating their infrastructure onto a small handful of public cloud providers.

    we are setting ourselves up for a massive internet outage.

    inetsee 3 days ago [-]

    Hackers have started to use insecure Internet of Things devices, especially internet connected video cameras, to produce DDoS attacks larger than have ever been seen before. The KrebsonSecurity website was hit by a DDoS that was twice as large as the previous largest attack seen by Akemai, and there have been larger attacks since.

    The problem will continue, and may get even worse, since many of the insecure internet attached video cameras are insecure because of passwords hard-coded into the devices; they can’t be easily made more secure.

    meira 3 days ago [-]

    Probably they got beaten because of orders of magnitude. They were prepared, but not for cyber nuclear war.

    Reply
  9. Tomi Engdahl says:

    Mirai Botnets Used for DDoS Attacks on Dyn
    http://www.securityweek.com/mirai-botnets-used-ddos-attacks-dyn

    Experts determined that the distributed denial-of-service (DDoS) attacks launched last week against Dyn’s DNS infrastructure were powered by Internet of Things (IoT) devices infected with the malware known as Mirai.

    Reply
  10. Tomi Engdahl says:

    How many Internet of S**t devices knocked out Dyn? Fewer than you may expect
    DNS really needs to be fixed if it can be taken out by 100,000 home devices
    http://www.theregister.co.uk/2016/10/27/how_many_internet_of_st_devices_knocked_out_dyn_fewer_than_you_expect/

    With more time to analyse its logs, DNS provider Dyn reckons about 100,000 Mirai-infected home web-connected gadgets knocked it out last Friday.

    In its latest analysis, product executive veep Scott Hilton writes: “We are still working on analyzing the data but the estimate at the time of this report is up to 100,000 malicious endpoints. We are able to confirm that a significant volume of attack traffic originated from Mirai-based botnets.”

    Dyn earlier said gizmos hiding behind “tens of millions” of IP addresses were responsible, although stressed the actual number of hijacked webcams, routers and other gear that overwhelmed its servers would be much less. Now we know it’s about 100 large, leaving us wondering: “How did the attack succeed?”

    One reason, Hilton says, is that DNS itself can tend to amplify requests from legitimate sources: “For example, the impact of the attack generated a storm of legitimate retry activity as recursive servers attempted to refresh their caches, creating 10-20X normal traffic volume across a large number of IP addresses. When DNS traffic congestion occurs, legitimate retries can further contribute to traffic volume.”

    That “relay storm” provided “a false indicator of a significantly larger set of endpoints than we now know it to be”, Hilton explained.

    The same effect led to early third-party reports of the scale of the attack traffic: “There have been some reports of a magnitude in the 1.2Tbps range; at this time we are unable to verify that claim.”

    Reply
  11. Tomi Engdahl says:

    Killing Mirai: Active defense against an IoT botnet (Part 1)
    https://www.invincealabs.com/blog/2016/10/killing-mirai/

    In recent weeks the world has witnessed the concept of an IoT botnet turn from theory to reality, with devastating consequences. While the ISPs, DDoS mitigation services, and others scramble to figure out how to augment traditional defenses to handle this new threat, we decided to investigate a less conventional approach. Attackers often rely on exploiting vulnerabilities in software we own to install their tools on our systems. When these tools reside on an IoT device things become even more complicated, because the attacker may now have more access to device than we do. So why not use their own strategy against them?

    This is the first in a series of posts that will uncover vulnerabilities in the Mirai botnet, and show how exploiting these vulnerabilities can be used to stop attacks. Note, we are not advocating counterattack, but merely showing the possibility of using an active defense strategy to combat a new form of an old threat.

    It’s all about Location, Location, Location
    Perhaps the most significant finding is a stack buffer overflow vulnerability in the HTTP flood attack code. When exploited it will cause a segmentation fault (i.e. SIGSEV) to occur, crash the process, and therefore terminate the attack from that bot.

    PoC
    To verify that the vulnerability is indeed exploitable we setup 3 virtual machines to run the Mirai command and control server, a debug instance of the Mirai bot, and a victim. All virtual machines are 32-bit instances of Ubuntu 16.04.

    Conclusion
    This simple “exploit” is an example of active defense against an IoT botnet that could be used by any DDoS mitigation service to defend against a Mirai-based HTTP flood attack in real-time. While it can’t be used to remove the bot from the IoT device, it can be used to halt the attack originating from that particular device. Unfortunately, it’s specific to the HTTP flood attack, so it would not help mitigate the recent DNS-based DDoS attack that rendered many websites inaccessible. In subsequent posts we’ll exam vulnerabilities in other attack code that may be useful in developing mitigations for other types of attacks.

    Reply
  12. Tomi Engdahl says:

    Security Becomes A Multi-System Issue
    http://semiengineering.com/security-becomes-a-multi-system-issue/

    Design teams will have to bake strategies in from the start, no matter how insignificant the device.

    The fallout from the Mirai malware attack last week was surprising, given that it was published on the Internet several months ago as open-source. Despite numerous warnings, it still managed to cause denial of service attacks at Amazon, Netflix, and a slew of other companies that are supposed to be able to fend off these kinds of attacks.

    The good news is that it more people talking about the issue. But the real challenge isn’t stopping one attack. It’s packing enough security features into designs to prevent security breaches of every sort, including those that can come from other electronics that weren’t even considered as part of the design process.

    Just as devices get more sophisticated, so do hackers. Being able to stop attacks with a thumbprint or a password isn’t realistic anymore. It now requires a rethinking of the fundamental architecture for any connected device, which is basically everything with a power supply these days. The good and bad of a connected world is that everything and everyone is connected. And the best way to deal with that effectively is at the system design level.

    The reality is that security breaches can cause the same kinds of physical harm as a faulty wiring scheme, even with devices that in themselves are benign. Those risks increase significantly when they are connected together into systems of systems that are also connected to safety-critical systems. It’s time to look at this at a multi-system, multi-disciplinary level and to tackle it with the same kind of innovation that made complex semiconductor design a reality. Otherwise, we literally could be playing with fire.

    Reply
  13. Tomi Engdahl says:

    What’s the Fix for IoT DDoS Attacks?
    http://www.securityweek.com/whats-fix-iot-ddos-attacks

    DynDNS (or just Dyn now) got blasted with #DDoS twice last Friday. Since Dyn is the major DNS provider for Twitter, Github, and Spotify, the knock-on effects have had a global reach.

    But seriously, Dyn is a big provider, and their being offline has real impact. PagerDuty is one of the affected sites, and many people rely on alerts from their service. No one knows many details about the Dyn attacks yet.

    No one has claimed responsibility, and Dyn has been somewhat quiet about the attack vectors, but has said that possibly 100,000 hijacked connected devices could have been used in the attack.

    The attacks could be fallout from the Mirai IoT Botnet assault against Brian Krebs earlier this month. As Krebs himself notes, the attacks started within hours of a DynDNS researcher, Doug Madory, presenting a talk (video link here) at NANOG about DDoS attacks. Also, according to Krebs, the 620GB Mirai attack against krebsonsecurity.com came just hours after he and Madory released an article looking into some of the shady dealings in the DDoS-for-hire industry.

    Of course everyone is wondering if the IoT botnet, Mirai, is playing a part in the Dyn attack. Even if it is, the attacker could be anyone, as the Mirai source code and helpful readme post were released to the world a week ago, and are still available on Github (if you can get there right now).

    Nastier HTTP GET Floods

    HTTP GET floods were already pernicious. For years, attackers have been able to disable web sites by sending a flood of HTTP requests for large objects or slow database queries. Typically, these requests flow right through a standard firewall because hey, they look just like normal HTTP requests to most devices with hardware packet processing. The Mirai attack code takes it a step further by fingerprinting cloud-based DDoS scrubbers and then working around some of their HTTP DDoS mitigation techniques (such as redirection).

    DNS Water Torture

    The Mirai bot includes a “water torture” attack against a target DNS server. This technique is different from the regular DNS reflection and amplification attacks as it requires significantly less queries to be sent by the bot, letting the ISP’s recursive DNS server perform the attack on the target’s authoritative DNS server. In this attack, the bot sends a well-formed DNS query containing the target domain name to resolve, while appending a randomly generated prefix to the name. The attack is effective when the target DNS server becomes overloaded and fails to respond. The ISP’s DNS servers then automatically retransmit the query to try another authoritative DNS server of the target organization, thus attacking those servers on behalf of the bot.

    Tunneled Attacks

    GRE (Generic Routing Encapsulation) is a tunneling protocol that can encapsulate a wide variety of network-layer protocols inside virtual point-to-point links over an IP network. Ironically, GRE tunnels are often used by DDoS scrubbing providers as part of the mitigation architecture to return clean traffic directly to the protected target.

    The Mirai botnet code includes GRE attacks with and without Ethernet encapsulation.

    Updated Layer 4 Attacks

    According to Mirai’s creator, the so-called “TCP STOMP” attack is a variation of the simple ACK flood intended to bypass mitigation devices.

    So, Doc, is there a fix?

    At a SecureLink conference last week in Brussels, Mikko Hypponen, Chief Risk Officer of F-Secure, was asked how the IoT botnet should be stopped. His answer was, while he himself is not a huge fan of more regulation, regulation will likely be the fix for IoT security. He pointed out that consumer devices are already regulated for safety and efficiency. No one wants their refrigerator exploding on them (or their smartphone, ahem). If only Internet security could be regulated like other manufacturing processes, we could solve this problem.

    Best Practices for DNS?

    One of the reasons DDoS attacks keep evolving is that defenders keep evolving as well. You can bet that by next week, companies will be doing a better job with DNS redundancy.

    NANOG 68 BackConnects Suspicious BGP Hijacks
    https://www.youtube.com/watch?v=LFJzu0AFDpU

    Reply
  14. Tomi Engdahl says:

    DDoS-Capable IRCTelnet IoT Botnet Emerges
    http://www.securityweek.com/ddos-capable-irctelnet-iot-botnet-emerges

    A new malware family targeting Internet of Things (IoT) devices to ensnare them into distributed denial of service (DDoS) botnets has emerged.

    Dubbed Linux/IRCTelnet (New Aidra), the new botnet is built on the core code of Aidra, a previously known IoT malware family designed to launch DDoS attacks. What’s more, the threat shows some similarities with Tsunami/Kaiten (uses the same IRC protocol), with BASHLITE (IRCTelnet uses the same telnet scanner and infection’s injection code as this malware), and with Mirai (uses its leaked credential list).

    Targeting routers and modems, the newly spotted malware features encoded command and control (C&C) information, as well as hardcoded Italian language messages in the communication interface, a security researcher going by the name of unixfreaxjp explains. The new botnet can launch DDoS attacks using UDP floods and TCP floods, along with other techniques, and uses both IPv4 and IPv6 protocols.

    The security researcher notes that the new piece of malware was observed infecting almost 3,500 hosts within only 5 days after it has been first detected. The malware uses telnet scans and brute force attacks for infection and the first infection campaign was observed on October 25.

    Reply
  15. Tomi Engdahl says:

    jgamblin/Mirai-Source-Code
    https://github.com/jgamblin/Mirai-Source-Code

    Leaked Linux.Mirai Source Code for Research/IoT Development Purposes
    Uploaded for research purposes and so we can develop IoT and such.

    Reply
  16. Tomi Engdahl says:

    “Shadows Kill” — Mirai DDoS botnet testing large scale attacks, sending threatening messages about UK and attacking researchers
    https://medium.com/@networksecurity/shadows-kill-mirai-ddos-botnet-testing-large-scale-attacks-sending-threatening-messages-about-6a61553d1c7#.qopytu6hz

    Mirai, a Denial of Service toolkit, is made up of lots of actors across botnets. The source code is open source, meaning anybody can download it and join the club.

    After the historic DDoS attack which downed Dyn, in turn impacting DNS services to a very large number of websites, MalwareTech.com setup monitoring of Mirai botnets — introducing honeypots to monitor attack traffic.

    Many of the botnets are simply attacking Minecraft servers and doing technically terrible attacks on websites, e.g. a Farming Simulator game mod site.

    We have seen a botnet called #14 attack significantly bigger targets. With monitoring it is clear they are extremely successful at attacking things. So far, these tests appear to be a test nature.

    Transit providers confirm over 500gbit/sec of traffic is output during attacks. Attacks last a short period. It is the largest of the Mirai botnets and the domain controlling it pre-dates the attacks on Dyn.

    Liberia

    Over the past week we’ve seen continued short duration attacks on infrastructure in the nation of Liberia. Liberia has one internet cable, installed in 2011, which provides a single point of failure for internet access.

    Shadows Kill botnet

    Last night, while tweeting about the attacks, the botnet started sending messages

    As of 1PM today UK time, the botnet continues to intermittently attack Liberia telecom providers who co-own the submarine cable.

    Reply
  17. Tomi Engdahl says:

    DDoS attack from Mirai malware ‘killing business’ in Liberia
    The DDoS attacks come from the same malware responsible for last month’s disruptions in the US
    http://www.pcworld.com/article/3138631/security/ddos-attack-from-mirai-malware-killing-business-in-liberia.html

    The malware behind last month’s massive internet disruption in the U.S. is targeting Liberia with financially devastating results.

    This week, a botnet powered by the Mirai malware has been launching distributed denial-of-service (DDoS) attacks on IP addresses in the African country, according to security researchers.

    These attacks are the same kind that briefly disrupted internet access across the U.S. almost two weeks ago. They work by flooding internet connections with too much traffic, effectively forcing the services offline.

    On Thursday, an employee with one Liberian mobile service provider said the attacks were taking a toll.

    “The DDoS is killing our business,” he said over the phone. “We have a challenge with the DDoS. We are hoping someone can stop it.”

    Reply
  18. Tomi Engdahl says:

    ‘Bustling’ web attack market closed down
    http://www.bbc.com/news/technology-37859674

    A “bustling” marketplace that offered tools and services to mount massive web attacks has been shut by its owners.

    The marketplace, on the Hack Forums website, was notorious for making it easy it launch attacks that knocked servers offline.

    The section was “permanently shut down” because several attacks known to be co-ordinated via the forum caused web-wide disruption.

    One regular victim of attacks arranged via Hack Forums welcomed the closure.

    “Unfortunately once again the few ruin it for the many,” wrote Jesse LaBrocca, founder of Hack Forums, in a message explaining why the section was being closed.

    Mr LaBrocca hinted that the whole site could be shuttered if the web attack section was not closed, adding a reference to “recent events” that had prompted the decision.

    An attack tool called Mirai is known to have launched the tidal waves of data that made sites hard to reach.

    Source code for this tool was shared on Hack Forums shortly before the attacks took place.

    Mirai helped malicious hackers launch what are known as distributed denial of service (DDoS) attacks by hijacking insecure webcams and digital video recorders and using them to send endless data requests to targets.

    As well as the big attacks, the Hack Forums marketplace also gave people access to so-called “booter” and “stresser” services.

    Reply
  19. Tomi Engdahl says:

    Was IoT DDoS attack just a dry run for election day hijinks?
    Internet of things influencing important things
    http://www.theregister.co.uk/2016/11/08/was_iot_ddos_attack_just_a_dry_run_for_election_day/

    Comment The distributed denial of service attack that took down DNS provider Dyn, and with it access to a chunk of the internet, was one of the largest such assaults seen.

    The attack exploited Internet of Things devices – notably webcams built by XiongMai Technologies. The gadgets had default login passwords that allowed them to be infected with the Mirai botnet malware, which commandeered the gizmos to overwhelm Dyn’s servers.

    The attack was claimed by New World Hackers, previously believed to have brought down sites run by the BBC, Donald Trump and NASA as well as Islamic State controlled websites and Twitter accounts. But the US Department of Homeland Security said it was not clear who was responsible but that investigations were continuing.

    But even though this is one of the largest attacks seen to date, it has also raised fears that there is worse to come. The Mirai malware source code is now freely available for anyone to use to create massive botnets of vulnerable devices.

    Most non-PC devices such routers, modems, cellular modems, digital video recorders and IoT sensors are almost perfect weapons for attackers – they don’t typically run antivirus software; they don’t get updated regularly or can’t be updated; and they are often left switched on 24-hours a day.

    Even if IoT devices are deployed with security in mind, checking the hundreds or even thousands of individual devices used in a factory or office environment control system is a daunting task.

    DDoS specialist Corero claims it has found a new DDoS vector which has an amplification factor of up to 55x. The company has only seen short duration attacks against a handful of its customers exploiting LDAP – the Lightweight Directory Access Protocol. One recent attack reach 70Gbps in volume, we’re told.

    Easily infected IoT devices could be used to unleashed an LDAP-amplified attack on servers.

    Dave Larson, chief technology officer at Corero Network Security, said: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison…With attackers combining legacy techniques with new DDoS vectors and botnet capabilities, terabit-scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.”

    Given the fevered and febrile atmosphere of the US presidential election, no one will be surprised if the next major assault is politically motivated.

    Reply
  20. Tomi Engdahl says:

    Mirai Used STOMP Floods in Recent DDoS Attacks
    http://www.securityweek.com/mirai-used-stomp-floods-recent-ddos-attacks

    The Mirai Internet of Things (IoT) botnet has been using STOMP (Simple Text Oriented Messaging Protocol) floods to hit targets, a protocol that isn’t normally associated with distributed denial of service (DDoS) attacks.

    Mirai has been responsible for taking major websites offline for many users by targeting the Dyn DNS service, in addition to hosting firm OVH in attacks that surpassed 1Tbps (terabit per second). Mirai was also in an attack against Brian Krebs’ blog in a 665Gbps+ (gigabit per second) assault. The botnet uses various attack vectors to power these massive attacks, including STOMP floods.

    Mirai’s source code was released online in early October, and researchers soon observed an uptick in its use for DDoS attacks. With over half a million IoT devices worldwide susceptible to Mirai infection because of their weak security credentials, it does not come as a surprise that the botnet has already expanded in over 164 countries around the world.

    One of the contributors to Mirai’s success in the DDoS landscape is the use of floods of junk STOMP packets, which allow it to ultimately bring down targeted websites.

    Imperva security researchers decided to take a deeper dive into the use of STOMP.

    Designed as a simple application layer, text-based protocol, STOMP is an alternative to other open messaging protocols, including AMQP (Advanced Message Queuing Protocol). It allows applications to communicate with programs designed in different programming languages and works over TCP, the same as HTTP.

    How Mirai Uses STOMP Protocol to Launch DDoS Attacks
    https://www.incapsula.com/blog/mirai-stomp-protocol-ddos.html

    The process can be broken down into the following stages:

    1. A botnet device uses STOMP to open an authenticated TCP handshake with a targeted application.
    2. Once authenticated, junk data disguised as a STOMP TCP request is sent to the target.
    3. The flood of fake STOMP requests leads to network saturation.
    4. If the target is programmed to parse STOMP requests, the attack may also exhaust server resources. Even if the system drops the junk packets, resources are still used to determine if the message is corrupted.

    Interestingly, the recent attacks shared some similarities with the TCP POST flood we warned about several months ago. Both are attempts at targeting an architectural soft spot in hybrid mitigation deployments.

    Each STOMP attack request is set to a default 768 bytes in Mirai’s source code. With a botnet containing more than 100K bots, it’s not difficult to achieve a high rate of attack in which an enterprise grade network having a 5–10Gbps burst uplink easily gets saturated.

    Mitigating STOMP DDoS Attacks

    Successfully mitigating a TCP STOMP attack is a matter of using a solution that is able to:

    Identify malicious requests
    Filter them out before they’re able to travel through your network

    Identifying requests is typically a simple task. Most applications don’t expect to receive STOMP requests, meaning their mitigation providers can drop all junk traffic indiscriminately. Even when this isn’t the case, the predefined size of STOMP payloads makes them easy to spot and to weed out.

    However, the real question that needs to be considered is, “Where exactly are such requests dropped?”

    A hardware solution that terminates TCP on-prem allows malicious STOMP requests to travel through the network pipe. This may cause your network to struggle and even become unavailable—exactly what perpetrators are hoping for.

    A cloud-based service, on the other hand, terminates TCP connections on edge. This means any such attack is blocked outside of your network and doesn’t saturate your uplink.

    Currently, STOMP assaults are rare. But as the use of Mirai malware becomes increasingly more common, it’s likely we’ll see more of them in the near future.Their existence highlights the importance of off-prem filtering.

    Reply
  21. Tomi Engdahl says:

    Surveillance camera compromised in 98 seconds
    All your cameras are belong to Mirai
    http://www.theregister.co.uk/2016/11/18/surveillance_camera_compromised_in_98_seconds/

    Robert Graham, CEO of Errata Security, on Friday documented his experience setting up a $55 JideTech security camera behind a Raspberry Pi router configured to isolate the camera from his home network.

    According to Graham’s series of Twitter posts, his camera was taken over by the Mirai botnet in just 98 seconds.

    Mirai conducts a brute force password attack via telnet using 61 default credentials to gain access to the DVR software in video cameras and to other devices such as routers and CCTV cameras.

    After the first stage of Mirai loads, “it then connects out to download the full virus,” Graham said in a Twitter post. “Once it downloads that, it runs it and starts spewing out SYN packets at a high rate of speed, looking for new victims.”

    Reply
  22. Tomi Engdahl says:

    You Can Now Rent A Mirai Botnet Of 400,000 Bots
    https://it.slashdot.org/story/16/11/27/2230215/you-can-now-rent-a-mirai-botnet-of-400000-bots

    Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest. The hackers have quite a reputation on the hacking underground and have previously been linked to the GovRAT malware, which was used to steal data from several US companies. Renting around 50,000 bots costs between $3,000-$4,000 for 2 weeks, meaning renting the whole thing costs between $20,000-$30,000.

    You Can Now Rent a Mirai Botnet of 400,000 Bots
    http://www.bleepingcomputer.com/news/security/you-can-now-rent-a-mirai-botnet-of-400-000-bots/

    Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest.

    For our readers unfamiliar with Mirai, this is a malware family that targets embedded systems and Internet of Things (IoT) devices and has been used in the past two months to launch the largest DDoS attacks known to date.

    Previous high-profile victims included French Internet service provider OVH (1.1 Tbps), managed DNS service provider Dyn (size unknown), and the personal blog of investigative journalist Brian Krebs (620 Gbps), who at the time, had just recently uncovered an Israeli DDoS-for-Hire service called vDos.

    Botnet developed by reputable hackers

    The two hackers behind this botnet are BestBuy and Popopret, the same two guys behind the GovRAT malware that was used to breach and steal data from countless of US companies. More details about their previous endeavors are available in an InfoArmor report relesed this autumn.

    The two are also part of a core group of hackers that were active on the infamous Hell hacking forum, considered at one point the main meeting place for many elite hackers, so it’s safe to say these are not your regular script kiddies.

    Bleeping Computer reached out to both hackers via Jabber. Both Popopret and BestBuy had the time for a conversation but declined to answer some of our questions, not to expose sensitive information about their operation and their identities.

    Botnet isn’t cheap

    According to the botnet’s ad and what Popopret told us, customers can rent their desired quantity of Mirai bots, but for a minimum period of two weeks.

    “Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.

    Popopret provided an example: “price for 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time is approx 3-4k per 2 weeks.” As you can see, this is no cheap service.

    Once the botnet owners reach an agreement with the buyer, the customer gets the Onion URL of the botnet’s backend, where he can connect via Telnet and launch his attacks.

    Hackers refuse live test, attribution gets tricky

    In private conversations with both Popopret and BestBuy, the hackers respectfully declined to provide evidence of their botnet’s capabilities.

    Reply
  23. Tomi Engdahl says:

    This Web-based Tool Checks if Your Network Is Exposed to Mirai
    http://www.securityweek.com/web-based-tool-checks-if-your-network-exposed-mirai

    Users can now check whether their network is exposed to Mirai, one of the most prolific botnets to have targeted Internet of Things (IoT) devices this year.

    The botnet was initially detailed in early September, but it became more popular in early October, when its author released the source code online. The malware, designed to harness the power of insecure IoT devices to launch distributed denial of service (DDoS) attacks, had been previously used in massive incidents targeting Brian Krebs’ blog and hosting provider OVH.

    Because Mirai’s success is fueled by the existence of IoT devices that aren’t properly secured, it could be easily countered by simply changing the default credentials on vulnerable devices and by closing the Telnet port the botnet uses for infection. That, however, is an operation that users and network admins need to perform, but they might not always be aware of such an issue impacting them.

    To help users determine whether their network is exposed to Mirai or not, IoT Defense Inc., a startup company based in the Washington DC Metro area, launched a web scanner that does exactly that: it searches for opened TCP ports and informs users whether they are safe or not.

    The IoT Defense scanner was written using a combination of Python, Node JS and Jade frameworks and scans for nearly a dozen ports that botnets can exploit. Accessing and using the scanner is free and little instructions are needed, as it does all with a simple click of a button.

    The tool was designed to scan for ports such as File Transfer Protocol (FTP), Secure Shell (SSH), Telnet (both 23 and the alternative 2323), HTTP, HTTPS, Microsoft-SQL-Server, EtherNet/IP, Telnet (alternative), Microsoft Remote Desktop Protocol (RDP), Web Proxy, and Apache Tomcat SSL (HTTPS).

    While not all of these ports are targeted by Mirai, a couple are, with the 2323 Telnet port being specifically attacked.

    Internet of Things Botnet Scanner
    Do you have open ports that botnets can exploit? Press the button below for a quick check.
    https://scanme.iotdef.com/

    Reply
  24. Tomi Engdahl says:

    German ISP Confirms Malware Attacks Caused Disruptions
    http://www.securityweek.com/german-isp-confirms-malware-attacks-caused-disruptions

    German telecommunications giant Deutsche Telekom has confirmed that more than 900,000 of its 20 million fixed-line network customers experienced Internet disruptions due to malware attacks on their routers.

    In a press statement released on Monday, Deutsche Telekom said malicious actors had been trying to infect routers with malware, but the attempts failed, which led to 4-5 percent of devices crashing and preventing owners from going online.

    Since the malware only resides in the router’s memory, customers have been advised to reboot their devices in order to clean the infection. Deutsche Telekom has also released a firmware update that should prevent infections on its Speedport routers.

    Germany’s Federal Office for Information Security (BSI) reported that some government networks protected by the organization were also targeted in attacks. These attacks were mitigated by the existing protection mechanisms, the BSI said.

    Attacks have been observed in several countries. Researchers determined that a piece of malware based on Mirai, whose source code was leaked recently, has been using port 7547 to hijack routers and modems.

    Reply
  25. Tomi Engdahl says:

    Sh… IoT just got real: Mirai botnet attacks targeting multiple ISPs
    Now ZyXEL and D-Link routers from Post Office and TalkTalk under siege
    http://www.theregister.co.uk/2016/12/02/broadband_mirai_takedown_analysis/

    The Mirai botnet has struck again, with hundreds of thousands of TalkTalk and Post Office broadband customers affected. The two ISPs join a growing casualty list from a wave of assaults that have also affected customers at Deutsche Telekom, KCOM and Irish telco Eir over the last two weeks or so.

    Problems at the Post Office and TalkTalk both began on Sunday and collectively affected hundreds of thousands of surfers. Similar attacks against thousands of KCOM broadband users around Hull that started about the same time targeted users of telco-supplied routers. Thousands of punters at the smaller ISP were left without a reliable internet connection as a result of the assault, which targeted routers from Taiwanese manufacturer ZyXEL.

    It’s unclear who is responsible for the growing string of attacks on ISP customers across Europe or their motives. The mechanism of the attack is, however, all too clear. Hackers are using the infamous Mirai malware or one of its derivatives to wreak havoc. The IoT malware scans for telnet before attempting to hack into vulnerable devices, using a brute-force attack featuring 61 different user/password combinations, the various default settings of kit from various manufacturers. Up to 5m devices are up for grabs thanks to wide open management ports, according to some estimates.

    Jean-Philippe Taggart, senior security researcher at Malwarebytes, said: “The leaked Mirai code, poorly secured remote administration on IoT devices, coupled with the recent availability of a Metasploit module to automate such attacks make for an ideal botnet recruitment campaign.

    “So far, it seems the infection does not survive a reboot, but the malicious actors tend to disable access to the remote administration as part of the infection. This prevents the ISP from applying an update that would solve these issues. The botnet gains a longer life as users seldom reboot their routers unless they’re experiencing a problem.”

    Other experts imply further attacks along the same lines are inevitable because the state of router security is poor and unlikely to improve any time soon.

    “The current state of IoT security is in bad shape, and will get a whole lot worse before it gets any better. The Mirai botnet, which is powered by 100,000 IoT devices that are insecure by default, is just the most obvious and topical example.”

    Reply
  26. Tomi Engdahl says:

    TR-069 NewNTPServer Exploits: What we know so far
    https://isc.sans.edu/forums/diary/TR069+NewNTPServer+Exploits+What+we+know+so+far/21763/

    What is “TR-069″

    TR-069 (or its earlier version TR-064) is a standard published by the Broadband Forum. The Broadband Forum is an industry organization defining standards used to manage broadband networks. It focuses heavily on DSL type modems and more recently included fiber optic connections. “TR” stands for “Technical Report”. TR-069 is considered the Broadband Forum’s “Flagship Standard”. [1] Many ISPs and device manufacturers are members of the broadband forum.

    TR-069 allows ISPs to manage modems remotely. Port 7547 has been assigned to this protocol. Some devices appear to use port 5555 instead. I haven’t found a standard defining port 5555 for this use, but it may be an older version. The standard suggests the use of TLS 1.2 but doesn’t require it, and TLS would not have made a difference in this case. Authentication can happen via certificates, or

    TR-069 messages are encoded using SOAP. These SOAP requests include a message that is then parsed by the modem (CPE, “Consumer Premise Equipment). The standard defines a large range of required and optional features.

    The Vulnerability & Exploit

    On November 7th, 2016, “kenzo2017″ posted a blog post showing how the TR-064 “NewNTPServer” feature can be used to execute arbitrary commands. The blog post mentioned only the D1000 modem used by Irish ISP Eir as vulnerable [2].

    Deutsche Telekom Outage

    On Sunday, November 27th, 2016, a large number of Deutsche Telekom customers reported connectivity problems. These issues were later traced to attacks against a particular type of modem. Deutsche Telekom uses the brand name “Speedport” for its modems, but the modems themselves are manufactured by different companies. Deutsche Telekom lists the Speedport W 921 V, 723V Typ B, and 921 Fiber as affected. All of these modems are made by Taiwanese company Acadyan, which does not appear to be connected to Zyxel, the maker of the vulnerable Eir modem.

    Deutsche Telekom rolled out a firmware update to fix the vulnerability exploited by the attack. There has been no official statement from Deutsche Telekom confirming that the TR-069 attack was used to crash the modem. However, Deutsche Telekom did state that an “coding error” in the exploit caused the modems to crash instead of run the exploit code.

    Increase in Scans for Port 7547

    Around the time the outage in Germany, we did notice a substantial increase in the number of attacks against port 7547. Later, a similar increase was noted on %%port:5555%.

    Countermeasures

    As a consumer, if you suspect that your modem is vulnerable or worse, exploited: Reboot your modem and check on firmware updates. For some ISPs, like Deutsche Telekom, firmware updates are avaialbe. But you will typically receive the firmware from your ISP, not the modem’s manufacturer. ISPs customize firmware, like for example by enabling TR-069, and a “default” manufacturer provided firmware may not work for you.

    ISPs should (and typically will) restrict access to port 7547 and port 5555 if it is used for remote configuration. Modem should only accept connections from specific configuration servers. TR-069 implementations had vulnerabilities in the past, and it is very likely that additional issues will be found in the future. Restricting access to the port is necessary to protect the modem from exploits against unpatched vulnerabilities.

    How Many Modems Are Vulnerable?

    The number of devices listening on port 7547 is as larger as 40 Million according to counts performed with Shodan. But not all these modems may run vulnerable implementations, and some may only accept commends from specific servers. It is difficult to say which modems are vulnerable and which once are safe. My personal “best guess” is that this vulnerability may have added 1-2 Million new bots to the Mirai botnet. We do have about 600,000 source IPs scanning for this vulnerability in our database. But many of them may have been infected by Mirai via weak passwords. For a small number of sources that responded on Port 443, we connected and retrieved TLS certificates. The overwhelming portion of certificates where issues by Zyxel, indicating that it is infected Zyxel devices that are participating in the scanning.

    What’s Next?

    At this point, the newly infected systems are just used to scan for more victims. But it is probably just a matter of time until they are used for DDoS attacks.

    Reply
  27. Tomi Engdahl says:

    100,000 UK Routers Likely Affected by Mirai Variant
    http://www.securityweek.com/100000-uk-routers-likely-affected-mirai-variant

    Approximately 100,000 UK TalkTalk and Post Office ISP users were affected by the recent Mirai attack that severely affected nearly a million Deutsche Telekom customers in Germany in late November. It was assumed that the UK victims were the outer ripples of the primary attack; and this was confirmed by a subsequent report that quoted the Mirai developer as apologizing for the effect on the Post Office. The UK disruption was apparently an accident and not done intentionally.

    This version of events is now questioned by the findings of Pen Test Partners. Senior consultant Andrew Tierney reported Friday that the effect on TalkTalk routers was different to the effect on Deutsche Telekom routers. “We can’t see what is causing the claimed ISP outages for TalkTalk and the Post Office reported in the press. It shouldn’t stop the router routing, and as of yet, the bots haven’t taken part in any attacks.”

    Pen Test Partners concluded, “Whilst the spread and purpose of the bot net is similar to Mirai, there are enough differences with this variant that it should really get a new name.”

    TR-064 worm. It’s not Mirai and the outages are interesting
    https://www.pentestpartners.com/blog/tr-064-worm-its-not-mirai-and-the-outages-are-interesting/

    We’ve been looking at the code behind the worm that’s exploiting TalkTalk, PostOffice and many other Zyxel routers using the Allegro RomPager HTTP server.

    What’s odd is that we can’t currently see why it’s causing outages, other than perhaps collapsing under the congestion of scanning for more vulnerable routers.

    The vulnerability is fairly simple, and relies on a series of mistakes.

    Port 7547 is open on these routers to listen for a “knock” to tell them to connect back to a provisioning server. It’s meant to be exposed to the WAN side of the router. This is part of TR-069, which has been discussed a lot in the past.

    Curiously, it also appears that TR-064 is also available on port 7547. TR-064 is called “LAN-Side DSL CPE Configuration”, and unsurprisingly, is only meant to be exposed on the LAN side of the router.

    The TR-064 specification requires authentication, but this seems to be missing.

    Reply
  28. Tomi Engdahl says:

    Backdoor Found in Dahua Video Recorders, Cameras
    http://www.securityweek.com/backdoor-found-dahua-video-recorders-cameras

    Video surveillance company Dahua Technology has started releasing firmware updates to address a serious vulnerability in some of its video recorders and IP cameras.

    The flaw was discovered by a researcher with the online moniker “bashis.” The expert, who has classified the issue as a backdoor, noticed that he could remotely download a device’s complete user database, including usernames and password hashes.

    Bashis did not notify Dahua before making his findings public, but he did remove the proof-of-concept (PoC) code he had released at the vendor’s request. The PoC will be made public again on April 5.

    It’s important that users update the firmware on their devices as Dahua products are often targeted by Internet of Things (IoT) botnets. Researchers reported last year that many of the devices hijacked by the BASHLITE and Mirai botnets had been surveillance products from Dahua.

    Reply
  29. Tomi Engdahl says:

    Oops! 185,000-plus Wi-Fi cameras on the web with insecure admin panels
    Just unplug them now before someone writes a botnet, okay?
    https://www.theregister.co.uk/2017/03/09/185000_wifi_cameras_naked_on_net/

    Get ready for the next camera-botnet: a Chinese generic wireless webcam sold under more than 1,200 brands from 354 vendors has a buggy and exploitable embedded web server.

    According to this advisory by Pierre Kim at Full Disclosure, the problems are in the camera’s GoAhead administrator’s interface and in a weak cloud connection protocol.

    Kim posts a Shodan link that lists around 185,000 vulnerable Wi-Fi-connected cameras exposed to the internet, ready and waiting to be hijacked. The cameras’ CGI script for configuring FTP has a remote code execution hole known since 2015, Kim writes, and this can be used to run commands as root or start a password-less Telnet server.

    There’s an unauthenticated real-time streaming protocol (RTSP) server, so if you can see the camera’s TCP port 10554, you can watch what it streams.

    The camera’s cloud capability is on by default, with pre-configured connections to AWS, Alibaba and Baidu. All an attacker needs is a suitable smartphone application (Kim tried P2PWificam and Netcam360), and the serial number of the target.

    Reply
  30. Tomi Engdahl says:

    DDoS Malware Targets AVTech CGI Vulnerability
    http://www.securityweek.com/ddos-malware-targets-avtech-cgi-vulnerability

    A newly discovered Linux malware family is targeting products from surveillance technology company AVTech via a CGI vulnerability that was disclosed in October 2016, Trend Micro researchers warn.

    Detected as ELF_IMEIJ.A, the malware is the latest in a long list of Trojans targeting Linux ARM devices (such as Mirai, Umbreon rootkit, LuaBot, BashLite, and more). Linux has become the platform of choice for many Internet of Things (IoT) devices, and it’s no wonder cybercriminals are focusing on targeting it, as this provides them with a large attack surface.

    The newly discovered malware attempts to infect devices from AVTech by exploiting a reported CGI vulnerability residing in CloudSetup.cgi, which is found in all AVTech devices that support the Avtech cloud.

    The vulnerability was disclosed to AVTech in October 2016, but the vendor has provided no response, despite repeated attempts to contact it

    “The points of entry for this new Linux malware are connected AVTech devices such as IP cameras, CCTV equipment, and network recorders that support the AVTech cloud. Once the malware is installed onto the device, it gathers system information and network activity data. It can also execute shell commands from the malicious actor, initiate Distributed Denial of Service (DDoS) attacks, and terminate itself,” the researchers explain.

    Reply
  31. Tomi Engdahl says:

    Serious Flaws Expose AVTECH Devices to IoT Botnets
    http://www.securityweek.com/serious-flaws-expose-avtech-devices-iot-botnets

    More than a dozen vulnerabilities found in video surveillance products from AVTECH could be exploited by Internet of Things (IoT) botnets to ensnare affected devices, warned Hungary-based security research and development firm Search-Lab.

    Taiwan-based AVTECH offers a wide range of IP cameras, CCTV equipment and network recorders. AVTECH is said to be one of the world’s largest video surveillance product manufacturers. It should be noted that the firm whose products are vulnerable has no connection to US-based AVTECH, which provides environment monitoring solutions.

    Reply
  32. Tomi Engdahl says:

    BASHLITE Botnets Ensnare 1 Million IoT Devices
    http://www.securityweek.com/bashlite-botnets-ensnare-1-million-iot-devices

    Nearly one million devices have been infected with a piece of malware and abused for distributed denial-of-service (DDoS) attacks, according to an analysis conducted by Level 3 Communications and Flashpoint.

    Reply
  33. Tomi Engdahl says:

    Imperva observed a new variant of the Mirai botnet unleashes 54-Hour DDoS attack
    http://securityaffairs.co/wordpress/57523/malware/mirai-botnet-54hh-ddosa.html

    According to security experts at Imperva, a newly discovered variant of the dreaded Mirai botnet was used to power a 54-hour distributed denial of service (DDoS) attack.

    The Mirai malware was spotted by the researcher MalwareMustDie in August 2016, it was specifically designed to target IoT devices.

    The Mirai botnet was used last year in two large attacks against the website of the popular investigator Brian Krebs and the Dyn DNS service. In October, the source of the Mirai bot was leaked online and new variants were spotted in the wild.

    On January 2017, experts spotted a new Windows variant of Mirai allegedly used to spread the Linux Trojan to more IoT devices.

    Reply
  34. Tomi Engdahl says:

    New Mirai Variant Unleashes 54-Hour DDoS Attack
    http://www.securityweek.com/new-mirai-variant-unleashes-54-hour-ddos-attack

    New Variant of Infamous IoT Botnet Launches Attack Against Network of U.S. College

    A newly discovered variant of the Mirai botnet was responsible for powering a 54-hour distributed denial of service (DDoS) attack, Imperva researchers reveal.

    Mirai was one of the most discussed Internet of Things (IoT) botnets during the second half of last year, after it was used in two large attacks against Brian Krebs’ blog and DNS provider Dyn. In October, the Trojan’s source code leaked online and new variants emerged soon after.

    One such version emerged in December when TalkTalk Telecom home routers were being infected via a vulnerability in the network router protocol. Earlier this year, researchers observed a Windows variant of Mirai, though concluded that it was mainly designed to spread the Linux Trojan to more IoT devices.

    On Feb. 28, the new Mirai threat was used to launch a DDoS attack against a US college, and researchers say that the assault continued for 54 hours straight. The average traffic was of over 30,000 requests per second (RPS) and peaked at around 37,000 RPS, the highest of any Mirai botnet (the attack generated a total of over 2.8 billion requests).

    Reply
  35. Tomi Engdahl says:

    Mirai Variant Has Bitcoin Mining Capabilities
    http://www.securityweek.com/mirai-variant-has-bitcoin-mining-capabilities

    A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.

    Initially spotted in September last year, Mirai was designed to find insecure IoT devices and ensnare them into a botnet primarily used for launching DDoS (distributed denial of service) attacks. Variants of the malware started to emerge after the Trojan’s source code was leaked, and a Windows variant designed to spread the Linux version was spotted earlier this year.

    The newest variant moves beyond the initial DDoS capabilities of the botnet, with the addition of a component focused on Bitcoin mining.

    The Bitcoin mining-capable Mirai variant was observed in a short-lived, high-volume campaign at the end of March, targeting Linux machines running BusyBox. The attack focuses on devices such as DVR servers, which usually feature BusyBox with default Telnet credentials that Mirai targets with a dictionary attack brute-force tool.

    In addition to the various types of attacks that Mirai bots can perform, such as TCP, UDP, and HTTP floods, the new variant also turns the compromised devices into Bitcoin miner slaves. Because IoT devices usually lack computing power, they can’t create Bitcoins, at least not on their own.

    “Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” IBM explains.

    Reply
  36. Tomi Engdahl says:

    Another IoT botnet has been found feasting on vulnerable IP cameras
    Children, please welcome Persirai to the class
    https://www.theregister.co.uk/2017/05/10/persirai_iot_botnet/

    Researchers have discovered yet another IoT botnet.

    Persirai targets more than a thousand different internet protocol camera models. Researchers at Trend Micro warn that 120,000 web-connected cameras are vulnerable to the malware.

    Consumers would, in most cases, be unaware that their devices are even exposed to the internet much less at risk of compromise. Hackers are using a known but seldom patched vulnerability to hack the cameras.

    The development of Persirai comes just weeks after the arrival of Hajime – the “vigilante” IoT worm that blocks rival botnets – and months after the infamous Mirai IoT botnet. Mirai was used to attack a key internet domain resolution hub last October, leaving scores of high-profile websites unreachable to millions.

    Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras
    Posted on:May 9, 2017 at 5:03 am
    Posted in:Internet of Things
    Author: Trend Micro
    By Tim Yeh, Dove Chiu and Kenney Lu
    http://blog.trendmicro.com/trendlabs-security-intelligence/persirai-new-internet-things-iot-botnet-targets-ip-cameras/

    Reply
  37. Tomi Engdahl says:

    Andy Greenberg / Wired:
    Hackers are using Mirai-based botnets to DDoS the domain hardcoded into WannaCry in an attempt to reduce effectiveness of the kill-switch, revive the ransomware — Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off …

    Hackers Are Trying to Reignite WannaCry With Nonstop Botnet Attacks
    https://www.wired.com/2017/05/wannacry-ransomware-ddos-attack/

    Over the past year, two digital disasters have rocked the internet. The botnet known as Mirai knocked a swath of major sites off the web last September, including Spotify, Reddit, and The New York Times. And over the past week, the WannaCry ransomware outbreak crippled systems ranging from health care to transportation in 150 countries before an unlikely “kill-switch” in its code shut it down.

    Now a few devious hackers appear to be trying to combine those two internet plagues: They’re using their own copycats of the Mirai botnet to attack WannaCry’s kill-switch. So far, researchers have managed to fight off the attacks. But in the unlikely event that the hackers succeed, the ransomware could once again start spreading unabated.

    Reply
  38. Tomi Engdahl says:

    Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets
    http://www.securityweek.com/thousands-ip-cameras-hijacked-persirai-other-iot-botnets

    Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

    The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

    The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

    Trend Micro has determined that of a total of 4,400 IP cameras it tracks in the United States, just over half have been infected with malware. The percentage of infected cameras spotted by the security firm in Japan is nearly 65 percent.

    New Persirai IoT Botnet Emerges
    http://www.securityweek.com/new-persirai-iot-botnet-emerges

    Reply
  39. Tomi Engdahl says:

    Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets
    http://www.securityweek.com/thousands-ip-cameras-hijacked-persirai-other-iot-botnets

    Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

    The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

    The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

    Multiple vulnerabilities found in Wireless IP Camera (P2P) WIFICAM cameras and vulnerabilities in custom http server
    https://pierrekim.github.io/blog/2017-03-08-camera-goahead-0day.html

    Vulnerabilities Summary

    The Wireless IP Camera (P2) WIFICAM is a camera overall badly designed with a lot of vulnerabilities. This camera is very similar to a lot of other Chinese cameras.

    It seems that a generic camera is being sold by a Chinese company in bulk (OEM) and the buyer companies resell them with custom software development and specific branding. Wireless IP Camera (P2) WIFICAM is one of the branded cameras.

    So, cameras are sold under different names, brands and functions. The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead and added vulnerable code inside.

    GoAhead stated that GoAhead itself is not affected by the vulnerabilities but the OEM vendor who did the custom and specific development around GoAhead is responsible for the cause of vulnerabilities.

    The summary of the vulnerabilities is:

    CVE-2017-8224 – Backdoor account
    CVE-2017-8222 – RSA key and certificates
    CVE-2017-8225 – Pre-Auth Info Leak (credentials) within the custom http server
    Authenticated RCE as root
    Pre-Auth RCE as root
    CVE-2017-8223 – Misc – Streaming without authentication
    CVE-2017-8221 – Misc – “Cloud” (Aka Botnet)

    Shodan lists 185 000 vulnerable cameras.

    Reply
  40. Tomi Engdahl says:

    Russell Brandom / The Verge:
    Researchers: October’s Mirai botnet attack on Dyn DNS service was incidental; original target was PlayStation Network name servers used by Dyn

    Angry gamers may have been behind last year’s web-breaking DDoS attack
    Targets included Brazilian Minecraft servers and the PlayStation Network
    https://www.theverge.com/2017/8/18/16170536/mirai-ddos-playstation-network-dyn-internet-angry-gamers

    Last October, a flood of traffic from the Mirai botnet brought down major portions of the internet, blocking access to Amazon, Netflix, and other services for most of the northeastern US. It was a painful reminder of the fragility of the internet and the danger of insecure Internet of Things devices — but despite the broad scale of the damage, new research presented today at the Usenix conference suggests the attackers may have just been trying to kick people off PlayStation.

    The new report comes from a team of researchers at Google, Cloudflare, Merit Networks, Akamai, and a range of university partners, drawing on data from some of the largest infrastructure networks on the web. Looking at the October attack on DNS provider Dyn, researchers noticed something unusual. All the IP addresses targeted by the attack were nameservers for the PlayStation Network, used by Dyn to connect visitors to the correct IP address. Because of the networked nature of Dyn’s domain registration system, attacking those servers meant attacking the whole system — and when it went down, it brought down access to dozens of other services with it.

    During the same period, the same attackers also went after a handful of gaming services. The researchers also detected attacks on Xbox Live, Nuclear Fallout and Valve Steam servers during the same period, suggesting the group was going after a wide range of gaming systems.

    “This pattern of behavior suggests that the Dyn attack on October 21, 2016 was not solely aimed at Dyn,” the researchers conclude. “The attacker was likely targeting gaming infrastructure that incidentally disrupted service to Dyn’s broader customer base.”

    Reply
  41. Tomi Engdahl says:

    Mirai copycats fired the IoT-cannon at game hosts, researchers find
    After first wave attacks ended, thing-herders took aim at PlayStation, XBOX and Valve
    https://www.theregister.co.uk/2017/08/21/mirai_copycats_fired_the_iotcannon_at_game_hosts_researchers_find/

    The Mirai botnet that took down large chunks of the Internet in 2016 was notable for hosing targets like Krebs on Security and domain host Dyn, but research presented at a security conference last week suggests a bunch of high-profile game networks were also targeted.

    Although Mirai’s best-known targets were taken out by the early infections, other ne’er-do-well types saw its potential and set up their own Mirai deployments, finishing up with more than 100 victims on the list.

    That’s the conclusion suggested in a paper, Understanding the Mirai Botnet, presented at last week’s Usenix Security conference in Canada last week and penned by a group spanning Google, Akamai, Cloudflare, two universities and not-for-profit networking services provider Merit Network

    Reply
  42. Tomi Engdahl says:

    DDoS Threat Increases While Mirai Becomes ‘Pay-for-Play’
    http://www.securityweek.com/ddos-threat-increases-while-mirai-becomes-pay-play

    The DDoS threat is increasing again. Pbot can generate 75 Gbps from just 400 nodes and Mirai has been commoditized. However, despite the growing number of attacks, the overall trend seems to be for more frequent, smaller attacks. These are the primary takeaways from a new Q2 study into internet traffic.

    Akamai Technologies, a Cambridge, Mass.-based content delivery network (CDN) and cloud services provider with more than 233,000 servers in over 130 countries, has published its Q2 State of the Internet report (PDF). The report comprises analyses of attack data seen across this network. It shows that DDoS attacks have increased by a massive 28% over the previous quarter.

    Within this statistic, infrastructure layer (layers 3 and 4) attacks have risen by 27%; reflection-based attacks have risen 21%; and the average number of attacks per target has increased by 28%. Gaming sites are frequent targets, accounting for 81% of all volumetric DDoS attacks monitored by Akamai.

    [state of the internet] / security
    https://www.akamai.com/uk/en/multimedia/documents/state-of-the-internet/q2-2017-state-of-the-internet-security-report.pdf

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*