50 comments

[ 2.9 ms ] story [ 122 ms ] thread
This source is incomplete. See https://github.com/0x27/linux.mirai for a full mirror of the release.
Thanks.

Question for the C folks. The author seems to have reimplemented functions such as strlen, memcpy, and atoi in 'bot/util.h' instead of using the stdlib. Anyone know why?

https://github.com/0x27/linux.mirai/blob/master/mirai/bot/ut...

I believe not all embedded systems have the c stdlib.
Not the reason. Especially when the author includes headers like: #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <arpa/inet.h> #include <linux/ip.h> #include <linux/udp.h> #include <errno.h> #include <fcntl.h>
Remember that this target IoT devices, where diversity is much higher than it would be for desktops or servers. the build scripts shows the targeted architectures:

i586 mips mipsel armv4l armv5l armv6l powerpc sparc m68k sh4

Because you cannot rely on some chintzy IoT device to have dynamically loadable libraries. In all likelihood, they don't. But let's assume they do have loadable stdlib, would would you trust the integrity of your botnet to dozens of poorly designed IoT devices?
Don't most of these IoT devices usually run Linux though?
Sure, but many of them only contains a static busybox binary and no libc.
You can statically link the binary you build, doesnt mean you need to reimplement.
But it is easier to copy/paste those few functions rather than play with static libc and then making sure all the other functions don't get linked into the final binary.
I think the headline there, "Mirai Botnet Client, Echo Loader and CNC source code", is more descriptive and suitable than the current title.

"Mirai" is a rather generic name; for a moment I was wondering if it was related to the https://en.wikipedia.org/wiki/Toyota_Mirai ...but it did make me click to find out.

(comment deleted)
What is the origin of the name?

I assumed (guessed) it was the last name of the "father of the internet" on Japan.

(comment deleted)
I'm just happy to see that kids these days still say "greetz" in their github/BBS posts these days.

Or maybe this is a greybeard hacker?

(comment deleted)
This thing's strategy for finding machines to take over is so simple it's embarrassing. It tries to open an unencrypted Telnet connection to random IP addresses. If it gets a response, it tries the following username/password combinations:

    root     xc3511
    root     vizxv
    root     admin
    admin    admin
    root     888888
    root     xmhdipc
    root     default
    root     juantech
    root     123456
    root     54321
    support  support
    root     (none)
    admin    password
    root     root
    root     12345
    user     user
    admin    (none)
    root     pass
    admin    admin1234
    root     1111
    admin    smcadmin
    admin    1111
    root     666666
    root     password
    root     1234
    root     klv123
    Administrator admin
    service  service
    supervisor supervisor
    guest    guest
    guest    12345
    guest    12345
    admin1   password
    administrator 1234
    666666   666666
    888888   888888
    ubnt     ubnt
    root     klv1234
    root     Zte521
    root     hi3518
    root     jvbzd
    root     anko
    root     zlxx.
    root     7ujMko0vizxv
    root     7ujMko0admin
    root     system
    root     ikwb
    root     dreambox
    root     user
    root     realtek
    root     00000000
    admin    1111111
    admin    1234
    admin    12345
    admin    54321
    admin    123456
    admin    7ujMko0admin
    admin    1234
    admin    pass
    admin    meinsm
    tech     tech
    mother   fucker
That's it.

Deploying millions of devices with fixed passwords that dumb is clear evidence of gross negligence on the part of IoT device manufacturers. If this gets to court, some lawyer is going to enter that list as evidence and read it to a jury.

"That's the kind of combination an idiot would have on his luggage!" - Spaceballs

Oh crap. That has like two of my passwords in there.
I cannot wait for some type of top-down pressure to force IoT developers to take security seriously. The movement has been pushed into overdrive thanks to insane levels of competition where you either crush your R&D into the smallest breakneck period or you live to see your creation being sold for half of what your budget can allow by other firms lifting your efforts while you're still at the workbench.[1]

I've been getting cozy with Shenzhen-based hardware accelerators for the past year as part of a personal side-venture and I have not seen a group so pressured to deliver a product as fast as possible with security being a casual afterthought. To get a decent taste of what it's like, I wholeheartedly recommend WIRED's Future Cities documentary on Shenzhen and the companies that dwell there.[2] Their struggles for ephemeral market-share are endemic of the entire community that's taken over embedded hardware for the past few years.

The saddest aspect of it all is that this market competition isn't benefiting the consumer. IoT devices are coming out of the factories poorly engineered, badly maintained for far too short of a time, and as we've learned from this attack, being used as vectors for network intrusion and distributed censorship. Even arduino founder Massimo Banzi's widely-lauded IoT Manifesto[3] fails to approach any comprehensive statement regarding a dev's responsibility to build in some level of security to their devices.

It just isn't part of the fast-and-loose culture that has been bred by trend-setting companies with unlimited budgets making bad decisions from the very start.[4] In addition, the if-you-can't-beat-'em-join-'em attitude the West has taken towards churning out hardware devices as fast as they can before jumping to the next IoT piece of junk before the ripoffs can hurt them is really disappointing as it prevents any considerable effort from going into a device pre-and-post release.

All in all, the IoT community is not going to change their priorities unless someone very powerful forces them to and it can't happen soon enough.

[1] http://qz.com/771727/chinas-factories-in-shenzhen-can-copy-p...

[2] https://www.youtube.com/watch?v=SGJ5cZnoodY (This is over an hour long but very worth it)

[3] https://create.arduino.cc/iot/manifesto/

[4] https://techcrunch.com/2014/01/06/nest-4-0-firmware-battery-... & again in 2016 http://www.nytimes.com/2016/01/14/fashion/nest-thermostat-gl... I'm not going to even touch the dropcam and IoT smoke detector.

> the IoT community

I hate this phrase. It's not like a bunch of people gathered and said "let's make shitty IoT stuff!". It's not a "community", there aren't groups around advocating against security best practices.

If anything the actual community around IoT stuff takes security more seriously than most HNers.

The problem is the companies and manufacturers that aren't part of the community.

And I take issue with your [4]. That has nothing to do with security. It was a glitch, and it happened, and I personally don't like Nest as a company very much and think they make pretty shitty products, but they take security seriously, and in a discussion about IoT security linking a non-security related software bug serves no purpose. Everything has bugs, that doesn't mean it's absolute shit when something goes wrong.

Your [3] is also incorrect. The Arduino IoT Manifesto's second point is that a dev should make sure their product can be updated, and even if it's abandoned it should be able to be repurposed in something else, or updated by someone else.

What's up with 7ujMko? That one seems really secure.
Hardcoded in some "firmware example" supplied by the vendor, someone REd the firmware and published the password on his blog, and then it was discovered by the author(s) of this malware.
It's a simple pattern on a QWERTY keyboard. 7UJM and MKO are each on a diagonal path.
It doesn't matter how "secure" a password is if it's known. Quite a few vendors ships devices with a common factory password, stated in the manual. And people put those on ther internet.
Dammit, I thought we solved this 10+ years ago when home router manufacturers finally started printing unique passwords on the base of the product.
LOL it's missing "admin/ztonpk, admin/tzlkisonpk, telekom/telekom" which are default passwords for root access on Telekom Serbia's modems (7-8 million devices including IPTV STBs)... It's so stupid I have to use their shitty modem and can't change the pwd because they occasionally flash new firmware to it and reset everything to default, because that's how they configure the xDSL settings.
then the jury will find that offending, because 8 of them have passwords like that ;)
So this was dumped 20 days ago, and now we've got a fairly large outage taking place.

In other words, it could have been anyone?

Misdirection? Maybe that is what we are meant to think.
(comment deleted)
The IoT devices can be accessed over telnet. Out of curiosity: Is there a self destruct command? or a way to make one?

It seems to me that destroying the vulnerable devices would solve the DDoS problem and gives a big kick in the face of the affected manufacturers plus a good press coverage.

This was my exact thought. If we have the source code, it seems as if it wouldn't be too hard to make our own version which seeks and destroys other versions, possibly patching the system, or at least changing the password to be something secure.

Is there a reason this can't be done? (Other than a legal reason, which hackers don't tend to care too much about.)

If you can get access as riot then changing the password should be possible - assuming (and I haven't looked at the source yet) that the hacker doesn't when they first get control (although if the source is original it would have a/some passwords in it as you can't control something if you don't know the password). Modifying the existing code to find and remove the added components (as you know what's been added by the code, where it's been added to) before resetting the password ought to be doable. Changing the password ought to then alert the users that something's wrong ("hey, my internet connected [thing] isn't working?") so hopefully they will then contact the vendor, or bitch about the product on a review site, which will make the vendor sit up and notice if a lot of people do this. If it looks like this hits a company's bottom line it will have more impact. You may have to hit the machines more than once because support will probably start with 'flash the firmware' which will reset the password, so a couple of passes to ensure the users get fed up, and support suggest changing defaults might solve the problem. A more serious/damaging and potentially dangerous (depending what the IoT thing is being used for - ie fire detection, child monitoring) would potentially be - and this is not my field - to deploy null/corrupt/fake firmware to these devices to take them offline until a firmware flash is carried out. That would require different tactics than just modifying the source, and would be more complicated due to the different types of device. I'm not sure how easy it is to remote flash this stuff, whether you need certificates, whether you can flash entirely non-functioning code and how easily. As I say, not my area. Anyone know if it's possible to put this code on a DNS box and when an attack starts go to each source ip, attempt Telnet with default list, then clean/change password/reboot/re-firmware (whichever - any/all) to kill the sources our do these systems use ip masking/obfuscation?
The whole focus on IOT and random individual devices on the network seems misplaced. If all it takes is misconfiguration of random devices that join the network to take it down then you have a larger problem than these devices.

Since there is no way to police this and 'wack a mole' for billions of devices is not a practical strategy this security focus on IOT devices while nice does not address the core problem of vulnerable networks and ddos. It distracts and diverts from it.

True, but there's conversely a whole bunch of problems associated with the scandalous lack of security wrt many IoT devices, that aren't anything to do with DDoS. I wonder how many people are being watched as we speak.
Would it be illegal to innoculate IoT devices by forking Mirai and then changing each vulnerable device's default password to a random choice of high entropy?
Doesn't this brick the device from the user's perspective?
In many cases, sure, but there is usually an easy way to reset such a device back to its factory defaults.
IANAL, but I'm pretty sure the answer to that is "yes". It would set a terrible precedent by authorising vigilantism, and I'm not sure how you would define "vulnerable" under the law.
Is there a page somewhere that maps these passwords to corresponding devices? Essentially a list of what devices are affected by this botnet? I don't think anything I own is affected, and I monitor my network pretty closely, but would like to double check. And make sure not to buy any of them either.
Could someone please illustrate a concrete example of how having the password to my camera (assuming it has an routing through NAT) can be used to generate outbound traffic?

I have five cameras set up with NAT port holes. My passwords are (I believe) secure. But even if they were on the list, how could that be used to generate outbound traffic to DDoS someone? Presumably, only by a further vulnerability in the firmware.

In all the media / HN coverage, even with the release of Mirai source, I have yet to see a concrete example of a brand/model of camera/DVR who's firmware is exploitable. Let alone a list of models that are.

One exception: The D-Link DCS-930L[1] has a known vulnerability.

[1]: https://www.exploit-db.com/exploits/39437/

Edit: Okay, if you can get in on telnet, then nevermind; you're p0wned. But if you're a webcam on port 8080, what is the attack vector?