Sci Fi has become a reality
Time to re-read Snow Crash.
A GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm "nematode" that could help to patch vulnerable devices used in the massive Mirai distributed denial of service attack. The nematode, a concept detailed by security man Dave Aitel [PDF], would fight back against the …
Why not get the ISPs to run it, and when it finds an infected or insecure device it just disconnects the user and changes the ISP login credentials so that the user isn't able to reestablish a basic DSL or cable connection. That isn't interfering with the user's device at all. User has to call the ISP hell desk to get it fixed, and they can be told what they should disconnect. If they say no, they remain locked out. Put it in the ISP Ts&Cs and it'll be legal enough.
Not sufficient - the client will simply move to another ISP, until all users who can't be bothered have moved onto the ISPs who can't be bothered either. Which will reduce the amount of money available to ISPs who do care. Either this is mandated behaviour (so the ISPs who do not care get punished, e.g. disconnected from upstream) or forget about it.
I don't know. Most places have at least one telephone-based ISP and one cable-based ISP, meaning competition DOES exist since the two firms are usually crossing into each other's turf, making them bitter rivals. For example, in my area Cox and Verizon have to keep honest because both offer the same stuff (TV, phone, and internet).
Why not get the ISPs to ...
Because no ISP is going to commit suicide voluntarily.
I pay what I consider to be a reasonable amount to get internet from a reliable ISP that offers a fixed IP address if you want it, and so on. Many I know do not look past the "sticker price" and will even switch ISPs regularly to get their special offers - some of which have to be well below cost!
If an ISP were to police its users, then it'll be faced with lots of angry customers clogging up the helldesk with "my internet's broke" queries and having to have things explained to them in one-syllable words. Most of these users won't know or care about "space science" like telnet and such - they'll just want their FarceBork back, and they certainly won't accept having to turn off that wizzy new gadget they've just bought.
So as Bronek Kozicki says, either all ISPs in a region have to do it - or none of them can afford to do it.
A shame really, because it's the only way this problem will be solved.
"Because no ISP is going to commit suicide voluntarily."
Virgin Media in the UK do it already, or at least claim to, subcontracting a third party to scan for vulnerabilities on customer's networks.
I am in favour of doing that. Anything which helps keep me safe is good for me, them and everyone. I regularly probe my systems from outside to look for issues and if they want to join in with that I am happy to let them.
The downside is that ISPs can abuse and milk their customers by claiming they have found an issue and asking the customer to pay for premium support to get that resolved. Some say Virgin Media are doing exactly that - scamming customers by claiming a vulnerability has been found when there is no evidence of any such vulnerability.
Not sure I care about that at the moment. Currently getting 40K queries per minute on one server and that's getting a bit tiresome.
Surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??
BTW: your account on my BBS is still good ;)
"surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??"
You're making an assumption about the kind of server. I drop responses for repeat queries and that works quite well, but dropping connections from seemingly random and continually changing IPs would result in blocking legitimate queries. Also, thanks for keeping my account going. :)
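The distinction drawn in the comment above (suppress repeat queries rather than block source IPs) is worth seeing in code. The following is an added illustration, not code from the original thread or from any commenter; the query format, the `RepeatQueryFilter` class and the sample traffic are all constructed for this example. It models a query-answering service hit by the same query from many different source addresses, and shows that a per-query window answers the first few and drops the rest while novel queries from any address still get through, whereas an IP-based block list would have to grow with every new source.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class Query:
    ts: float   # arrival time in seconds (constructed)
    src: str    # client IP address (constructed)
    name: str   # what the client is asking for


class RepeatQueryFilter:
    """Answer a given query name at most `limit` times per `window` seconds,
    whichever source IP asks. Names not seen recently are always answered,
    so legitimate clients on changing addresses are not affected."""

    def __init__(self, window: float = 60.0, limit: int = 3):
        self.window = window
        self.limit = limit
        self._answered = {}  # query name -> deque of timestamps we answered

    def should_answer(self, q: Query) -> bool:
        times = self._answered.setdefault(q.name, deque())
        # Forget answers that have aged out of the window.
        while times and q.ts - times[0] > self.window:
            times.popleft()
        if len(times) >= self.limit:
            return False  # same question asked too often recently: stay silent
        times.append(q.ts)
        return True


def run_filter(queries, window: float = 60.0, limit: int = 3):
    """Split a stream of queries into (answered, dropped) lists."""
    f = RepeatQueryFilter(window, limit)
    answered, dropped = [], []
    for q in queries:
        (answered if f.should_answer(q) else dropped).append(q)
    return answered, dropped


def distinct_sources(queries):
    """How many addresses an IP-based block list would have to hold."""
    return len({q.src for q in queries})


# Constructed traffic: 40 copies of one query, each from a different address
# one second apart, interleaved with three ordinary queries for other names.
FLOOD = [Query(ts=float(i), src=f"203.0.113.{i}", name="victim.example")
         for i in range(40)]
LEGIT = [Query(ts=5.5, src="198.51.100.7", name="mail.example"),
         Query(ts=17.5, src="198.51.100.8", name="www.example"),
         Query(ts=33.5, src="203.0.113.3", name="ns.example")]  # reused flood IP
SAMPLE = sorted(FLOOD + LEGIT, key=lambda q: q.ts)


if __name__ == "__main__":
    ans, drop = run_filter(SAMPLE)
    print(f"answered {len(ans)}, dropped {len(drop)}")
    print(f"an IP block list would need {distinct_sources(FLOOD)} entries")
```

The third legitimate query deliberately comes from an address that also took part in the flood: an IP block list would have silenced it, but the per-query filter answers it because `ns.example` has not been asked recently.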
and next off, the Mirai code gets updated with the nematode code, so that it locks the administrator out, so only a factory reset will work - taking us back to the old admin/admin password.
What a jolly clever idea. What could possibly go wrong etc... Won't someone think of the children?
"any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."
According to previous articles (a) vulnerable devices are attacked within minutes of going online and (b) the attacks usually close the telnet door behind them. If that's so, most vulnerable devices must already have their users locked out. A nematode that would, say, prompt the user to reboot and change the password would be somewhat more helpful to the user than leaving the device to be infected. However, it's obviously going to be a race against the existing botnet to get to new or newly rebooted devices first. Maybe it needs to crash and reboot a device that's already infected first.
"How?"
AIUI these are telnet connections. They have a service running on port 23 that offers a login prompt for which the password is a known default. Replace that by a service running on port 23 that offers a message saying "Reboot your webcam and change the password".
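The "service on port 23 that offers a message" described above is simple enough to show. This is an added example, not code from the thread or from any commenter: a small TCP listener that, instead of presenting a login prompt, sends a notice and logs the connecting address, of the kind a device vendor or operator could ship in place of a default-password telnet login. The `NOTICE` text, the class names and the helper functions are all constructed here. Binding the real port 23 needs privileges, so the example binds an ephemeral loopback port and includes a client helper that reads the notice back, which is how it can be exercised offline.

```python
import logging
import socket
import socketserver
import threading

# Constructed notice text; in deployment a vendor would word this for its device.
NOTICE = (
    b"This device was reachable with a factory-default telnet password.\r\n"
    b"Reboot your webcam and change the password.\r\n"
    b"Remote login is disabled on this port.\r\n"
)


class NoticeHandler(socketserver.BaseRequestHandler):
    """Serve the notice and close. No prompt is offered and nothing is read,
    so there is no credential to guess and nothing to log in to."""

    def handle(self):
        src_ip, src_port = self.client_address[:2]
        # Keeping a record of who knocks tells the owner the port is being probed.
        logging.info("telnet-port connection from %s:%d", src_ip, src_port)
        self.request.sendall(NOTICE)


class NoticeServer(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True


def start_notice_server(host: str = "127.0.0.1", port: int = 0) -> NoticeServer:
    """Start the listener in a background thread; port 0 picks a free port.
    Returns the server so the caller can read server_address and shut it down."""
    srv = NoticeServer((host, port), NoticeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def read_notice(host: str, port: int, timeout: float = 2.0) -> bytes:
    """Connect like a telnet client would and return everything the service
    sends before it closes the connection."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        while True:
            chunk = s.recv(4096)
            if not chunk:
                break
            chunks.append(chunk)
    return b"".join(chunks)


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    # Stand-alone run: serve on a free loopback port and read the notice back once.
    server = start_notice_server()
    host, port = server.server_address[:2]
    print(read_notice(host, port).decode())
    server.shutdown()
    server.server_close()
```

Because the handler never calls `recv`, a scanner that tries to push a username and password at it gets the notice and a closed socket, and the log line records the attempt.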
Yeah, I don't know what the angst is, other than breaking laws. How many consumers are using telnet with these devices?
For those who are, you'd expect they'd be savvy enough to use another way to get in and reset their telnet environment, although then again, the apps that are supplied probably don't expose that configuration interface.
So, maybe an app update to allow that config to be exposed, assuming they're not using port 80 and no key exchange to do it.
SSH would be more of a conundrum, although I suppose if it's compromised, the same mitigations would apply.
I see no problem with this.
The first bot will have clearly changed the password so the owner probably doesn't have access anyway without resetting the device manually.
The nematode will disable the first bot and change the password, which the owner didn't have anyway. I would actually recommend completely disabling the device (shutdown networking as the last command) as well until the owner resets it and potentially applies a patch; that way at least they are aware they have a problem.
What's the alternative? Detect all vulnerable devices and send it to the IP address owners which would surely be a thankless task.
Either way at some point someone is going to have to do something.
"....while any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."
I'm sorry, but GOOD. Any self-respecting network/sysadmin needs to be shot in the head for leaving anything internet-facing on default admin/admin or admin/password credentials, though I doubt this is anywhere near the majority included in the botnet. I would imagine 99% are home users with no clue that their device is even a part of the attack, in which case I'm all for a bit of 'white-hat hacking'. At worst, it'll mean the device in question gets some attention that would have otherwise gone unnoticed, perhaps forever.