Comments on: Boffin's anti-worm bot could silence epic Mirai DDoS attack army

A GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm "nematode" that could help to patch vulnerable devices used in the massive Mirai distributed denial of service attack. The nematode, a concept detailed by security man Dave Aitel [PDF], would fight back against the …

Sci Fi has become a reality

Time to re-read Snow Crash.

Re: Sci Fi has become a reality

"Snow Crash"? That's 1992. The Internet is older than that and Websites were appearing that year.

Ha, it was in Brunner's "Shockwave Rider" (1975).

"tapeworms", remote hacking, fake identities, Ritalin type drugging of the population.

go for it

And break every computer crime law along the way

Not sure I care about that at the moment. Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

Re: go for it

Why not get the ISPs to run it, and when it finds an infected or insecure device it just disconnects the user and changes the ISP login credentials so that the user isn't able to reestablish a basic DSL or cable connection. That isn't interfering with the user's device at all. User has to call the ISP hell desk to get it fixed, and they can be told what they should disconnect. If they say no, they remain locked out. Put it in the ISP Ts&Cs and it'll be legal enough.

Re: go for it

Not sufficient - the client will simply move to another ISP, until all users who can't be bothered have moved onto the ISPs who can't be bothered either. Which will reduce the amount of money available to ISPs who do care. Either this is mandated behaviour (so the ISPs who do not care get punished, e.g. disconnected from upstream) or forget about it.

Re: go for it

I do think this is a very good way to resolve it, but ... then you are making the ISPs responsible for your traffic, and I'm not sure I like that alternative either.

They deem certain traffic undesirable .... Bye bye connection

Re: go for it

Why not get the ISPs to ...

Because no ISP is going to commit suicide voluntarily.

I pay what I consider to be a reasonable amount to get internet from a reliable ISP that offers a fixed IP address if you want it, and so on. Many I know do not look past the "sticker price" and will even switch ISPs regularly to get their special offers - some of which have to be well below cost!

If an ISP were to police its users, then it'll be faced with lots of angry customers clogging up the helldesk with "my internet's broke" queries and having to have things explained to them in one-syllable words. Most of these users won't know or care about "space science" like telnet and such - they'll just want their FarceBork back, and they certainly won't accept having to turn off that wizzy new gadget they've just bought.

So as Bronek Kozicki says, either all ISPs in a region have to do it - or none of them can afford to do it.

A shame really, because it's the only way this problem will be solved.
Anonymous Coward

Re: go for it

"Because no ISP is going to commit suicide voluntarily."

Virgin Media in the UK do it already, or at least claim to, subcontracting a third party to scan for vulnerabilities on customers' networks.

I am in favour of doing that. Anything which helps keep me safe is good for me, them and everyone. I regularly probe my systems from outside to look for issues and if they want to join in with that I am happy to let them.

The downside is that ISPs can abuse and milk their customers by claiming they have found an issue and asking the customer to pay for premium support to get that resolved. Some say Virgin Media are doing exactly that - scamming customers by claiming a vulnerability has been found when there is no evidence of any such vulnerability.

Re: go for it

Not sure I care about that at the moment. Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

Surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??

BTW: your account on my BBS is still good ;)

Re: go for it

"surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??"

You're making an assumption about the kind of server. I drop responses for repeat queries and that works quite well, but dropping connections from seemingly random and continually changing IPs would result in blocking legitimate queries. Also, thanks for keeping my account going. :)
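
The "drop responses for repeat queries" mitigation the commenter describes, as an added example that is not the commenter's own code: a per-(client, query) sliding-window suppressor run over constructed log lines. The log format, window and repeat threshold are assumptions made for this illustration; the point is that only tight repeats of the same question from the same client are dropped, so a new client or a new question is still answered.

```python
"""Per-source repeat-query suppressor (illustration; not the commenter's code).
Assumed log format: "<epoch_seconds> <client_ip> <query words...>"."""
from collections import defaultdict, deque

# Constructed sample log: one client hammering the same query, one
# legitimate client, one new query, and a repeat after the window expires.
SAMPLE_LOG = """\
1000.0 203.0.113.7 example.com A
1000.1 203.0.113.7 example.com A
1000.2 203.0.113.7 example.com A
1000.3 198.51.100.9 example.com A
1001.0 203.0.113.7 example.com A
1002.0 203.0.113.7 example.net A
1012.0 203.0.113.7 example.com A
"""


class RepeatSuppressor:
    """Drop a response when the same client has already asked the same
    question more than `max_repeats` times within the last `window` seconds.
    Keyed on (client, query), not on client alone, so a busy but legitimate
    resolver asking different questions is never blocked wholesale."""

    def __init__(self, window=10.0, max_repeats=2):
        self.window = window
        self.max_repeats = max_repeats
        self._seen = defaultdict(deque)  # (client, query) -> recent timestamps

    def allow(self, ts, client, query):
        hist = self._seen[(client, query)]
        # Expire timestamps that have fallen out of the sliding window.
        while hist and ts - hist[0] > self.window:
            hist.popleft()
        hist.append(ts)
        return len(hist) <= self.max_repeats


def filter_log(text, window=10.0, max_repeats=2):
    """Run the suppressor over log lines; return (answered, dropped) lists."""
    suppressor = RepeatSuppressor(window, max_repeats)
    answered, dropped = [], []
    for line in text.splitlines():
        ts, client, *query = line.split()
        ok = suppressor.allow(float(ts), client, " ".join(query))
        (answered if ok else dropped).append(line)
    return answered, dropped
```

With the sample above, the third and fifth lines are dropped as tight repeats, while the other client, the new query, and the repeat twelve seconds later are all answered.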

Re: go for it

"They deem certain traffic undesirable .... Bye bye connection"

Some of them do it already. They call it traffic shaping. I had that happen when my ISP got taken over by another with a somewhat repetitive name. The traffic got shaped out of existence.

Re: go for it

Not sufficient - client will simply move to another ISP

Not here in the States they won't. The ISPs have pretty much a monopoly based on geography. The only real way to change ISP is to move... sometimes several hundred miles away.

Re: go for it

I don't know. Most places have at least one telephone-based ISP and one cable-based ISP, meaning competition DOES exist since the two firms are usually crossing into each other's turf, making them bitter rivals. For example, in my area Cox and Verizon have to keep honest because both offer the same stuff (TV, phone, and internet).

Bright idea

and next off, the Mirai code gets updated with the nematode code, so that it locks the administrator out, so only a factory reset will work - taking us back to the old admin/admin password.

What a jolly clever idea. What could possibly go wrong etc...Won't someone think of the children?

Re: Bright idea

"and next off, the Mirai code gets updated with the nematode code, so that it locks the administrator out"

AIUI it already does that, otherwise it would be easy for someone to log in and de-worm the device. It sounds like the nematode is the worm without the nasty payload.

"any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."

According to previous articles (a) vulnerable devices are attacked within minutes of going online and (b) the attacks usually close the telnet door behind them. If that's so, most vulnerable devices must already have their users locked out. A nematode that would, say, prompt the user to reboot and change the password would be somewhat more helpful to the user than leaving the device to be infected. However, it's obviously going to be a race against the existing botnet to get to new or newly rebooted devices first. Maybe it needs to crash and reboot a device that's already infected first.

"prompt the user to reboot"

How? The user would only "see" anything if they go to an Administrative web page, if there is one. If the gadget uses an "App" powered by a 3rd party server, then producing such a prompt would be difficult.

Re: "prompt the user to reboot"

"How?"

AIUI these are telnet connections. They have a service running on port 23 that offers a login prompt for which the password is a known default. Replace that by a service running on port 23 that offers a message saying "Reboot your webcam and change the password".

Re: "prompt the user to reboot"

Why would the user be logging in via telnet? They don't even know the device is running telnet.

Re: "prompt the user to reboot"

Yeah, I don't know what the angst is, other than breaking laws. How many consumers are using telnet with these devices?

For those who are, you'd expect they'd be savvy enough to use another way to get in and reset their telnet environment, although then again, the apps that are supplied probably don't expose that configuration interface.

So, maybe an app update to allow that config to be exposed, assuming they're not using port 80 and no key exchange to do it.

SSH would be more of a conundrum, although I suppose if it's compromised, the same mitigations would apply.
Anonymous Coward

I see no problem with this.

The first bot will have clearly changed the password so the owner probably doesn't have access anyway without resetting the device manually.

The nematode will disable the first bot and change the password which the owner didn't have anyway. I would actually recommend completely disabling the device (shutdown networking as last command) as well until the owner resets it and potentially applies a patch that way at least they are aware they have a problem.

What's the alternative? Detect all vulnerable devices and send it to the IP address owners which would surely be a thankless task.

Either way at some point someone is going to have to do something.

One step further

Clean the device then sit there and wait for the next attacks.

Record the IP addresses of the attackers and build your list.

Then Botnet the White calls forth the power of the Internet to slay the foul worm in its lair!

"breach computer crime laws in the US, UK, and Australia"

Get GCHQ to do it then - they're in the naughty corner right now and nobody in The Establishment is going to censure them anyway.

Re: "breach computer crime laws in the US, UK, and Australia"

they're in the naughty corner right now

Their job is to be in the naughty corner.

People just don't like it when they're seen in the naughty corner.
Anonymous Coward

I would just go with bricking said IoT device(s) totally...

Brick away

Until consumers face the consequences of their poor purchase decisions nothing will change. I'd do it myself but I'd end up at Club Fed.

It's worth noting that the worm doesn't actually have the ability to change the passwords. It's not a trivial task on many of them - it needs a firmware update.

"....while any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."

I'm sorry, but GOOD. Any self-respecting network/sysadmin needs to be shot in the head for leaving anything internet-facing on default admin/admin or admin/password credentials, though I doubt this is anywhere near the majority included in the botnet. I would imagine 99% are home users with no clue that their device is even a part of the attack, in which case I'm all for a bit of 'white-hat hacking'. At worst, it'll mean the device in question gets some attention that would have otherwise gone unnoticed, perhaps forever.
Anonymous Coward

Well I can only hope

this stops IoT dragging its arse on the carpet; we should never have let it in the house.

But it looked sooo cute...

Anti-worm nematode

A nematode is a worm. So anti-worm worm.

I fight for the users!

Shouldn't admins bear some responsibility for some kind of good-faith effort to keep their devices secure and up to date?

I'm thinking something along the lines of ST:TNG's first-season episode, "Justice."

How when the average user doesn't even know such a function even exists? Most people expect turnkey solutions.

Unleashing the nematode

This is my new favourite phrase.

Don't make me mad. You wouldn't like me when I get mad. I may unleash the nematode!