Boffin's anti-worm bot could silence epic Mirai DDoS attack army

A GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm "nematode" that could help to patch vulnerable devices used in the massive Mirai distributed denial of service attack. The nematode, a concept detailed by security man Dave Aitel [PDF], would fight back against the …

  1. Voland's right hand Silver badge

    Sci Fi has become a reality

    Time to re-read the Snow Crash.

    1. Mage Silver badge

      Re: Sci Fi has become a reality

      "Snow Crash"? That's 1992. The Internet is older than that and Websites were appearing that year.

      Ha, it was in Brunner's "Shockwave Rider" 1975.

      "tapeworms", remote hacking, fake identities, Ritalin type drugging of the population.

  2. Ole Juul

    go for it

    And break every computer crime law along the way

    Not sure I care about that at the moment. Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

    1. Phil O'Sophical Silver badge

      Re: go for it

      Why not get the ISPs to run it, and when it finds an infected or insecure device it just disconnects the user and changes the ISP login credentials so that the user isn't able to reestablish a basic DSL or cable connection. That isn't interfering with the user's device at all. User has to call the ISP hell desk to get it fixed, and they can be told what they should disconnect. If they say no, they remain locked out. Put it in the ISP Ts&Cs and it'll be legal enough.

      1. Bronek Kozicki Silver badge

        Re: go for it

        Not sufficient - the client will simply move to another ISP, until all users who can't be bothered have moved onto the ISPs who can't be bothered either. Which will reduce the amount of money available to ISPs who do care. Either this is mandated behaviour (so the ISPs who do not care get punished, e.g. disconnected from upstream) or forget about it.

        1. Mark 85 Silver badge

          Re: go for it

          Not sufficient - client will simply move to another ISP

          Not here in the States they won't. The ISPs have pretty much a monopoly based on geography. The only real way to change ISP is to move... sometimes several hundred miles away.

          1. Charles 9 Silver badge

            Re: go for it

            I don't know. Most places have at least one telephone-based ISP and one cable-based ISP, meaning competition DOES exist since the two firms are usually crossing into each other's turf, making them bitter rivals. For example, in my area Cox and Verizon have to keep honest because both offer the same stuff (TV, phone, and internet).

      2. Known Hero

        Re: go for it

        I do think this is a very good way to resolve it, but ... then you are making the ISPs responsible for your traffic, and I'm not sure I like that alternative either.

        They deem certain traffic undesirable .... Bye bye connection

        1. Doctor Syntax Silver badge

          Re: go for it

          "They deem certain traffic undesirable .... Bye bye connection"

          Some of them do it already. They call it traffic shaping. I had that happen when my ISP got taken over by another with a somewhat repetitive name. The traffic got shaped out of existence.

      3. SImon Hobson Silver badge

        Re: go for it

        Why not get the ISPs to ...

        Because no ISP is going to commit suicide voluntarily.

        I pay what I consider to be a reasonable amount to get internet from a reliable ISP that offers a fixed IP address if you want it, and so on. Many I know do not look past the "sticker price" and will even switch ISPs regularly to get their special offers - some of which have to be well below cost!

        If an ISP were to police its users, then it'll be faced with lots of angry customers clogging up the helldesk with "my internet's broke" queries and having to have things explained to them in one-syllable words. Most of these users won't know or care about "space science" like telnet and such - they'll just want their FarceBork back, and they certainly won't accept having to turn off that wizzy new gadget they've just bought.

        So as Bronek Kozicki says, either all ISPs in a region have to do it - or none of them can afford to do it.

        A shame really, because it's the only way this problem will be solved.

        1. Anonymous Coward

          Re: go for it

          "Because no ISP is going to commit suicide voluntarily."

          Virgin Media in the UK do it already, or at least claim to, subcontracting a third party to scan for vulnerabilities on customers' networks.

          I am in favour of doing that. Anything which helps keep me safe is good for me, them and everyone. I regularly probe my systems from outside to look for issues and if they want to join in with that I am happy to let them.

          The downside is that ISPs can abuse and milk their customers by claiming they have found an issue and asking the customer to pay for premium support to get that resolved. Some say Virgin Media are doing exactly that - scamming customers by claiming a vulnerability has been found when there is no evidence of any such vulnerability.

    2. waldo kitty
      Facepalm

      Re: go for it

      Not sure I care about that at the moment. Currently getting 40K queries per minute on one server and that's getting a bit tiresome.

      surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??

      BTW: your account on my BBS is still good ;)

      1. Ole Juul

        Re: go for it

        "surely you have an IDS/IPS in place to detect MIRAI and its variants (MEMES is a recent discovery) and drop their connections in the crapper... why let that stuff even get in the front door when you can stop it at the perimeter??"

        You're making an assumption about the kind of server. I drop responses for repeat queries and that works quite well, but dropping connections from seemingly random and continually changing IPs would result in blocking legitimate queries. Also, thanks for keeping my account going. :)
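
The approach Ole Juul describes above (suppressing answers to repeated queries rather than blocking source addresses, which would also block legitimate clients) as an added Python example; this is not code from the thread, and the log format, client addresses, query names and thresholds are all constructed for the demonstration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # how long a client's answered queries are remembered
REPEAT_LIMIT = 5      # identical queries answered per client per window

class RepeatQueryLimiter:
    """Drop responses to a query the same client has already had answered
    REPEAT_LIMIT times inside WINDOW_SECONDS. The key is (client, name, type),
    so nothing is blocked purely on source address."""
    def __init__(self, window=WINDOW_SECONDS, limit=REPEAT_LIMIT):
        self.window = window
        self.limit = limit
        self.seen = defaultdict(deque)  # key -> timestamps of answered queries

    def should_answer(self, ts, client, qname, qtype):
        key = (client, qname.lower().rstrip("."), qtype.upper())
        hist = self.seen[key]
        while hist and ts - hist[0] >= self.window:   # expire old entries
            hist.popleft()
        if len(hist) >= self.limit:
            return False          # repeat query: answer is suppressed
        hist.append(ts)
        return True

def parse_line(line):
    # Constructed log format (assumed): "<unix_ts> <client_ip> <qname> <qtype>"
    ts, client, qname, qtype = line.split()
    return float(ts), client, qname, qtype

def filter_log(lines, limiter=None):
    """Return (answered, dropped) lists for a sequence of query log lines."""
    limiter = limiter or RepeatQueryLimiter()
    answered, dropped = [], []
    for line in lines:
        ts, client, qname, qtype = parse_line(line)
        keep = limiter.should_answer(ts, client, qname, qtype)
        (answered if keep else dropped).append(line)
    return answered, dropped

# Constructed sample: one source hammering the same ANY query, two ordinary
# clients, and the same source returning after the window has expired.
SAMPLE_LOG = (
    [f"{1000 + i}.0 198.51.100.7 example.net. ANY" for i in range(8)]
    + ["1003.5 203.0.113.5 www.example.net. A",
       "1004.5 203.0.113.5 mail.example.net. MX",
       "1005.5 192.0.2.9 example.net. ANY",
       "1070.0 198.51.100.7 example.net. ANY"]
)
```

On the sample, the first five repeats from 198.51.100.7 are answered, the next three are dropped, the two ordinary clients and the other source asking the same name are untouched, and the same source is answered again once its window has expired.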

  3. Pen-y-gors Silver badge

    Bright idea

    and next off, the Mirai code gets updated with the nematode code, so that it locks the administrator out, so only a factory reset will work - taking us back to the old admin/admin password.

    What a jolly clever idea. What could possibly go wrong etc...Won't someone think of the children?

    1. Doctor Syntax Silver badge

      Re: Bright idea

      "and next off, the Mirai code gets updated with the nematode code, so that it locks the administrator out"

      AIUI it already does that, otherwise it would be easy for someone to log in and de-worm the device. It sounds like the nematode is the worm without the nasty payload.

  4. Doctor Syntax Silver badge

    "any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."

    According to previous articles (a) vulnerable devices are attacked within minutes of going online and (b) the attacks usually close the telnet door behind them. If that's so, most vulnerable devices must already have their users locked out. A nematode that would, say, prompt the user to reboot and change the password would be somewhat more helpful to the user than leaving the device to be infected. However, it's obviously going to be a race against the existing botnet to get to new or newly rebooted devices first. Maybe it needs to crash and reboot a device that's already infected first.

  5. Mage Silver badge

    "prompt the user to reboot"

    How? The user would only "see" anything if they go to an Administrative web page, if there is one. If the gadget uses an "App" powered by a 3rd party server, then producing such a prompt would be difficult.

    1. Doctor Syntax Silver badge

      Re: "prompt the user to reboot"

      "How?"

      AIUI these are telnet connections. They have a service running on port 23 that offers a login prompt for which the password is a known default. Replace that by a service running on port 23 that offers a message saying "Reboot your webcam and change the password".

      1. cybergibbons

        Re: "prompt the user to reboot"

        Why would the user be logging in via telnet? They don't even know the device is running telnet.

        1. Trixr Bronze badge

          Re: "prompt the user to reboot"

          Yeah, I don't know what the angst is, other than breaking laws. How many consumers are using telnet with these devices?

          For those who are, you'd expect they'd be savvy enough to use another way to get in and reset their telnet environment, although then again, the apps that are supplied probably don't expose that configuration interface.

          So, maybe an app update to allow that config to be exposed, assuming they're not using port 80 and no key exchange to do it.

          SSH would be more of a conundrum, although I suppose if it's compromised, the same mitigations would apply.

  6. Anonymous Coward

    I see no problem with this.

    The first bot will have clearly changed the password so the owner probably doesn't have access anyway without resetting the device manually.

    The nematode will disable the first bot and change the password, which the owner didn't have anyway. I would actually recommend completely disabling the device (shut down networking as the last command) as well until the owner resets it and potentially applies a patch; that way at least they are aware they have a problem.

    What's the alternative? Detect all vulnerable devices and send it to the IP address owners which would surely be a thankless task.

    Either way at some point someone is going to have to do something.

  7. David Roberts Silver badge
    Pirate

    One step further

    Clean the device then sit there and wait for the next attacks.

    Record the IP addresses of the attackers and build your list.

    Then Botnet the White calls forth the power of the Internet to slay the foul worm in its lair!

  8. Flywheel Silver badge

    "breach computer crime laws in the US, UK, and Australia"

    Get GCHQ to do it then - they're in the naughty corner right now and nobody in The Establishment is going to censure them anyway,

    1. Dr Scrum Master

      Re: "breach computer crime laws in the US, UK, and Australia"

      they're in the naughty corner right now

      Their job is to be in the naughty corner.

      People just don't like it when they're seen in the naughty corner.

  9. Anonymous Coward

    I would just go with bricking said IoT device(s) totally...

    1. IT Poser

      Brick away

      Until consumers face the consequences of their poor purchase decisions nothing will change. I'd do it myself but I'd end up at Club Fed.

  10. cybergibbons

    It's worth noting that the worm doesn't actually have the ability to change the passwords. It's not a trivial task on many of them - it needs a firmware update.

  11. Adam JC

    "....while any anti-Mirai worm could disrupt inexperienced users who would be locked out of remote device access."

    I'm sorry, but GOOD. Any self-respecting network/sysadmin needs to be shot in the head for leaving anything internet-facing on default admin/admin or admin/password credentials, though I doubt this is anywhere near the majority included in the botnet. I would imagine 99% are home users with no clue that their device is even a part of the attack, in which case I'm all for a bit of 'white-hat hacking'. At worst, it'll mean the device in question gets some attention that would have otherwise gone unnoticed, perhaps forever.

  12. Anonymous Coward

    Well I can only hope

    this stops IoT dragging its arse on the carpet; we should never have let it in the house.

  13. allthecoolshortnamesweretaken

    But it looked sooo cute...

  14. foo_bar_baz
    Headmaster

    Anti-worm nematode

    A nematode is a worm. So anti-worm worm.

  15. John 104

    I fight for the users!

  16. Bucky 2

    Shouldn't admins bear some responsibility for some kind of good-faith effort to keep their devices secure and up to date?

    I'm thinking something along the lines of ST:TNG's first-season episode, "Justice."

    1. Charles 9 Silver badge

      How when the average user doesn't even know such a function even exists? Most people expect turnkey solutions.

  17. Charlie van Becelaere
    Mushroom

    Unleashing the nematode

    This is my new favourite phrase.

    Don't make me mad. You wouldn't like me when I get mad. I may unleash the nematode!
