Malware Hunts And Kills Poorly Secured Internet Of Things Devices Before They Can Be Integrated Into Botnets

from the battle-of-the-brick dept

Researchers say they've discovered a new wave of malware with one purpose: to disable poorly secured routers and internet of things devices before they can be compromised and integrated into botnets. We've often noted how internet-of-broken-things devices ("smart" doorbells, fridges, video cameras, etc.) have such flimsy security that they're often hacked and integrated into botnets in just a matter of seconds after being connected to the internet. These devices are then quickly integrated into botnets that have been responsible for some of the worst DDoS attacks we've ever seen (including last October's attack on DYN).

And most security researchers firmly believe we haven't seen anything yet.

Enter PDoS (permanent denial of service) attack bots, which scan the internet for routers with default, unchanged passwords, or "smart" doorbells, dolls or other devices with paper-mache grade security. From there, PDoS attack bots issue a series of commands that wipe device media, corrupt all storage, and disconnect the device from the internet. Last month, researchers from security firm Radware set up an intentionally poorly-secured honeypot that they say saw roughly 2,250 PDoS attempts during just a four-day span.

The lion's share of these attacks came from two botnets dubbed BrickerBot.1 and BrickerBot.2 -- with nodes busily bricking poorly-secured devices around the world. Initially researchers say they thought that somebody crafted malware specifically to tackle the IOT threat. But given the broad targeting of the botnets (including server-attached storage devices), they also think it's possible that the goal may just be good, old, vanilla mayhem:

"When I discovered the first BrickerBot, I thought it was a drastic attempt to stop the IoT Botnet DDoS threat," Radware researcher Pascal Geenens told Ars. "I thought this was a competitor hacker who wanted to take out his competition and get access to the list of IP [addresses] of bots that were in the competitor's botnet. But upon discovery of the second BrickerBot this theory changed, as the second one is targeting any Linux-based system—not only embedded, BusyBox-based Linux with flash storage. What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?"

As it stands, BrickerBot.2 can only access machines that feature default administrative passwords and have the telnet protocol enabled, limiting the overall potential impact. Regardless, the end result still isn't pleasant for those on the receiving end of a BrickerBot.2 attack:

"...In addition to corrupting the storage device, BrickerBot.2 wipes all stored files, removes the default Internet gateway, disables TCP timestamps, and limits the maximum number of kernel threads to just one. That all but ensures that most damaged devices won't be restored without a major undertaking. Radware has more details about the attacks here."

It's still entirely possible the goal here is to actually help the internet by killing poorly-secured hardware before they can be conscripted into the shitshow that is the internet of things. After all, BrickerBot.2 appears to be an evolution of the Linux.Wifatch malware, which first appeared in October 2015. It seems more than likely that additional malware strains taking cues from the Mirai malware will inevitably appear in the wild, the goal potentially being not necessarily mayhem -- but preventing the massive, crippling DDoS attacks most security experts feel are inevitable in the next year or two.

The problem (aside from this being illegal and destructive) is that the type of person that's likely to go out and purchase a poorly-secured "gee whiz" IOT device or router without considering security -- is the same type of person that's not going to understand why that device just stopped working for no coherent reason. As a result, they're likely to rush out and buy another, poorly-secured device, bringing the incompetence full circle with a zero net gain. As such, Security expert Victor Gevers is urging malware authors like this to consider a more constructive path toward the same end goal:

"These attacks are very easy to execute, and I think this just the beginning," (Gevers) told Bleeping Computer. "I don't want to label this work as dark, but I think there are less destructive ways to achieve the same goal." "Instead of bricking you could also allow the devices to still work and just patch the vulnerability. This requires a bit more finesse."

Granted an even better solution? Stop selling (and buying) hardware with paper-mache grade security in the first place.

Filed Under: botnets, iot, malware, patching, security

Sheldon Whitehouse Freaks Out, Blames 'Pro-Botnet Lobby' For Rejecting His Terrible CFAA Amendment

from the the-pro-botnet-lobby-is-here dept

As we mentioned yesterday, one of the (many) bad things involved in the new Senate attempt to push the CISA "cybersecurity" bill forward was that they were including a bad amendment added by Senator Sheldon Whitehouse that would expand the terrible Computer Fraud and Abuse Act, a law that should actually be significantly cut back. Senator Ron Wyden protested this amendment specifically in his speech against CISA. And, for whatever reason, Whitehouse's amendment has been pulled from consideration and Whitehouse is seriously pissed off about it.

He went on the Senate floor to directly whine about it, even sarcastically calling out the "hidden pro-botnet, pro-foreign cyber criminal caucus" that somehow fought against the bill. Except it wasn't a "pro-botnet" anyone who killed the amendment. It was a lot of people who were quite reasonably concerned about what the amendment would do to the CFAA. And while it's true that Whitehouse improved the amendment from its originally really terrible state, it still was a bad amendment. Whitehouse goes on and on in has rant about who could possibly be "against" shutting down botnets or raising penalties for hacking into critical infrastructure, citing that "law enforcement" supports the bill. But, of course, that leaves out the other side entirely. And that's not the "pro-botnet, pro-foreign cyber criminal" caucus, but rather people who are well aware of how the CFAA has regularly been abused by law enforcement to bring charges against non-criminals, or to pile on charges on those committing minor offenses. Expanding all of that without stopping the potential for abuse only means the bill will be abused further.

Whitehouse continues to make a name for himself as one of the most technologically illiterate members of the Senate. Late last year he went on a rant about a totally made up Google search (the results did not show what he claimed they showed) and an equally made up Pirate Bay whose actual site did not show what Whitehouse pretended it showed. He also was strongly in favor of backdooring encryption, arguing that if Apple doesn't backdoor encryption, perhaps it will be opening itself up to a lawsuit when the FBI can't track down a kidnapper (ignoring all the times that such encryption would actually protect people). This push to expand the CFAA and then whining about pushback on the Senate floor is only adding to his reputation as one of the most anti-tech industry Senators out there.

And, of course, for all the show on the floor, it's not like the Amendment is dead anyway. As Marcey Wheeler notes in her post (linked above), there's still a good chance that his CFAA amendment will be brought back into the bill when the House and Senate conference to resolve differences in the bills across houses.

Filed Under: botnet caucus, botnets, cfaa, cisa, cybersecurity, hacking, sheldon whitehouse

FBI Hijacks Botnet, With Court Order... Then Issues Kill Signal To Millions Of Computers

from the good-samirtan-hacking? dept

For years there's been talk about the value of "good samaritan" viruses or botnets, that would go out and try to delete or kill of "bad" viruses or botnets. Lots of computing experts have, reasonably, warned that the unintended consequences of such an action could be large and dangerous. Apparently, the FBI figures, why not test it out anyway? In a rather surprising move, the FBI was able to get a court order that allowed it to effectively hijack a large botnet, involving millions of computers, and send a "stop" command to all of those PCs that would disable the malware (called Coreflood).

While there are obviously good intentions here, and it's definitely a good thing to see a large malicious botnet go dark, there still are really serious concerns about this move, the legality of the move, and the risk of unintended consequences. Do we really want to set a precedent where the FBI can send commands remotely to millions of computers? And how confident are people that the FBI's programming skills won't cause problems, if not this time, at some point in the future? In the filing requesting the right to do this, the FBI even pointed out that a newer version of Coreflood had been released that morning "but that the FBI had tested the kill command against that variant and it had worked successfully." Of course, testing in the lab and deploying to millions of machines in the real world is entirely different. There are also concerns that this is an ongoing effort, since Coreflood apparently reruns every time a machine is rebooted, meaning that the FBI will have to keep sending this kill signal. And while the FBI swears up and down "that this would cause no harm to computers," how confident are you that this is really the case?

Again, I recognize the importance of trying to stop botnets and take them down. Additionally, there don't appear to be any early reports of trouble or unintended consequences from this move. But... when dealing with something like this, where the FBI is sending execution commands to millions of PCs, you have to assume that sooner or later, something bad is going to happen. Does the FBI have a technical support helpdesk to help your grandparents when it kills their computer?

Filed Under: botnets, coreflood, fbi, hijack

Did The BBC Break The Law By Exposing Botnets?

from the but-we-didn't-mean-any-harm dept

A TV show on the BBC is highlighting the ongoing problem of botnets -- by acquiring one of its own and using other people's computers in it to mount a DDOS attack on a security company's web site. The BBC says it had the security company's approval to do so, and that it didn't have any criminal intent, making its action legal. But some people aren't so sure, and say that intent doesn't offer a way out under British computer law. A tech lawyer says it's unlikely the broadcaster will face prosecution because there wasn't any real harm done, but those whose computers were used in the attack might disagree and view the methods used to make a point about computer security as a bit extreme.

Filed Under: botnets
Companies: bbc

Washington Post Story Convinces Service Providers To Pull The Plug On Major Spam Enabler

from the but-where-do-they-go dept

We're seeing a bunch of folks pointing out that evidence collected by the Washington Post's computer security writer, Brian Krebs, is basically responsible for getting that company kicked off the internet. Krebs is a fantastic reporter, so I don't doubt the story -- but I'm always a little skeptical of stories claiming that a huge percentage of spammers have been knocked offline. We see such stories every few months, and it never seems to have any real impact on the amount of spam out there. Just last month there was a report claiming that the world's largest spam operation was shut down, but the actual amount of spam flowing across the network did not decrease.

This case is a little different, in that it didn't shut down the spammers themselves, but rather a hosting company that apparently many of the largest zombie botnets relied on. However, it seems quite likely that they'll find some other hosting company that will gladly take them on and everything will be up and running again. That's not to say it's bad that these guys get taken down -- but at some point people should realize this seems like a big game of whack-a-mole, and there may be better, more efficient ways to tackle the problem.

Filed Under: botnets, hosting, shut down, spam, spam ring
Companies: mccolo, washington post

Huge Spam Ring Shut Down... But Will It Make A Difference?

from the we'll-see dept

Every so often, we see a random news story about authorities somehow arresting or shutting down some huge spam ring, and every time the articles are peppered with quotes about just how big the operation is and how much spam they send out. And, yet, every time, it never seems to do very much to dent the amount of spam that's being sent. So, again, with this week's big spam bust, all the numbers and explanations sound impressive. 35,000 computers in a botnet. Able to send 10 billion (billion, with a b) spam messages per day. The leading source of spam online in January (what, only January?). These all sound impressive, but the real question should be whether or not this does anything to decrease spam. Or will others just as quickly jump in to fill the breach?

Filed Under: botnets, shut down, spam, spam ring

Botnet vs. Botnet: Can A Good Botnet Block A Bad One?

from the battle-of-the-botnets dept

Last year we wrote about how rival online scammer gangs had their botnets fighting each other by disabling trojans of competing botnets on their computers -- but it appears that some researchers have a different idea for creating a "good" botnet to fight the "bad" botnets being used for denial of service attacks (found via Slashdot). This is quite different than some older proposals to create "good worms" that go about automatically patching infected machines (which are wide open to abuse). Instead, the idea is rather creative. It involves setting up a distributed system of computers that effectively act as a way station for connect requests -- which then wait for the actual server to request the inbound requests. This prevents the server from being overloaded (though, I would imagine it could slow down access somewhat). Either way, it's nice to see efforts under way to stop such zombie botnets. Hopefully someone isn't sitting on a patent for such an idea and waiting to sue, like we've seen with other security measures.

Filed Under: botnets, denial of service, zombies

Is It A Good Idea To Violate The Security Of Your Customers If They're Security Ignorant?

from the asking-for-serious-trouble dept

Rich Kulawiec writes in to point out that security expert Dan Geer is suggesting that merchants violate the security of customers they deem as security risks. His argument is, basically, that there are two types of users out there: those who respond "yes" to any request -- and therefore are likely to be infected by multiple types of malware doing all sorts of bad things -- and those who respond "no" to any request, who are more likely to be safe. Thus, Geer says merchants should ask users if they want to connect over an "extra special secure connection," and if they respond "yes," you assume that they respond yes to everything and therefore are probably unsafe. To deal with those people, Geer says, you should effectively hack their computer. It won't be hard, since they're clearly ignorant and open to vulnerabilities -- so you just install a rootkit and "0wn" their machine for the duration of the transaction.

As Kulawiec notes in submitting this: "Maybe he's just kidding, and the sarcasm went right over my (caffeine-starved) brain. I certainly hope so, because otherwise there are so many things wrong with this that I'm struggling to decide which to list first." Indeed. I'm not sure he's kidding either, but the unintended consequences of violating the security of someone's computer, just because you assume they've been violated previously are likely to make things a lot worse. This seems like a suggestion that could have the same sort of negative unintended consequences as the suggestion others have made about creating "good trojans" that go around automatically closing the security holes and stopping malware by using the same techniques employed by the malware. Both are based on the idea that people are too stupid to cure themselves, and somehow "white hat" hackers can help fix things. Now, obviously, plenty of people do get infected -- but using that as an excuse to infect them back, even for noble purposes, is only going to create more problems in the long run. Other vulnerabilities will be created and you're trusting these "good" hackers to do no harm on top of what's been done already, which is unlikely to always be the case. No, security will never be perfect and some people will always be more vulnerable -- but that shouldn't give you a right to violate their security, even if for a good reason.

Filed Under: botnets, computers, dan geer, rootkits, security, vulnerabilities

Do ISPs Ignore Security Researchers Who Point Out Zombied Machines?

from the not-such-a-good-thing dept

Over the last few years, we've all heard stories about how organized crime groups have taken to using botnets of "zombied" computers to run all sorts of scams and spam campaigns. ISPs have been somewhat slow to react. While they try to use fairly blunt instruments, like cutting off certain ports, many don't seem to have a very good process in place for tracking down and stopping customers whose machines have become unwitting members in a botnet. In fact, security researchers are growing frustrated that when they come across evidence of a hijacked computer, ISPs don't respond at all when told that a customer is causing trouble. There certainly are a few ISPs that are careful to help get rid of botnets, doing things like quarantining or cutting off certain users from their internet access until their machines are cleaned up, but most of the bigger ISPs don't appear to do very much at all. Of course, there is the other side of this story -- which is that when ISPs may be too proactive, it can often snag people whose machines aren't actually doing anything wrong. But, it certainly seems like completely ignoring reports with evidence of a botnet may be going to the opposite extreme.

Filed Under: botnets, isps, zombies