
Mirai Botnet Client, Echo Loader and CNC source code - myautsai
https://github.com/jgamblin/Mirai-Source-Code
======
Animats
This thing's strategy for finding machines to take over is so simple it's
embarrassing. It tries to open an unencrypted Telnet connection to random IP
addresses. If it gets a response, it tries the following username/password
combinations:

        root     xc3511
        root     vizxv
        root     admin
        admin    admin
        root     888888
        root     xmhdipc
        root     default
        root     juantech
        root     123456
        root     54321
        support  support
        root     (none)
        admin    password
        root     root
        root     12345
        user     user
        admin    (none)
        root     pass
        admin    admin1234
        root     1111
        admin    smcadmin
        admin    1111
        root     666666
        root     password
        root     1234
        root     klv123
        Administrator admin
        service  service
        supervisor supervisor
        guest    guest
        guest    12345
        guest    12345
        admin1   password
        administrator 1234
        666666   666666
        888888   888888
        ubnt     ubnt
        root     klv1234
        root     Zte521
        root     hi3518
        root     jvbzd
        root     anko
        root     zlxx.
        root     7ujMko0vizxv
        root     7ujMko0admin
        root     system
        root     ikwb
        root     dreambox
        root     user
        root     realtek
        root     00000000
        admin    1111111
        admin    1234
        admin    12345
        admin    54321
        admin    123456
        admin    7ujMko0admin
        admin    1234
        admin    pass
        admin    meinsm
        tech     tech
        mother   fucker

That's it.

Deploying millions of devices with fixed passwords that dumb is clear evidence
of gross negligence on the part of IoT device manufacturers. If this gets to
court, some lawyer is going to enter that list as evidence and read it to a
jury.

_"That's the kind of combination an idiot would have on his luggage!"_ - Spaceballs

~~~
tomjen3
What's up with 7ujMko? That one seems really secure.

~~~
duskwuff
It's a simple pattern on a QWERTY keyboard. 7UJM and MKO are each on a
diagonal path.
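As an added example (not part of this thread or of the Mirai source), a small Python detector that checks login attempts in a telnet honeypot log against the credential pairs listed above and flags sources that cycle through them. The log format and the sample lines are constructed for the example; the credential subset is taken from the list in the post.

```python
import re

# Subset of the default credential pairs quoted from the Mirai scanner in the
# post above; "(none)" in that table means an empty password. Extend with the
# rest of the list as needed.
MIRAI_DEFAULT_CREDS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("ubnt", "ubnt"), ("root", "Zte521"), ("root", "hi3518"), ("root", "realtek"),
}

# Hypothetical honeypot log line: "<timestamp> <src_ip> login user=<u> pass=<p> result=<r>"
LOG_RE = re.compile(r"^(\S+) (\S+) login user=(\S*) pass=(\S*) result=(\w+)$")

# Constructed sample log (addresses are from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2016-10-21T13:00:01Z 198.51.100.7 login user=root pass=xc3511 result=fail
2016-10-21T13:00:02Z 198.51.100.7 login user=root pass=vizxv result=fail
2016-10-21T13:00:03Z 198.51.100.7 login user=admin pass=admin result=fail
2016-10-21T13:00:04Z 198.51.100.7 login user=root pass= result=fail
2016-10-21T13:00:09Z 203.0.113.5 login user=alice pass=S3cure!pw result=ok
2016-10-21T13:00:12Z 192.0.2.44 login user=root pass=7ujMko0admin result=fail
garbage line that should be ignored
"""


def is_mirai_default(user, password):
    """True if the (user, password) pair is in the Mirai dictionary above."""
    return (user, password) in MIRAI_DEFAULT_CREDS


def find_mirai_scanners(log_text, threshold=2):
    """Return {src_ip: hits} for sources that tried at least `threshold` distinct
    Mirai default pairs. Counting distinct pairs rather than raw attempts separates
    a scanner walking the table from a user retyping one password."""
    seen = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the scan
        _ts, src, user, password, _result = m.groups()
        if is_mirai_default(user, password):
            seen.setdefault(src, set()).add((user, password))
    return {src: len(pairs) for src, pairs in seen.items() if len(pairs) >= threshold}


if __name__ == "__main__":
    for src, hits in find_mirai_scanners(SAMPLE_LOG).items():
        print(f"{src}: {hits} Mirai default credential pairs tried")
```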

------
yyyyyyyyyyyy
There is an IRC snippet in the source -
[https://github.com/0x27/linux.mirai/blob/master/dlr/release/...](https://github.com/0x27/linux.mirai/blob/master/dlr/release/.build)

From the full mirror linked below

~~~
ianhawes
Glad to see these are American hackers and not Russian.

~~~
peller
[https://github.com/0x27/linux.mirai/blob/master/mirai/prompt...](https://github.com/0x27/linux.mirai/blob/master/mirai/prompt.txt)
looks awfully Cyrillic to me, anybody know what it means?

~~~
milankragujevic
"I love chicken nuggets"

------
Jeraimee
This source is incomplete. See
[https://github.com/0x27/linux.mirai](https://github.com/0x27/linux.mirai) for
a full mirror of the release.

~~~
Cyph0n
Thanks.

Question for the C folks. The author seems to have reimplemented functions
such as strlen, memcpy, and atoi in 'bot/util.h' instead of using the stdlib.
Anyone know why?

[https://github.com/0x27/linux.mirai/blob/master/mirai/bot/ut...](https://github.com/0x27/linux.mirai/blob/master/mirai/bot/util.h)

~~~
yes_or_gnome
Because you cannot rely on some chintzy IoT device to have dynamically
loadable libraries. In all likelihood, they don't. But let's assume they do
have a loadable stdlib: would you trust the integrity of your botnet to
dozens of poorly designed IoT devices?

~~~
justincormack
You can statically link the binary you build; that doesn't mean you need to
reimplement.

~~~
viraptor
But it is easier to copy/paste those few functions than to play with a
static libc and then make sure all the other functions don't get linked into
the final binary.

------
creeble
Could someone please illustrate a concrete example of how having the password
to my camera (assuming it has routing through NAT) can be used to generate
outbound traffic?

I have five cameras set up with NAT port holes. My passwords are (I believe)
secure. But even if they were on the list, how could that be used to generate
outbound traffic to DDoS someone? Presumably, only by a further vulnerability
in the firmware.

In all the media / HN coverage, even with the release of Mirai source, I have
yet to see a concrete example of a brand/model of camera/DVR whose firmware is
exploitable. Let alone a list of models that are.

One exception: The D-Link DCS-930L[1] has a known vulnerability.

[1]: [https://www.exploit-db.com/exploits/39437/](https://www.exploit-db.com/exploits/39437/)

Edit: Okay, if you can get in on telnet, then never mind; you're p0wned. But if
you're a webcam on port 8080, what is the attack vector?

------
scurvy
I'm just happy to see that kids these days still say "greetz" in their
GitHub/BBS posts.

Or maybe this is a greybeard hacker?

------
user5994461
The IoT devices can be accessed over telnet. Out of curiosity: is there a
self-destruct command, or a way to make one?

It seems to me that destroying the vulnerable devices would solve the DDoS
problem and give a big kick in the face to the affected manufacturers, plus
good press coverage.

~~~
christophilus
This was my exact thought. If we have the source code, it seems as if it
wouldn't be too hard to make our own version which seeks and destroys other
versions, possibly patching the system, or at least changing the password to
be something secure.

Is there a reason this can't be done? (Other than a legal reason, which
hackers don't tend to care too much about.)

------
dimino
[https://raw.githubusercontent.com/0x27/linux.mirai/master/po...](https://raw.githubusercontent.com/0x27/linux.mirai/master/post.txt)

This explains how it's used, etc.

------
adrianratnapala
What does "CNC" stand for in this context?

~~~
MasterIdiot
Command and control

------
throw2016
The whole focus on IoT and random individual devices on the network seems
misplaced. If all it takes is misconfiguration of random devices that join the
network to take it down, then you have a larger problem than these devices.

Since there is no way to police this, and 'whack-a-mole' for billions of
devices is not a practical strategy, this security focus on IoT devices, while
nice, does not address the core problem of vulnerable networks and DDoS. It
distracts and diverts from it.

~~~
oneeyedpigeon
True, but there's conversely a whole bunch of problems associated with the
scandalous lack of security wrt many IoT devices, that aren't anything to do
with DDoS. I wonder how many people are being watched as we speak.

------
Bedon292
Is there a page somewhere that maps these passwords to corresponding devices?
Essentially a list of what devices are affected by this botnet? I don't think
anything I own is affected, and I monitor my network pretty closely, but would
like to double check. And make sure not to buy any of them either.

------
dimino
So this was dumped 20 days ago, and now we've got a fairly large outage taking
place.

In other words, it could have been anyone?

~~~
blackguardx
Misdirection? Maybe that is what we are meant to think.

------
chowyuncat
Would it be illegal to inoculate IoT devices by forking Mirai and then
changing each vulnerable device's default password to a random choice of high
entropy?

~~~
omni
Doesn't this brick the device from the user's perspective?

~~~
chowyuncat
In many cases, sure, but there is usually an easy way to reset such a device
back to its factory defaults.

------
userbinator
I think the headline there, "Mirai Botnet Client, Echo Loader and CNC source
code", is more descriptive and suitable than the current title.

"Mirai" is a rather generic name; for a moment I was wondering if it was
related to the
[https://en.wikipedia.org/wiki/Toyota_Mirai](https://en.wikipedia.org/wiki/Toyota_Mirai)
...but it did make me click to find out.

~~~
konceptz
What is the origin of the name?

I assumed (guessed) it was the last name of the "father of the internet" in
Japan.

~~~
forthefuture
Mirai means future.

