Hacker News new | past | comments | ask | show | jobs | submit login
Mirai Botnet Client, Echo Loader and CNC source code (github.com/jgamblin)
86 points by myautsai on Oct 22, 2016 | hide | past | favorite | 45 comments

This thing's strategy for finding machines to take over is so simple it's embarrassing. It tries to open an unencrypted Telnet connection to random IP addresses. If it gets a response, it tries the following username/password combinations:

    root     xc3511
    root     vizxv
    root     admin
    admin    admin
    root     888888
    root     xmhdipc
    root     default
    root     juantech
    root     123456
    root     54321
    support  support
    root     (none)
    admin    password
    root     root
    root     12345
    user     user
    admin    (none)
    root     pass
    admin    admin1234
    root     1111
    admin    smcadmin
    admin    1111
    root     666666
    root     password
    root     1234
    root     klv123
    Administrator admin
    service  service
    supervisor supervisor
    guest    guest
    guest    12345
    guest    12345
    admin1   password
    administrator 1234
    666666   666666
    888888   888888
    ubnt     ubnt
    root     klv1234
    root     Zte521
    root     hi3518
    root     jvbzd
    root     anko
    root     zlxx.
    root     7ujMko0vizxv
    root     7ujMko0admin
    root     system
    root     ikwb
    root     dreambox
    root     user
    root     realtek
    root     00000000
    admin    1111111
    admin    1234
    admin    12345
    admin    54321
    admin    123456
    admin    7ujMko0admin
    admin    1234
    admin    pass
    admin    meinsm
    tech     tech
    mother   fucker
That's it.

Deploying millions of devices with fixed passwords that dumb is clear evidence of gross negligence on the part of IoT device manufacturers. If this gets to court, some lawyer is going to enter that list as evidence and read it to a jury.

"That's the kind of combination an idiot would have on his luggage!" - Spaceballs

LOL it's missing "admin/ztonpk, admin/tzlkisonpk, telekom/telekom" which are default passwords for root access on Telekom Serbia's modems (7-8 million devices including IPTV STBs)... It's so stupid I have to use their shitty modem and can't change the pwd because they occasionally flash new firmware to it and reset everything to default, because that's how they configure the xDSL settings.

so true.

Oh crap. That has like two of my passwords in there.

Dammit, I thought we solved this 10+ years ago when home router manufacturers finally started printing unique passwords on the base of the product.

I cannot wait for some type of top-down pressure to force IoT developers to take security seriously. The movement has been pushed into overdrive thanks to insane levels of competition where you either crush your R&D into the smallest breakneck period or you live to see your creation being sold for half of what your budget can allow by other firms lifting your efforts while you're still at the workbench.[1]

I've been getting cozy with Shenzhen-based hardware accelerators for the past year as part of a personal side-venture and I have not seen a group so pressured to deliver a product as fast as possible with security being a casual afterthought. To get a decent taste of what it's like, I wholeheartedly recommend WIRED's Future Cities documentary on Shenzhen and the companies that dwell there.[2] Their struggles for ephemeral market-share are endemic of the entire community that's taken over embedded hardware for the past few years.

The saddest aspect of it all is that this market competition isn't benefiting the consumer. IoT devices are coming out of the factories poorly engineered, badly maintained for far too short of a time, and as we've learned from this attack, being used as vectors for network intrusion and distributed censorship. Even arduino founder Massimo Banzi's widely-lauded IoT Manifesto[3] fails to approach any comprehensive statement regarding a dev's responsibility to build in some level of security to their devices.

It just isn't part of the fast-and-loose culture that has been bred by trend-setting companies with unlimited budgets making bad decisions from the very start.[4] In addition, the if-you-can't-beat-'em-join-'em attitude the West has taken towards churning out hardware devices as fast as they can before jumping to the next IoT piece of junk before the ripoffs can hurt them is really disappointing as it prevents any considerable effort from going into a device pre-and-post release.

All in all, the IoT community is not going to change their priorities unless someone very powerful forces them to and it can't happen soon enough.

[1] http://qz.com/771727/chinas-factories-in-shenzhen-can-copy-p...

[2] https://www.youtube.com/watch?v=SGJ5cZnoodY (This is over an hour long but very worth it)

[3] https://create.arduino.cc/iot/manifesto/

[4] https://techcrunch.com/2014/01/06/nest-4-0-firmware-battery-... & again in 2016 http://www.nytimes.com/2016/01/14/fashion/nest-thermostat-gl... I'm not going to even touch the dropcam and IoT smoke detector.

> the IoT community

I hate this phrase. It's not like a bunch of people gathered and said "let's make shitty IoT stuff!". It's not a "community", there aren't groups around advocating against security best practices.

If anything the actual community around IoT stuff takes security more seriously than most HNers.

The problem is the companies and manufacturers that aren't part of the community.

And I take issue with your [4]. That has nothing to do with security. It was a glitch, and it happened, and I personally don't like Nest as a company very much and think they make pretty shitty products, but they take security seriously, and in a discussion about IoT security linking a non-security related software bug serves no purpose. Everything has bugs, that doesn't mean it's absolute shit when something goes wrong.

Your [3] is also incorrect. The Arduino IoT Manifesto's second point is that a dev should make sure their product can be updated, and even if it's abandoned it should be able to be repurposed in something else, or updated by someone else.

What's up with 7ujMko? That one seems really secure.

It's a simple pattern on a QWERTY keyboard. 7UJM and MKO are each on a diagonal path.

It doesn't matter how "secure" a password is if it's known. Quite a few vendors ships devices with a common factory password, stated in the manual. And people put those on ther internet.

Hardcoded in some "firmware example" supplied by the vendor, someone REd the firmware and published the password on his blog, and then it was discovered by the author(s) of this malware.

then the jury will find that offending, because 8 of them have passwords like that ;)

There is an irc snippet in the source - https://github.com/0x27/linux.mirai/blob/master/dlr/release/...

From the full mirror linked below

Glad to see these are American hackers and not Russian.

https://github.com/0x27/linux.mirai/blob/master/mirai/prompt... looks awfully Cyrillic to me, anybody know what it means?

"I love chicken nuggets"

This source is incomplete. See https://github.com/0x27/linux.mirai for a full mirror of the release.


Question for the C folks. The author seems to have reimplemented functions such as strlen, memcpy, and atoi in 'bot/util.h' instead of using the stdlib. Anyone know why?


Because you cannot rely on some chintzy IoT device to have dynamically loadable libraries. In all likelihood, they don't. But let's assume they do have loadable stdlib, would would you trust the integrity of your botnet to dozens of poorly designed IoT devices?

You can statically link the binary you build, doesnt mean you need to reimplement.

But it is easier to copy/paste those few functions rather than play with static libc and then making sure all the other functions don't get linked into the final binary.

Don't most of these IoT devices usually run Linux though?

Sure, but many of them only contains a static busybox binary and no libc.

Remember that this target IoT devices, where diversity is much higher than it would be for desktops or servers. the build scripts shows the targeted architectures:

i586 mips mipsel armv4l armv5l armv6l powerpc sparc m68k sh4

I believe not all embedded systems have the c stdlib.

Not the reason. Especially when the author includes headers like: #include <stdlib.h> #include <unistd.h> #include <sys/socket.h> #include <arpa/inet.h> #include <linux/ip.h> #include <linux/udp.h> #include <errno.h> #include <fcntl.h>

Could someone please illustrate a concrete example of how having the password to my camera (assuming it has an routing through NAT) can be used to generate outbound traffic?

I have five cameras set up with NAT port holes. My passwords are (I believe) secure. But even if they were on the list, how could that be used to generate outbound traffic to DDoS someone? Presumably, only by a further vulnerability in the firmware.

In all the media / HN coverage, even with the release of Mirai source, I have yet to see a concrete example of a brand/model of camera/DVR who's firmware is exploitable. Let alone a list of models that are.

One exception: The D-Link DCS-930L[1] has a known vulnerability.

[1]: https://www.exploit-db.com/exploits/39437/

Edit: Okay, if you can get in on telnet, then nevermind; you're p0wned. But if you're a webcam on port 8080, what is the attack vector?

I'm just happy to see that kids these days still say "greetz" in their github/BBS posts these days.

Or maybe this is a greybeard hacker?

The IoT devices can be accessed over telnet. Out of curiosity: Is there a self destruct command? or a way to make one?

It seems to me that destroying the vulnerable devices would solve the DDoS problem and gives a big kick in the face of the affected manufacturers plus a good press coverage.

This was my exact thought. If we have the source code, it seems as if it wouldn't be too hard to make our own version which seeks and destroys other versions, possibly patching the system, or at least changing the password to be something secure.

Is there a reason this can't be done? (Other than a legal reason, which hackers don't tend to care too much about.)

What does "CNC" stand for in this context?

Command and control

The whole focus on IOT and random individual devices on the network seems misplaced. If all it takes is misconfiguration of random devices that join the network to take it down then you have a larger problem than these devices.

Since there is no way to police this and 'wack a mole' for billions of devices is not a practical strategy this security focus on IOT devices while nice does not address the core problem of vulnerable networks and ddos. It distracts and diverts from it.

True, but there's conversely a whole bunch of problems associated with the scandalous lack of security wrt many IoT devices, that aren't anything to do with DDoS. I wonder how many people are being watched as we speak.

Is there a page somewhere that maps these passwords to corresponding devices? Essentially a list of what devices are affected by this botnet? I don't think anything I own is affected, and I monitor my network pretty closely, but would like to double check. And make sure not to buy any of them either.

So this was dumped 20 days ago, and now we've got a fairly large outage taking place.

In other words, it could have been anyone?

Misdirection? Maybe that is what we are meant to think.

Would it be illegal to innoculate IoT devices by forking Mirai and then changing each vulnerable device's default password to a random choice of high entropy?

IANAL, but I'm pretty sure the answer to that is "yes". It would set a terrible precedent by authorising vigilantism, and I'm not sure how you would define "vulnerable" under the law.

Doesn't this brick the device from the user's perspective?

In many cases, sure, but there is usually an easy way to reset such a device back to its factory defaults.

I think the headline there, "Mirai Botnet Client, Echo Loader and CNC source code", is more descriptive and suitable than the current title.

"Mirai" is a rather generic name; for a moment I was wondering if it was related to the https://en.wikipedia.org/wiki/Toyota_Mirai ...but it did make me click to find out.

What is the origin of the name?

I assumed (guessed) it was the last name of the "father of the internet" on Japan.

Mirai means future.

Applications are open for YC Winter 2022

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact