Mirai Botnet vs IoT: The “Internet of Things”

Wikipedia defines Internet of Things as:

The Internet of things (IoT) is the inter-networking of physical devices, vehicles (also referred to as “connected devices” and “smart devices”), buildings, and other items embedded with electronics, software, sensors, actuators, and network connectivity which enable these objects to collect and exchange data.

It’s basically any object that is connected to the internet. It can be anything from your smartphone, your Fitbit, your CCTV camera, DVR, or your home Wi-Fi router.

Most owners don’t bother changing the default usernames and passwords. In many cases, the default usernames and passwords are just too easy to guess. The most common ones are admin:admin, admin:password, admin:<blank>, admin:0000, user:user, root:12345 and support:support.

This well-known vulnerability has become an easy target for exploitation. Millions of devices have become susceptible to attack: attackers can easily gain access to these devices and add them to a botnet of IoT equipment, which can serve as an instrument for a DDoS (Distributed Denial-of-Service) attack on a particular victim network.

The Mirai botnet scans ports 23/2323 and 7547* and uses a brute-force technique to guess passwords, based on the following list:

  • root xc3511
    root vizxv
    root admin
    admin admin
    root 888888
    root xmhdipc
    root default
    root juantech
    root 123456
    root 54321
    support support
    root (none)
    admin password
    root root
    root 12345
    user user
    admin (none)
    root pass
    admin admin1234
    root 1111
    admin smcadmin
    admin 1111
    root 666666
    root password
    root 1234
    root klv123
    Administrator admin
    service service
    supervisor supervisor
    guest guest
    guest 12345
    guest 12345
    admin1 password
    administrator 1234
    666666 666666
    888888 888888
    ubnt ubnt
    root klv1234
    root Zte521
    root hi3518
    root jvbzd
    root anko
    root zlxx.
    root 7ujMko0vizxv
    root 7ujMko0admin
    root system
    root ikwb
    root dreambox
    root user
    root realtek
    root 00000000
    admin 1111111
    admin 1234
    admin 12345
    admin 54321
    admin 123456
    admin 7ujMko0admin
    admin 1234
    admin pass
    admin meinsm
    tech tech
    mother f**er [censored]

On port TCP 7547* – I find a lot of instances of home and business-grade modems that have this port open. I once talked to an Australian ISP, and they themselves were unable to tell me exactly what this port is used for, or why it is open. The easiest excuse they gave me is that this port is “reserved” for remote management, which by that purpose itself is a dangerous vulnerability. 😦 The option they gave us to mitigate the vulnerability was to replace that basic modem with a commercial-grade firewall that will be shouldered by the customer.

However, once Mirai gains access to a device, the botnet code is not stored on the device and can be purged by restarting the infected device. Well, that’s good news, at least. But more resilient and robust IoT botnets can be expected in the coming months, given the rising popularity and widespread use of IoT and users’ lack of awareness about getting rid of default usernames and securing their credentials, which includes setting stronger passwords.
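To spot this scanning pattern on your own network, the added example below (not code from the original post) reads login-attempt logs and flags sources that try several of the listed pairs on ports 23, 2323 or 7547. It also reports any device that accepted one of them, since that device needs a restart and new credentials. The log format, the function name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

MIRAI_PORTS = {23, 2323, 7547}  # ports the post says Mirai scans
# Subset of the user/password pairs listed in the post; "" stands for "(none)".
LISTED_PAIRS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "default"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("user", "user"), ("ubnt", "ubnt"), ("guest", "guest"),
}
# Assumed (hypothetical) honeypot/login-log format, one attempt per line.
LINE_RE = re.compile(
    r"^\S+ src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>ok|fail)$"
)
# Constructed sample input (documentation-range addresses, not real traffic).
SAMPLE_LOG = """\
2024-01-01T10:00:01Z src=203.0.113.7 dst=192.0.2.10 dport=23 user=root pass=xc3511 result=fail
2024-01-01T10:00:02Z src=203.0.113.7 dst=192.0.2.10 dport=23 user=root pass=vizxv result=fail
2024-01-01T10:00:03Z src=203.0.113.7 dst=192.0.2.10 dport=2323 user=admin pass=admin result=ok
2024-01-01T10:00:09Z src=203.0.113.7 dst=192.0.2.11 dport=23 user=root pass= result=fail
2024-01-01T10:05:00Z src=198.51.100.4 dst=192.0.2.10 dport=23 user=admin pass=S3cure-Long-Passphrase result=ok
2024-01-01T10:06:00Z src=198.51.100.9 dst=192.0.2.12 dport=22 user=root pass=root result=fail
2024-01-01T10:07:00Z src=198.51.100.9 dst=192.0.2.12 dport=23 user=guest pass=guest result=fail
"""

def find_default_credential_sweeps(log_text, min_pairs=3):
    """Flag sources that try >= min_pairs distinct listed pairs on Mirai ports.

    Returns {src: {"distinct_pairs": n, "default_logins": [(dst, user), ...]}}.
    Every (dst, user) entry is a device that still accepts a listed default.
    """
    tried = defaultdict(set)
    accepted = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or int(m["port"]) not in MIRAI_PORTS:
            continue  # unparseable line, or a port outside the Mirai set
        pair = (m["user"], m["pw"])
        if pair not in LISTED_PAIRS:
            continue  # not one of the listed default credentials
        tried[m["src"]].add(pair)
        if m["res"] == "ok":
            accepted[m["src"]].append((m["dst"], m["user"]))
    return {
        src: {"distinct_pairs": len(pairs), "default_logins": accepted[src]}
        for src, pairs in tried.items() if len(pairs) >= min_pairs
    }

if __name__ == "__main__":
    for src, finding in find_default_credential_sweeps(SAMPLE_LOG).items():
        print(src, finding)
```

The `min_pairs` threshold keeps a single mistyped default login from being flagged as a sweep; lower it for a honeypot that should never see legitimate logins.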
