Two reports this week from security vendors emphasize the need for administrators to change default passwords on all devices in their environments or risk them being turned into arms of a botnet.
First, Sophos says a new distributed denial of service (DDoS) botnet has been formed by targeting Internet-facing SSH servers for remote access on Linux-based systems.
Also this week Netscout released an interesting analysis of passwords used for brute force attacks found in varieties of the Murai botnet which may offer threat analysists interesting clues (see below).
The new botnet has been dubbed Chalubo by Sophos because it encrypts both the main bot component and its corresponding Lua script using the ChaCha stream cipher. “This adoption of anti-analysis techniques demonstrates an evolution in Linux malware,” says Sophos, “as the authors have adopted principles more common to Windows malware in an effort to thwart detection. Like some of its predecessors, Chalubo incorporates code from the Xor.DDoS and Mirai malware families.”
When Chalubo downloaders started circulating in late August, the attacker issued commands on the victim’s device to retrieve the malware. It had three components: A downloader; the main bot (which initially ran only on systems with an x86 processor architecture); and the Lua command script. As of mid October, the attacker had been issuing commands that retrieve the Elknot dropper (detected as Linux/DDoS-AZ), which in turn delivers the rest of the Chalubo package.
There are now a variety of Chalubo versions that run on different processor architectures, including both 32- and 64-bit ARM, x86, x86_64, MIPS, MIPSEL, and PowerPC.
Because Chalubo infects systems by leveraging common username and password combinations against SSH servers, Sophos urges sysadmins of SSH servers (including embedded devices) change any default passwords on those devices, because the brute force attempts to cycle through common, publicly known default passwords. If possible, it’s preferable to use SSH keys instead of passwords for logins.
The Netscout report looks at the password/username combinations that are included in botnet code and used in brute force attacks on devices. When a device is compromised it gets used to help spread the attack to others.
Using the factory-installed usernames and passwords that come with Internet of Things devices — anything from surveillance cameras to industrial controllers — is a “winning strategy” for botnet creators, says the report. For example, among the top five combinations are admin/admin and guest/12345. “Botnet operators with the best list will produce the larger botnet and obtain superior firepower for launching DDoS attacks,” the report says.
Botnets randomly choose an IP address to attack and work through their list of usernames and passwords until either giving up or infecting the targeted device. But there are regional patterns, says Netscout, after analyzing data collected in September from botnets that contacted its honeypot. These patterns suggest devices that are common in one country are more likely to be successfully attacked than others if their default password is on the botnet list and hasn’t been changed. That might suggest to admins which devices are most vulnerable.
For example, an unusual username/password combination seen in a botnet coming from Russia is root/20080826. That’s the seventh most common combination seen there, although world-wide it was the 91st. Whatever device uses that combination is very vulnerable, and more common in Russia than the rest of the world.
Similarly, in a botnet coming from Canada, an unusual combination is root/xmhdipc. That’s the ninth most common combo on that botnet’s list but only 30th in the world. Again that suggests there are a lot of devices here using that combination of default username/password. An internet search suggests it’s a home or office surveillance camera.
In an interview Netscout security research analyst Matthew Bing noted that botnet builders are always adding to their username/password lists. The Murai botnet originally came with a list of 1,065 combinations. Just over 1,000 username/password combos have been added. Attackers who re-use the Murai code have their own lists.
Having the administrator interface of IoT devices accessable to the open Internet instead of being protected by a firewall or home router is still a big problem, he said, in addition to not changing default passwords where possible.
