[Cryptography] Anyone else seeing an uptick in infected IoT devices? New botnet?

Hanno Böck hanno at hboeck.de
Wed Dec 7 13:13:43 EST 2016


Several people have already pointed out Mirai, but to give a bit more
context: There is a SOAP script injection vuln that affects a lot of
routers/modems, this one:
https://devicereversing.wordpress.com/2016/11/07/eirs-d1000-modem-is-wide-open-to-being-hacked/

(The description is for one specific brand, but it seems it affects a
variety of devices)

And there's currently a Mirai variant that uses this bug to infect
devices.

You can observe this botnet pretty easily: Just let netcat listen on
port 7547 and you'll see an attack payload pretty quickly.

It was first thought that the Telekom outage was because the routers
were part of that botnet. However, it turned out they were not, but they
had another bug that let their network stack malfunction if lots of
connections arrive on port 7547. So the Telekom outage was kinda a
side effect of that botnet activity.

-- 
Hanno Böck
https://hboeck.de/

mail/jabber: hanno at hboeck.de
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42
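
The following is an added example, not part of the original post: a small triage function for requests captured by a listener on port 7547, which flags SOAP field values containing shell metacharacters. The sample request, its path, action and element names are constructed placeholders.

```python
import re
import xml.etree.ElementTree as ET

# Sequences that let a field value break out into a shell command.
SHELL_META = re.compile(r"`|\$\(|;|\||&&")

def split_http(raw: bytes):
    """Split a raw HTTP request into (request line, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def suspicious_soap_fields(raw: bytes):
    """Return [(element, value)] for SOAP text nodes with shell metacharacters."""
    request_line, headers, body = split_http(raw)
    if not request_line.startswith("POST ") or "soapaction" not in headers:
        return []
    # The body is hostile input: refuse DTDs/entities instead of expanding them.
    if b"<!DOCTYPE" in body or b"<!ENTITY" in body:
        return [("<dtd-rejected>", "")]
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return [("<unparseable>", body[:80].decode("latin-1"))]
    hits = []
    for elem in root.iter():
        text = (elem.text or "").strip()
        if text and SHELL_META.search(text):
            hits.append((elem.tag.split("}")[-1], text))
    return hits

# Constructed sample (not a real capture); path, action and fields are made up.
SAMPLE = (
    b"POST /example HTTP/1.1\r\nHost: 192.0.2.10:7547\r\n"
    b"SOAPAction: urn:example:service#ExampleAction\r\n"
    b"Content-Type: text/xml\r\n\r\n"
    b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/"><s:Body>'
    b"<ExampleAction><ExampleField>`echo constructed`</ExampleField>"
    b"<Other>pool.example.org</Other></ExampleAction></s:Body></s:Envelope>"
)

if __name__ == "__main__":
    for element, value in suspicious_soap_fields(SAMPLE):
        print(f"suspicious value in <{element}>: {value!r}")
```
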