Section One BBS

Subject: Another Interesting Error... Date: Thu Oct 06 2016 09:38 am
From: mark lewis To: Janis Kracht

05 Oct 16 16:48, you wrote to me:

 >>> I switched to a different telnet port.. I've probably got maybe a week
 >>> before the 'sniffers' find it <g>.

 >> they shouldn't... at least not the bots... they're simply not designed
 >> for that... generally speaking, all they do is go after the stuff on
 >> default ports with default user names and passwords...

 JK> Heh, that is true.. wasn't thinking of that ... I was thinking some
 JK> evil sh_t in a devils costume running sniffer software <Just kidding>
 JK> But you are absolutely right.

a lot of us tend to think like that... that we're under specific targeting but 
we're not... i know what you mean as i used to do the same thing way back...
until i got more and more into network security and had that epiphany that they 
don't care and there's no time for them to sit and manually hack on systems...
maybe some special ones but they just let the scripts do most of that to find a 
way in... once they're in, they tell the critter what to download and send
out... at that point it is nothing but a bot talking to a CnC...

 >> in the case of MIRAI, it also looks on port 2323 because that's a
 >> default port for some of the DVRs, cameras and other IoT stuff they are
 >> targeting... now that the source code has been released, this may
 >> change...

 JK> Glad I didn't use that port <g>

hahaha... it doesn't really hurt all that badly ;) ;) ;)

 >> FWIW: MIRAI is not the only game in town hunting down IoT devices...
 >> there is at least one other... MIRAI actually goes as far as killing
 >> off other services in the device to prevent other infestations from
 >> getting in... that also removes the admin GUI so if someone is going to
 >> try to do something with their device and they can connect to it,
 >> they'll turn it off and back on which dumps MIRAI from memory and the
 >> device is clean for a few minutes until it gets scanned again and the
 >> owner hasn't changed the default password...

 JK> Insane crap you have to think of these days.

have you seen the source code, yet? i'm not convinced that this is the code to
the critter i've been tracking but it is apparently close... the one i've been
tracking does the MIRAI thing but newer code has been doing ECCHI... i've not
seen any ECCHI at all... the sources i have show ECCHI plus VDOSS... the last i 
suspect is a clue to the vDOS DDOS for hire site that krebs wrote about...
maybe, maybe not... when the two young owners of vDOS were arrested and
questioned by the FBI, the MIRAI traffic fell off for a week or so...

one thing is obvious, though... whoever it is is into japanese culture or at
least anime... mirai means "future"... toyota has a vehicle with this name that 
they advertise as "the turning point"... this critter may very well be an
indicator of that unless the "Internet of Targets" industry pulls their heads
out of their nether regions and starts with security first to which they then
add on other features of their devices... i mean, who imagines their web cams,
DVR or even their TV as being part of a botnet and attacking others???

)\/(ark

Always Mount a Scratch Monkey
Do you manage your own servers? If you are not running an IDS/IPS yer doin' it
wrong...
... If you're gonna use taglines, at least write yer own! (c)
---
 * Origin:  (1:3634/12.73)
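The message above describes what the IoT bots actually do: sweep the default telnet port and the 2323 alternative across many addresses, then try default credentials. The defender's counterpart is to notice that sweep in the perimeter firewall log. The following is an added example and not code from this thread or from either poster; it assumes iptables-style LOG lines (the SRC=/DST=/DPT= field names are the usual iptables ones) and uses constructed sample lines with documentation-range addresses.

```python
"""Flag hosts sweeping the default telnet ports (23 and 2323) in firewall logs.

Added example for this thread; not code from the original post. The log lines
below are constructed in iptables LOG format (an assumption about what a home
router or Linux gateway would write); the addresses are documentation ranges.
"""
import re
from collections import defaultdict

TELNET_PORTS = {23, 2323}      # default telnet port and the DVR/camera alternative
MIN_DISTINCT_TARGETS = 2       # one source hitting >= 2 destinations on these ports = sweep

# Constructed sample: one sweeping host (three targets), one internal admin
# session to a single host on port 23, and one unrelated probe on port 22.
SAMPLE_LOG = """\
Oct  6 09:01:11 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.10 PROTO=TCP SPT=44121 DPT=23 SYN
Oct  6 09:01:12 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.11 PROTO=TCP SPT=44122 DPT=2323 SYN
Oct  6 09:01:13 gw kernel: IN=eth0 OUT= SRC=198.51.100.7 DST=192.0.2.12 PROTO=TCP SPT=44123 DPT=23 SYN
Oct  6 09:02:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=192.0.2.10 PROTO=TCP SPT=50110 DPT=23 SYN
Oct  6 09:03:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=TCP SPT=39000 DPT=22 SYN
"""

FIELD_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return (src, dst, dport) for a TCP iptables LOG line, or None if it does not match."""
    m = FIELD_RE.search(line)
    if not m or m.group("proto") != "TCP":
        return None
    return m.group("src"), m.group("dst"), int(m.group("dpt"))


def find_telnet_sweepers(log_text, min_targets=MIN_DISTINCT_TARGETS):
    """Map each source that touched >= min_targets distinct hosts on 23/2323 to its sorted target list.

    A single admin connecting to one device is below the threshold; a bot
    walking the address space on the telnet ports is not.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, dst, dport = parsed
        if dport in TELNET_PORTS:
            targets[src].add(dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_telnet_sweepers(SAMPLE_LOG).items():
        print(f"{src} swept telnet ports on {len(dsts)} hosts: {', '.join(dsts)}")
```

Run it against a real kernel log (with the `--log-prefix` of your own LOG rule, if you use one) and the only sources that surface are the ones walking your address space on 23/2323; the distinct-destination threshold is what keeps a legitimate admin session to one device out of the result.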

In Reply To: Another Interesting Error... (Janis Kracht)