An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.
Security expert Ankit Anubhav from Newsky Security discovered an IoT botnet that was controlled by an architecture poorly configured, the botmaster used weak credentials for the authentication to the command-and-control server.
The researchers exploited week configuration to take over the MySQL server used to control the Owari botnet, the author left port 3306 open allowing the authentication with “root” as username and password.
“We observed few IPs attacking our honeypots with default credentials, with executing commands like /bin/busybox OWARI post successful login. In one of the cases, a payload hosted on 80(.)211(.)232(.)43 was attempted to be run post download.
When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.” reads the blog post published by Ankit Anubhav.
“We tried to investigate more into this IP. To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind.
The situation is paradoxical considering that Mirai-based botnets, including Owari, spread through Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials.
Database investigation conducted by the experts allowed the expert to discover a User table that contains login credentials for various users who will control the botnet. Some entries could be associated with botmasters or customers of the botnet
“User table contains login credentials for various users who will control the botnet. Some of them can be botnet creators, or some can simply be the customers of the botnet, a.k.a black box users, who pay a sum of money to launch DDoS attacks. Besides credentials, duration limit such as for how much time the user can perform the DDoS, maximum available bots for attack (-1 means the entire botnet army of the bot master is available) and cooldown time (time interval between the two attack commands) can also be observed.” continues the expert.
“In the specific Owari case, we observe one user with duration limit of 3600 seconds with permissible bot usage set as -1(maximum). It is to be noted that the credentials of all these botnet users are also weak.”
The expert also discovered a history table containing information on the DDoS attacks carried out against various targets. Some of the IP addresses targeted by the botnet were associated with rival IoT botnets.
Anubhav also investigated the revenue model behind the Owari botnet, he was able to reach a known Owari operator that goes online as “Scarface” that provided the following comment:
“For 60$ / month, I usually offer around 600 seconds of boot time, which is low compared to what other people offer. However, it is the only way I can guarantee a stable bot count.” explained Scarface.
“I can’t allow having 10+ people doing concurrent attacks of 1800 seconds each. Usually there is no cooldown on my spots. If I decide to give the cooldown, it’s about 60 seconds or less. 60$/month is not much but when you get 10–15 costumers per month it is enough to cover most of my virtual expenses”
Is this the end for the Owari botnet?
Of course no, even if the expert has taken over the MySQL database, botnet operators continuously change attack IPs to remain under the radar even when the malicious traffic associated to some of their IPs is detected.
The IPs reported in the analysis of the expert are already offline.
(Security Affairs – Owari botnet, cybercrime)