Boffin's anti-worm bot could silence epic Mirai DDoS attack army
And break every computer crime law along the way
A GitHub user going by Leo Linsky has forked a repo created by researcher Jerry Gamblin to create an anti-worm "nematode" that could help to patch vulnerable devices used in the massive Mirai distributed denial of service attack.
The nematode, a concept detailed by security researcher Dave Aitel [PDF], would fight back against the massive internet-of-things botnet used in highly disruptive attacks against major web infrastructure, including DNS provider Dyn.
Some 100,000 internet-connected cameras, sensors and other devices with Telnet exposed are held to have downed Dyn.
On Friday, researcher Scott Tenaglia disclosed a stack buffer overflow vulnerability in the Mirai code that could be used to crash bots and so shut down Mirai attacks.
The nematode goes further: it can break into woefully insecure internet-of-things devices using the same default Telnet credentials Mirai abuses, and then change those credentials.
Doing so would lock Mirai and other malware users out of the devices, along with legitimate administrators.
"This is a purely academic research project intended to show a proof of concept anti-worm worm, or nematode, for the types of vulnerabilities exploited by Mirai," Linsky says.
"The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random.
"Such a tool could theoretically be used to reduce the attack surface."
Linsky says it is only for closed research environments and warns users to test at their own risk.
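The choice between a "device-specific" and a "random" replacement password decides whether the legitimate owner is locked out along with Mirai. The following Python is an added illustration of that design point, not code from Linsky's or Gamblin's repositories: it simulates the credential rotation over a constructed in-memory inventory (no Telnet connection is made) and derives each new password as HMAC-SHA256 over a per-device identifier under an operator-held master key, so whoever holds that key can recompute the password for any device. The default-credential list, the master key and the device identifiers are all constructed for the example.

```python
"""Added example: deterministic per-device password rotation for Telnet-exposed
IoT devices. Hypothetical code, not the nematode's own; it operates on a
constructed inventory rather than real devices."""
import hashlib
import hmac
import secrets
import string

# Constructed, illustrative subset of factory-default Telnet logins of the
# kind Mirai brute-forces. Not a complete list.
DEFAULT_CREDENTIALS = {
    ("root", "xc3511"),
    ("root", "vizxv"),
    ("admin", "admin"),
    ("root", "admin"),
    ("root", "123456"),
    ("admin", "1234"),
}

ALPHABET = string.ascii_letters + string.digits  # 62 printable characters


def is_default_credential(user: str, password: str) -> bool:
    """True if the pair is one of the known factory defaults."""
    return (user, password) in DEFAULT_CREDENTIALS


def derive_device_password(master_key: bytes, device_id: str, length: int = 20) -> str:
    """Device-specific password: HMAC-SHA256(master_key, device_id) encoded in
    base 62. The operator holding master_key can recompute it for any device,
    so rotating the credential does not lock the owner out."""
    digest = hmac.new(master_key, device_id.encode(), hashlib.sha256).digest()
    n = int.from_bytes(digest, "big")  # 256 bits; 20 base-62 digits use ~119
    out = []
    for _ in range(length):
        n, idx = divmod(n, len(ALPHABET))
        out.append(ALPHABET[idx])
    return "".join(out)


def random_device_password(length: int = 20) -> str:
    """Purely random alternative: locks Mirai out, but also anyone who did not
    record the value, which is the lockout problem the article describes."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def harden_inventory(devices: dict, master_key: bytes) -> dict:
    """Simulate the nematode's password change over an in-memory inventory.
    Devices still on a default login get a derived password; others are left
    alone. Returns the action taken per device id."""
    actions = {}
    for device_id, cred in devices.items():
        if is_default_credential(cred["user"], cred["password"]):
            cred["password"] = derive_device_password(master_key, device_id)
            actions[device_id] = "rotated"
        else:
            actions[device_id] = "left alone"
    return actions


def operator_can_login(devices: dict, device_id: str, master_key: bytes) -> bool:
    """The legitimate operator regenerates the password from the master key and
    the device id and compares it to what is now set on the device."""
    expected = derive_device_password(master_key, device_id)
    return hmac.compare_digest(expected, devices[device_id]["password"])


# Constructed sample inventory keyed by a device identifier such as a MAC address.
SAMPLE_DEVICES = {
    "00:11:22:33:44:55": {"user": "root", "password": "xc3511"},
    "00:11:22:33:44:66": {"user": "admin", "password": "admin"},
    "00:11:22:33:44:77": {"user": "admin", "password": "Str0ng-Un1que-Pw"},
}

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # operator-held master key (constructed)
    inventory = {k: dict(v) for k, v in SAMPLE_DEVICES.items()}
    print(harden_inventory(inventory, key))
    for dev in inventory:
        print(dev, "operator login ok:", operator_can_login(inventory, dev, key))
```

The HMAC derivation is the mitigation for the lockout problem: Mirai, which only knows the factory defaults, is shut out, while an administrator who holds the master key can still reach the device. A purely random password, as in `random_device_password`, has no such recovery path and is the variant that strands inexperienced users.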
Unleashing the nematode would breach computer crime laws in the US, UK, and Australia, and likely in many other countries where unauthorised use and modification of computer equipment is an offense.
It is not the first nematode. In 2003 an unknown author released the Welchia worm to clean up after the Blaster worm: it broke into infected Windows machines, removed Blaster, downloaded and installed the Microsoft patch, and then deleted itself.
A similar nematode appeared in December 2004 to patch phpBB installations against the Santy worm.
These nematodes are not without problems. Welchia caused headaches for IT managers by flooding networks with its own scanning traffic, and any anti-Mirai worm that sets passwords its owners do not know would lock inexperienced users out of remote access to their own devices. ®