An IoT botnet has been commandeered by white hats after its controllers used a weak username and password combination for its command-and-control server.
Ankit Anubhav, of Newsky Security, said researchers with the company were able to take over the MySQL server used to control the Owari botnet – thanks to its creator leaving port 3306 open and the username and password as root.
"Mirai botnet was designed to set up a MySQL server for the command and control containing three tables, namely users, history, and whitelist," explained Anubhav.
"While IoT botnets have evolved and many of them have different attack vectors, most of them still retain this tried and tested MySQL server structure, and Owari is no exception to this."
Ironically, Anubhav points out, both Mirai and Owari themselves are able to infect Internet-of-Things devices by brute-force guessing passwords and taking advantage of default credentials in the appliances. Apparently, that weakness extends to the botnet's command infrastructure as well.
New Mirai botnet species 'Okiru' hunts for ARC-based kitREAD MORE
As the MySQL server was left wide open, the researchers were able to take a peek into the inner workings of the army of hacked gadgets. Among other things, they noted, was that the Owari botnet maintained a list of customers who each had their own logins, allowing those who paid the owner to set up and run their own attacks for a predetermined amount of time.
Anubhav was also able to spot a history list, including a set of logs that indicated many of the DDoS attacks launched by the botnet were efforts to take out competing operators.
Sadly, Anubhav explains, getting access to the command and control server didn't bring about an immediate and swift end to the entire botnet.
"Sadly, it’s not such simple in case of most IoT botnets as these [command and control] related IPs already have a very low shelf life (on an average, a week)," the researcher writes
"Botnet operators are aware that their IPs will be flagged soon due to the bad network traffic. Hence to stay under the radar, they often voluntarily change attack IPs." ®