Research Saturday 1.19.19
Ep 69 | 1.19.19

Luring IoT botnets to the honeypot.


Dave Bittner: [00:00:03] Hello everyone, and welcome to the CyberWire's Research Saturday presented by Juniper Networks. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:22] And now a quick word about our sponsor, Juniper Networks. They're empowering you to automate your security, see your networks, and protect your clouds. Juniper Networks has you covered, so your security teams can finally get back to fortifying your security posture. Learn more at, or connect with Juniper on Twitter or Facebook. That's And we thank Juniper for making it possible to bring you Research Saturday.

Dave Bittner: [00:00:59] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data - all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Matt Bing: [00:01:39] This really all started about two years ago now.

Dave Bittner: [00:01:41] That's Matt Bing. He's a security research analyst with NETSCOUT's ASERT team. The research we're discussing today is titled, "Dipping Into The Honeypot."

Matt Bing: [00:01:49] In late 2016, with this botnet called Mirai - and Mirai is a Japanese word that means "the future," and in many ways we're living in that future right now - what caught everybody's attention in 2016 was that the Mirai botnet was responsible for these really big DDoS attacks. In particular, attacks against DYN that brought down several of the DNS services for several major organizations.

Matt Bing: [00:02:15] And what made Mirai really unique - besides the DDoS firepower behind it - was that it targeted these Internet of Things, or IoT, devices. Basically, these small, underpowered computers that people used for things like video camera recorders. Essentially, what they are is, really, just these small, underpowered Linux boxes that are really good at being on the network and being able to generate network traffic, which makes them ideal for using them for DDoS.

Matt Bing: [00:02:43] But what made Mirai unique was that the way that it spread itself - the way it propagated to other IoT devices - was via brute-forcing these telnet usernames and passwords. So, telnet is, like, a very sort of antiquated remote administration tool. Sort of like SSH, but unencrypted. But it's not the fact that it's unencrypted that made IoT targets particularly attractive to Mirai - it's that these IoT devices sometimes will have hard-coded usernames and passwords set by the manufacturer, that would allow anybody that knows that username and password to be able to essentially get a UNIX shell.

Matt Bing: [00:03:22] So, what Mirai did, is basically just scan the Internet for these IoT devices that had telnet listening, and it had a list of sixty usernames and passwords, that if it found an open telnet service, it would go through these sixty usernames and passwords, try to log in, and if it's successful, it would download a copy of the Mirai binary, execute it, and then that device would essentially be conscripted in the botnet. And the botnet itself would check in with a command-and-control, and the command-and-control would tell it to, you know, launch a DDoS attack against this particular IP address, or whatever, and all the bots would simultaneously start attacking whatever the target was.

Matt Bing: [00:04:03] So, the research here that we were really interested in is since Mirai really hit the scene in 2016, and perhaps more importantly, the threat actors behind Mirai released the source code to Mirai, so basically anybody that had a modicum of technical skill could very easily build their own Mirai-like botnet.

Matt Bing: [00:04:24] And that's kind of what we've seen a lot in the past two years as these IoT bots sort of evolved, is that the threat actors are adding more and more usernames and passwords to different types of IoT devices - to their bots - to be more successful in propagating. And they're also sort of shifting tactics a bit. So, instead of just using telnet brute-forcing, they will also use exploits. So, for instance, if there a vulnerability in, like, the web management interface of a particular IoT device, we've seen several variants of Mirai that will leverage that exploit in order to propagate.

Matt Bing: [00:05:02] So, this research here was really kind of born out of the fact that, if you have a listener out there that is just accepting connections from anybody via this telnet protocol, you can record what usernames and passwords that the bots are attempting to try. So, by having this network of honeypots that's around the world - just so we don't have any biases for location - we were able to sort of see what trends emerge, and what username and password combinations that these bots are actually trying to use.

Dave Bittner: [00:05:33] Let's dig into some basics here before we get into the details. I guess I should start by asking you to just describe, for those who may not know, what exactly is a honeypot, and how do you use it?

Matt Bing: [00:05:44] Sure. So, a honeypot is basically what we call a "deception framework." So, in other words, it's some code or program that makes a particular device appear to be vulnerable, when in fact it's not. So, for instance, our honeypots will appear to be a particular type of IoT device, and it will present a telnet prompt just like a normal IoT device would. If you guess the right username and password, sometimes it will even let you log in with what is essentially a fake shell to record the commands that are being sent. But of course, we're not actually running those commands, we're just appearing to run those commands. So, from an attacker perspective, there should be no way for them to tell the difference between an actual IoT device and our honeypot.

Dave Bittner: [00:06:31] So this way you're sort of gathering the tradecraft of the bad guys by making them think they're getting into a device when they actually aren't.

Matt Bing: [00:06:40] Exactly. Exactly. And for these bots in particular, these are automated programs that are trying to brute force these telnet usernames and passwords. In other words, it's not somebody behind a keyboard, necessarily - it's a bot code that is actually trying to do the exploiting here.

Dave Bittner: [00:06:56] So, let's dig into some of the details here. Can you take us through what exactly were you doing with these honeypots, and what did you learn?

Matt Bing: [00:07:03] Sure. So, by recording all these usernames and passwords that the bots are trying to use, really, what we wanted to do is see how far along we've come since Mirai first hit the scene in 2016. So, I mentioned that the original Mirai had a list of sixty usernames and password combinations that it would try to use to propagate. Well, just in September of this year, we found 1,065 unique combinations of usernames and passwords that were attempting to log into our honeypot.

Matt Bing: [00:07:34] Which is really interesting, because that means that the threat actors have taken the Mirai source code - you know, the original one that was released in 2016 - and they're adding to it. They're trying to be more successful than their competitors. Because, say, for instance, we're both botnet operators, and I happen to know a particular username and password that's used by one particular type of IoT device. I can infect those devices, while if you don't know the username and password, you might not. So it's sort of an evolutionary race between these bots to get the most bots in their botnet.

Dave Bittner: [00:08:06] Hmm. We mentioned earlier that these usernames and passwords are often hard-coded into these devices. Does that mean that they can't be changed? In other words, if I'm the first bad guy to an IoT device, and I get access to it, if another bad guy comes along, can they boot me out? Is it that your last person there gets to take advantage of it? Is there - if I get in first, is there a way to keep other people from getting in behind me, I guess is what I'm getting at.

Matt Bing: [00:08:35] No, absolutely. And that's actually one of the first things some of these bots do if they successfully hack an IoT device, is they'll try to kill any other bots that might be running. But a lot of times we don't necessarily see them try to change the default password, but sometimes they will, like, kill the telnet service so that it's not accessible by anybody else. So, while their bot is running, you know, no other bots can come in and try to kill them. So, yeah, it very much is a push-and-pull between the threat actors here.

Dave Bittner: [00:09:04] Now, what are you seeing in terms of where these are originating? Are there some usual suspects around the world?

Matt Bing: [00:09:11] No, absolutely. So, the top five countries that we saw originate this activity from, in September, was Russia, China, Brazil, the United States, and South Korea.

Dave Bittner: [00:09:23] And so what does that tell you? What can you draw from that?

Matt Bing: [00:09:27] We kind of extrapolate from that, but what we can tell from that is that those countries happen to have more vulnerable IoT devices that are accessible on the open Internet. So, we took that assumption, and we tried to figure out if we could tell what particular devices might be more popular in which country, just based on the username and password combination that they try.

Matt Bing: [00:09:50] So, if I'm bitten by a zombie and turn into a zombie, the chances are that the zombie that bit me was also bitten by another zombie at an earlier time. So, in other words, if there's a particular bot that targets IoT devices that might be more popular in a certain country, we would assume that we would see more particular username and password combinations coming from that country. So, this is sort of the research that we try to go into.

Matt Bing: [00:10:17] And sure enough, we did see some pretty interesting trends that we highlight in the blog. For instance, a really obvious one is that we see the default username and password for some Huawei devices - we saw sources from China attempting to use that combination more often than from other countries. And of course, Huawei being a Chinese company, we would expect to see more of those devices in China than we would in another country.

Dave Bittner: [00:10:42] Let's talk about some of the anomalous results that you got here. There was one that that caught my eye - and I'm going to tread lightly here, because it's a family show - but there was one that you mentioned from Iran, and the username was "mother" and the password was a word that begins with "F" and rhymes with "trucker." And this was a highly ranked username and password combination, and I guess that caught my eye because that doesn't strike me as the kind of thing that a manufacturer would use as a default username and password.

Matt Bing: [00:11:15] No, no, and that was pretty interesting, because the combinations that we saw from Iran - there was a whole five of them in a row that were sort of anomalous, like, "admin1" and "password," the one you mentioned...

Dave Bittner: [00:11:27] Yeah.

Matt Bing: [00:11:26] ...And "54321." And the answer is, I don't really know what the cause of that was, but we were speculating that it could have been one particular type of bot that was more popular in Iran. But you're right that those those usernames and passwords probably aren't being put in there by the manufacturer. But these bots are pretty aggressive, so in addition to trying, like, the backdoor usernames and passwords they'll also try some pretty common ones like that like admin. Five four three two one for instance.

Dave Bittner: [00:11:55] I see. So they're just using what are well-known popular combinations, because why not?

Matt Bing: [00:12:01] Yeah, exactly. It doesn't cost them anything to add a couple more usernames and passwords to their lists.

Dave Bittner: [00:12:07] So, based on this research, what are your recommendations for folks? What what did you learn from this? What are the lessons that people can take from this?

Matt Bing: [00:12:15] Well, I think it mostly comes down to the fact that these IoT devices are out there on the open Internet. And what I mean by that is, these IoT devices that are being infected with bots - anybody can connect to them via a public IP address. Meaning that there's no firewall, or there's no home router that is protecting these devices from what is kind of the background traffic of the Internet. So, for the home user, I think the biggest piece of advice we can give is make sure that these IoT devices are put behind a firewall or a home router, or some network filtering device, that doesn't leave them just out on the open Internet unprotected.

Dave Bittner: [00:12:55] Now, what about for enterprise users? If I've got security cameras in my organization, are there some basic steps I should be taking to isolate those?

Matt Bing: [00:13:03] Sure, yeah. It's essentially the same sort of thing. Make sure that any sort of administrative interface - whether it's via telnet or a web-based administrative interface - is not accessible publicly. Make sure that it's restricted to only the subnets that you would want to manage them from, is probably the best piece of advice. And of course, keep your software up-to-date, for those IoT devices that support software updates. Make sure that you keep those installed.

Dave Bittner: [00:13:30] Yeah, it's an interesting dilemma, because I know - we see, for example, that California is pushing ahead with legislation that will make it so that you have to basically change a password, you know, the first thing you have to do when you interact with a new device is give it a new username and password, to kind of try to get people away from these default usernames and passwords. But at the same time, there are thousands, hundreds of thousands, maybe even millions of these devices that are out there, and they're not going anywhere anytime soon.

Matt Bing: [00:14:01] No, absolutely. Even if we fixed all IoT security problems right now, there would still be millions of devices sitting on store shelves that have not been properly secured. It's really easy to sort of blame the vendor here, and they have their own issues too. I mean, a lot of these IoT devices are cobbled together from pieces from different hardware vendors, and sometimes even different software vendors. So, it's a really sort of complicated ecosystem, and I honestly don't think that they expected to have this many devices be available on the public Internet. And I think that's sort of the core of the problem here.

Dave Bittner: [00:14:38] Do you see any patterns in terms of, you know, if I go with a well-known brand of a device, am I more likely to have better security from the get-go or, you know, the cheaper brands, you know, something I buy for the lowest price on Amazon, is that likely to be less secure? Is there any alignment there, or is it sort of hit-or-miss across the whole spectrum?

Matt Bing: [00:15:00] Yeah, I would say it's a hit-or-miss across the whole spectrum. I mean, some of these vendors are pretty big vendors that you would expect to sort of have their ducks in a row, and they don't.

Dave Bittner: [00:15:11] Yeah, it's interesting, because I've seen even some of these big names, when you dig into what's underneath the hood, it's actually a rebranding of some hardware or software that's being used in many, many different devices that are just being - you know, different organizations are just slapping their name on the device, but they're all coming out of the same factory.

Matt Bing: [00:15:31] Yeah, exactly. We see a lot of that, between reuse of hardware and reuse of software. And I think one other aspect that kind of gets lost here is that, if your IoT device is hacked and it's participating in a botnet like Mirai, like, it's not really visible to the end user. With attacks like ransomware, you know, that encrypt your files and send a big flashing warning telling you to send Bitcoin, you can easily tell that, you know, okay, I have a problem here. But if your IoT device gets hacked - say your webcam gets hacked - there's really no indication to the end user that something is wrong.

Dave Bittner: [00:16:05] Right, it's still functioning as a webcam. It's doing the job that you bought it to do.

Matt Bing: [00:16:09] Exactly. And it might not have these sort of security features to even tell you if there's a problem.

Dave Bittner: [00:16:15] Where do you suppose we're headed with this? What sort of changes do you suppose need to be made for us to be able to get a better handle on these problems?

Matt Bing: [00:16:23] I think, in a very real sense, the IoT security landscape is where the regular IT landscape was in the 1990s. Now, back in the '90s, some of the attacks that were successful were these default usernames and passwords, were these really simple vulnerabilities in, like, web code. And I think we're - with impending legislation, like you said, from California, and then this very real attention to this - I think we're going to get better over time. To me, the real bellwether will be when we start seeing, like, memory corruption attacks being used to attack IoT devices. I think that'll be a sign that things are getting better.

Matt Bing: [00:17:02] And what I mean by that is, like, memory corruption attacks, like buffer overflows - those are sort of tricky to exploit. They're very dependent on, like, the type of CPU that's in the device. And I think when we start to see those memory corruption attacks - which I think we will - I think that'll be a sign that things are getting better. Because there's really nothing specific about IoT, I think, that makes it attractive to these attackers. The attackers we're seeing really just want an army of bots to launch DDoS attacks. The fact that they're IoT might help them a bit, for reasons I said earlier about not having many security features. But really I think they're pretty agnostic as to what their victims are. So, if the IoT security landscape does get better, I think maybe attackers might start to focus on the other low-hanging fruit, whatever that may be at the time.

Dave Bittner: [00:17:54] Our thanks to Matt Bing from NETSCOUT for joining us. The research is titled, "Dipping Into The Honeypot." You can find it on the website of NETSCOUT's ASERT team. We'll have a link in the show notes.

Dave Bittner: [00:18:06] Thanks to Juniper Networks for sponsoring our show. You can learn more at, or connect with them on Twitter or Facebook.

Dave Bittner: [00:18:16] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:18:24] The CyberWire Research Saturday is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben. Editor is John Petrik. Technical editor is Chris Russell. Executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening.