The Owari DDoS botnet, built by knocking over weakly-secured Internet of Things (IoT) devices, has had a bad week.
The disruption of a botnet is always cause for celebration but it’s the reason behind Owari’s hiccup that might linger longer in the memory.
According to the NewSky Security researchers who compromised it, the botnet’s command and control server was secured with credentials so weak most admins will find themselves doing a double take.
When we investigated the IP, we observed that port 3306, the default port for MySQL database, was open.
Trying their luck, they discovered:
To our surprise, it is connected to the attacker’s servers using one of the weakest credentials known to mankind – Username: root, Password: root.
No brute forcing required, then, but there were other discoveries too, including a table of botnet customers who seemed to have been given similarly weak credentials, including “sin/sin”, “packet/packet”, and “logi/f***”.
Most of the IPs attacked by the botnet appeared to have been rival botnets.
The researchers also discovered a second MySQL database on another IP, also secured using “root/root”.
Were the weak credentials an oversight or simple incompetence?
Given that command and control IPs have a short lifespan, it’s possible they simply didn’t see the point in wasting time on security:
Botnet operators are aware that their IPs will be flagged soon due to the bad network traffic. Hence to stay under the radar, they often voluntarily change attack IPs.
If that’s the case, while Owari might have taken a hit, it is unlikely to be gone forever. Short of remediating every compromised IP, all the botnet operators have to do is set up elsewhere and they’re good to go again.