Monday, November 7, 2016

How to fix millions of vulnerable IoT devices used it the Miari DDoS attacks.

How to fix millions of vulnerable IoT devices used it the Miari DDoS attacks.

15 years ago I received the call from my friend Don Jensen. He was the head IT guy for Granite Construction, Heavy Construction division. He had four remote sites infected with the Nimda worm. 

Wikipedia sums it up here:

"Nimda is a file infecting computer worm. It quickly spread, surpassing the economic damage caused by previous outbreaks such as Code Red. Nimda utilized several types of propagation techniques and this caused it to become the Internet’s most widespread virus/worm within 22 minutes.

The worm was released on September 18, 2001. Nimda affected both user workstations (clients) running Windows 95, 98, NT, 2000 or XP and servers running Windows NT and 2000. 

The worm exploited various Microsoft IIS 4.0 / 5.0 directory traversal vulnerabilities. Nimda were hugely successful exploiting well known and long solved vulnerabilities in the Microsoft IIS server."

It was affecting all of the telephone service at the remote sites (Las Vegas, Minneapolis, Dallas, and Tampa). The phone systems were running Cisco Communication Center on top of Windows 2000 server. Microsoft Internet Information Server administration GUI was the admin control console.

What a mess. I was at my home in California, and traveling to each remote site was not possible.

This HAD to repair remotely, so I started to investigate what made Nimda tick, and found a solution. (This advisory from CERT was really helpful.)

I used it against itself. I "hacked" each of the Windows servers using the exact same security hole that made Nimda possible: I opened a browser window, plugged in the IP address of the infected server, and began typing commands, starting with "CMD.EXE".

After the massive DDoS atack in October 2016, I started to think about how to remotely patch the millions of video cameras, DVR's, and doorbells that were being compromised by Mirai and downloaded the source code. I think this just might work, but it may not be legal to remotely patch and upgrade all the IoT devices in the world. 

1 comment:

James Dillon said...

Most non-PC devices such routers, modems, cellular modems, digital video recorders and IoT sensors are almost perfect weapons for attackers – they don’t typically run antivirus software; they don’t get updated regularly or can’t be updated; and they are often left switched on 24-hours a day.
Even if IoT devices are deployed with security in mind, checking the hundreds or even thousands of individual devices used in a factory or office environment control system is a daunting task