Unless you have been living under a rock, I’m sure you have heard of the Mirai botnet that was responsible for taking over thousands of IoT devices.
I spent a few hours checking out the code and, to be honest, it’s absolutely unreal how well this worked, considering its only attack is a Telnet login brute force using this short dictionary of factory-default credentials (an entry of (none) means an empty password):
username / password
root / xc3511
root / vizxv
root / admin
admin / admin
root / 888888
root / xmhdipc
root / default
root / juantech
root / 123456
root / 54321
support / support
root / (none)
admin / password
root / root
root / 12345
user / user
admin / (none)
root / pass
admin / admin1234
root / 1111
admin / smcadmin
admin / 1111
root / 666666
root / password
root / 1234
root / klv123
Administrator / admin
service / service
supervisor / supervisor
guest / guest
guest / 12345
guest / 12345
admin1 / password
administrator / 1234
666666 / 666666
888888 / 888888
ubnt / ubnt
root / klv1234
root / Zte521
root / hi3518
root / jvbzd
root / anko
root / zlxx.
root / 7ujMko0vizxv
root / 7ujMko0admin
root / system
root / ikwb
root / dreambox
root / user
root / realtek
root / 00000000
admin / 1111111
admin / 1234
admin / 12345
admin / 54321
admin / 123456
admin / 7ujMko0admin
admin / 1234
admin / pass
admin / meinsm
tech / tech
mother / f**er [censored]
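Because the dictionary is this small and fixed, it doubles as a detection signature: a source that walks through several of these exact user/password pairs against a Telnet service is almost certainly a Mirai-style scanner. The following is an added example (my own code, not anything from the Mirai source) that loads the pairs above, parses a few constructed login-attempt log lines in a made-up `src= user= pass=` format, and reports which sources tried how many dictionary entries. The censored entry is left out, and (none) is represented as an empty string.

```python
"""Flag telnet login attempts that match the Mirai default-credential
dictionary. Added example; not code from the Mirai repository."""
import re
from collections import defaultdict

# The user/password pairs from the Mirai scanner dictionary above, with the
# two duplicate entries collapsed and the censored one omitted. "" stands
# for an empty password ("(none)" in the listing).
MIRAI_CREDS = set([
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
    ("root", "123456"), ("root", "54321"), ("support", "support"), ("root", ""),
    ("admin", "password"), ("root", "root"), ("root", "12345"), ("user", "user"),
    ("admin", ""), ("root", "pass"), ("admin", "admin1234"), ("root", "1111"),
    ("admin", "smcadmin"), ("admin", "1111"), ("root", "666666"), ("root", "password"),
    ("root", "1234"), ("root", "klv123"), ("Administrator", "admin"), ("service", "service"),
    ("supervisor", "supervisor"), ("guest", "guest"), ("guest", "12345"), ("admin1", "password"),
    ("administrator", "1234"), ("666666", "666666"), ("888888", "888888"), ("ubnt", "ubnt"),
    ("root", "klv1234"), ("root", "Zte521"), ("root", "hi3518"), ("root", "jvbzd"),
    ("root", "anko"), ("root", "zlxx."), ("root", "7ujMko0vizxv"), ("root", "7ujMko0admin"),
    ("root", "system"), ("root", "ikwb"), ("root", "dreambox"), ("root", "user"),
    ("root", "realtek"), ("root", "00000000"), ("admin", "1111111"), ("admin", "1234"),
    ("admin", "12345"), ("admin", "54321"), ("admin", "123456"), ("admin", "7ujMko0admin"),
    ("admin", "pass"), ("admin", "meinsm"), ("tech", "tech"),
])

# Constructed sample log in a hypothetical "src= user= pass=" format; the
# addresses are documentation ranges, not real scanners.
SAMPLE_LOG = """\
2016-10-21T12:00:01Z telnet src=203.0.113.5 user=root pass=xc3511 result=failed
2016-10-21T12:00:02Z telnet src=203.0.113.5 user=root pass=vizxv result=failed
2016-10-21T12:00:03Z telnet src=203.0.113.5 user=admin pass=admin result=failed
2016-10-21T12:00:04Z telnet src=203.0.113.5 user=root pass=888888 result=success
2016-10-21T12:01:10Z telnet src=198.51.100.7 user=alice pass=correct-horse result=failed
2016-10-21T12:01:11Z telnet src=198.51.100.7 user=root pass= result=failed
2016-10-21T12:02:00Z sshd src=192.0.2.9 user=root pass=admin result=failed
this line is not a login record
"""

# \S* (not \S+) so an empty password after "pass=" still parses.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+user=(?P<user>\S*)\s+pass=(?P<pw>\S*)")


def parse_attempt(line):
    """Return (src, user, password) for a login record, or None otherwise."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group("src"), m.group("user"), m.group("pw")


def mirai_hits(lines):
    """Map each source address to the set of Mirai dictionary pairs it tried."""
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_attempt(line)
        if parsed is None:
            continue
        src, user, pw = parsed
        if (user, pw) in MIRAI_CREDS:
            hits[src].add((user, pw))
    return dict(hits)


def suspected_scanners(lines, threshold=3):
    """Sources that tried at least `threshold` distinct dictionary pairs."""
    return sorted(src for src, pairs in mirai_hits(lines).items()
                  if len(pairs) >= threshold)


if __name__ == "__main__":
    for src, pairs in mirai_hits(SAMPLE_LOG.splitlines()).items():
        print(src, len(pairs), "dictionary pair(s)")
    print("suspected scanners:", suspected_scanners(SAMPLE_LOG.splitlines()))
```

The threshold matters: a single root/admin attempt from one address is noise on any Internet-facing Telnet port, whereas three or more distinct pairs from this exact list in one session is the scanner's fingerprint. On a real deployment the regex would be swapped for the honeypot's or device's actual log format.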
Additionally, I found it interesting that the scanner carries what is essentially an off-limits list: hard-coded address ranges it will never pick as a target, covering private and reserved space as well as blocks belonging to General Electric, Hewlett-Packard, the US Postal Service and the Department of Defense.
0.0.0.0/8 - Invalid address space
3.0.0.0/8 - General Electric (GE)
15.0.0.0/7 - Hewlett-Packard (HP)
56.0.0.0/8 - US Postal Service
10.0.0.0/8 - Internal network
192.168.0.0/16 - Internal network
172.16.0.0/14 - Internal network
100.64.0.0/10 - IANA NAT reserved
169.254.0.0/16 - IANA NAT reserved
198.18.0.0/15 - IANA Special use
224.*.*.*+ - Multicast
6.0.0.0/7 - Department of Defense
11.0.0.0/8 - Department of Defense
21.0.0.0/8 - Department of Defense
22.0.0.0/8 - Department of Defense
26.0.0.0/8 - Department of Defense
28.0.0.0/7 - Department of Defense
30.0.0.0/8 - Department of Defense
33.0.0.0/8 - Department of Defense
55.0.0.0/8 - Department of Defense
214.0.0.0/7 - Department of Defense
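The way this list is used is simple: the scanner draws a random 32-bit address and throws it away if it lands in any of these ranges, looping until it gets one that does not. The following is an added example (my own Python reimplementation, not the C from scanner.c, which does the same thing with per-octet comparisons) that applies the exclusion list from the scanner to random candidate targets. It also excludes 127.0.0.0/8, which scanner.c skips as loopback. `15.0.0.0/7` is written with host bits set, so it is parsed non-strictly and becomes 14.0.0.0/7.

```python
"""Mirai-style target selection: random IPv4 candidates filtered through
the hard-coded exclusion list. Added example; not code from scanner.c."""
import ipaddress
import random

# Prefixes from the scanner's exclusion list. strict=False because
# 15.0.0.0/7 has host bits set and would otherwise raise ValueError.
EXCLUDED = [ipaddress.ip_network(cidr, strict=False) for cidr in (
    "127.0.0.0/8",     # loopback (also skipped by scanner.c)
    "0.0.0.0/8",       # invalid address space
    "3.0.0.0/8",       # General Electric
    "15.0.0.0/7",      # Hewlett-Packard (becomes 14.0.0.0/7)
    "56.0.0.0/8",      # US Postal Service
    "10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/14",   # internal networks
    "100.64.0.0/10", "169.254.0.0/16",                 # IANA NAT reserved
    "198.18.0.0/15",                                   # IANA special use
    "6.0.0.0/7", "11.0.0.0/8", "21.0.0.0/8", "22.0.0.0/8", "26.0.0.0/8",
    "28.0.0.0/7", "30.0.0.0/8", "33.0.0.0/8", "55.0.0.0/8", "214.0.0.0/7",
)]


def is_excluded(ip):
    """True if the address must not be scanned."""
    addr = ipaddress.IPv4Address(ip)
    if int(addr) >> 24 >= 224:      # "224.*.*.*+": multicast and above
        return True
    return any(addr in net for net in EXCLUDED)


def random_target(rng=random):
    """Draw random 32-bit addresses until one passes the exclusion filter."""
    while True:
        candidate = ipaddress.IPv4Address(rng.getrandbits(32))
        if not is_excluded(candidate):
            return candidate


def sample_targets(n, seed=0):
    """Deterministic batch of n targets, for inspection or testing."""
    rng = random.Random(seed)
    return [random_target(rng) for _ in range(n)]


if __name__ == "__main__":
    for t in sample_targets(10):
        print(t)
```

One caveat for anyone reading the original C: the octet comparisons in scanner.c do not all match the CIDR comments next to them (the 169.254.0.0/16 test, for instance, is written so that it never matches), so the list above describes the intent rather than exactly what the compiled scanner skips.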
At any rate, I thought it was fun to read through and see just how simple a piece of malware can be and still cause massive damage.
Oh, and here’s the source on GitHub: