Developer Pulls Anti-Mirai IoT Worm After Backlash


The ‘anti-worm worm’ was intended as a proof of concept, but experts warned of further security risk

A software engineer has published the source code for an experimental “anti-worm” intended as a possible remedy for insecure connected devices, such as those that helped power a widely disruptive denial-of-service attack earlier this month.

Leo Linsky based his “anti-worm worm (or nematode)” on the source code of Mirai (Japanese for “future”), a botnet control system whose developer recently made it public.


IoT issue

Security researchers have warned for years of the dangers posed by connected gadgets such as set-top boxes and webcams, but the issue reached a new level of public attention earlier this month following an attack on DNS service provider Dyn.

The massive distributed denial-of-service attack, which temporarily cut off access to sites such as Amazon, Twitter, Reddit and Spotify, was in part fuelled by a Mirai botnet drawing on thousands of such devices.

The devices in question were easily hacked because they were configured using default access credentials, meaning anyone who knew the default settings could log in and take control.

The problem is difficult to address, since billions of such devices are already in use, often by individuals with little awareness of online security issues.

Linsky said the code was intended as a proof-of-concept to show that a worm could be one way of approaching the problem.

Proof of concept

“The idea is to show that devices can be patched by a worm that deletes itself after changing the password to something device-specific or random,” he wrote on the project’s page on the GitHub code repository. “Such a tool could theoretically be used to reduce the attack surface.”

However, he warned that the code was intended only to be “tested in closed research environments” and should be used at developers’ “own risk”, and quickly pulled the code following criticism from security experts.

As of Tuesday morning the code was no longer available on Linsky’s GitHub page. Linsky did not immediately respond to a request for comment.

Technical challenges

Discussion boards commenting on the code noted that deploying such a worm would violate computer security laws in a number of countries, including the UK.

A security researcher said that legal issues aside, the use of such an automated tool is impractical as its actions are outside the user’s control.

“Anyone releasing the ‘anti-worm worm’ has no control over how it would spread, or the resources it might gobble up as it scours the Internet looking for more vulnerable devices to patch,” said researcher Graham Cluley in a blog post.

It would be difficult for such a program to distinguish legitimate targets from critical systems that shouldn’t be tampered with or honeypots set up by researchers to attract malware, while hackers might also use the worm’s code to develop their own malicious tools, he said.
