05 Oct 16 16:48, you wrote to me:   
      
    >>> I switched to a different telnet port.. I've probably got maybe a week
    >>> before the 'sniffers' find it.
      
    >> they shouldn't... at least not the bots... they're simply not designed   
    >> for that... generally speaking, all they do is go after the stuff on   
    >> default ports with default user names and passwords...   
      
    JK> Heh, that is true.. wasn't thinking of that ... I was thinking some
    JK> evil sh_t in a devil's costume running sniffer software
    JK> But you are absolutely right.
      
   a lot of us tend to think like that... that we're under specific targeting
   but we're not... i know what you mean as i used to do the same thing way
   back... until i got more and more into network security and had that epiphany
   that they don't care and there's no time for them to sit and manually hack on
   systems... maybe some special ones but they just let the scripts do most of
   that to find a way in... once they're in, they tell the critter what to
   download and send out... at that point it is nothing but a bot talking to a
   CnC...
      
    >> in the case of MIRAI, it also looks on port 2323 because that's a
    >> default port for some of the DVRs, cameras and other IoT stuff they are
    >> targeting... now that the source code has been released, this may
    >> change...
      
    JK> Glad I didn't use that port    
      
   hahaha... it doesn't really hurt all that badly ;) ;) ;)   
      
    >> FWIW: MIRAI is not the only game in town hunting down IoT devices...   
    >> there is at least one other... MIRAI actually goes as far as killing   
    >> off other services in the device to prevent other infestations from   
    >> getting in... that also removes the admin GUI so if someone is going to   
    >> try to do something with their device and they can connect to it,   
    >> they'll turn it off and back on which dumps MIRAI from memory and the   
    >> device is clean for a few minutes until it gets scanned again and the   
    >> owner hasn't changed the default password...   
      
    JK> Insane crap you have to think of these days.   
      
   have you seen the source code, yet? i'm not convinced that this is the code to   
   the critter i've been tracking but it is apparently close... the one i've been   
   tracking does the MIRAI thing but newer code has been doing ECCHI... i've not   
   seen any ECCHI at all... the sources i have show ECCHI plus VDOSS... the last   
   i suspect is a clue to the vDOS DDOS for hire site that krebs wrote about...   
   maybe, maybe not... when the two young owners of vDOS were arrested and   
   questioned by the FBI, the MIRAI traffic fell off for a week or so...   
      
   one thing is obvious, though... whoever it is is into japanese culture or at
   least anime... mirai means "future"... toyota has a vehicle with this name
   that they advertise as "the turning point"... this critter may very well be an
   indicator of that unless the "Internet of Targets" industry pulls their heads
   out of their nether regions and starts with security first, to which they then
   add on the other features of their devices... i mean, who imagines their web cams,
   DVR or even their TV as being part of a botnet and attacking others???
      
   )\/(ark   
      
   Always Mount a Scratch Monkey   
   Do you manage your own servers? If you are not running an IDS/IPS yer doin' it   
   wrong...   
   ... If you're gonna use taglines, at least write yer own! (c)   
   ---   
    * Origin: (1:3634/12.73)   
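As an added example, not from this message or its author: a small Python script that flags sources sweeping tcp/23 and tcp/2323 across many hosts, the default-port scanning the message says IoT bots like MIRAI rely on. The log line layout, the sample entries and the thresholds are all assumed/constructed.

```python
"""Flag hosts that probe the default telnet ports (23, 2323) across many targets.
Added example; the log format below is assumed and the entries are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Ports the message says IoT bots such as MIRAI hunt on by default.
TELNET_PORTS = {23, 2323}

# Constructed sample log, one connection attempt per line:
# "<timestamp> <src_ip> -> <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
2016-10-05T16:40:01 203.0.113.7 -> 192.0.2.10:23
2016-10-05T16:40:02 203.0.113.7 -> 192.0.2.11:23
2016-10-05T16:40:02 203.0.113.7 -> 192.0.2.12:2323
2016-10-05T16:40:03 203.0.113.7 -> 192.0.2.13:23
2016-10-05T16:40:05 203.0.113.7 -> 192.0.2.14:2323
2016-10-05T16:40:09 198.51.100.4 -> 192.0.2.10:22
2016-10-05T16:41:30 198.51.100.9 -> 192.0.2.10:23
2016-10-05T16:55:00 203.0.113.7 -> 192.0.2.50:23
"""

def parse_line(line):
    """Return (timestamp, src, dst, port) or None if the line does not match."""
    try:
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        return datetime.fromisoformat(ts), src, dst, int(port)
    except ValueError:
        return None

def find_telnet_scanners(log_text, min_targets=4, window=timedelta(minutes=1)):
    """Return {src: distinct targets} for sources that hit at least min_targets
    distinct hosts on tcp/23 or tcp/2323 inside any sliding time window."""
    events = defaultdict(list)  # src -> [(ts, dst)] for telnet-port hits only
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[3] in TELNET_PORTS:
            events[rec[1]].append((rec[0], rec[2]))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):  # window starting at each hit
            targets = {dst for ts, dst in hits[i:] if ts - start <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(len(targets), flagged.get(src, 0))
    return flagged

if __name__ == "__main__":
    for src, n in find_telnet_scanners(SAMPLE_LOG).items():
        print(f"{src}: {n} distinct hosts probed on telnet ports within a minute")
```

A single host on a non-default port (like the one in the message) never shows up here; the sweep across many addresses is what gets flagged.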