Hello, welcome to the Tuesday, May 9th, 2017 edition of the Sandsenert Storms,

and I'm a stormcast. My name is Johannes Ulrich. And today I'm recording from Jacksonville, Florida.

We got an interesting post today from Renato of Morphus Labs, who is writing about his investigation

into a P2P botnet. This botnet, which was mostly comprised

of Unify routers and Raspberry Pis, among a number of other Linux systems like that,

did use a P2P system to communicate with each other, which enabled Renato to actually look

into the size of the botnet by just polling notes that connected to him for their neighbor list,

and then essentially just ask those neighbors for their neighbor list, which resulted in about

5,000 different infected systems by this particular botnet.

Interesting write-up about the command control infrastructure of this botnet.

The use of Zell certificates in certain cases for authentication is also kind of interesting. He also lists a number of

indicators of compromise that you can use to find infected systems in your network. Now, the

main infection vector here appears to be weak passwords, just like that. So often before, I mentioned Unify. The Unify routers often are

configured with a default UBNT account and password. Then there is also Raspberry Pis. Now, in the

past, Raspberry Pi's came with SSH enabled and the default password of Raspberry.

More recent versions of the Raspian operating system actually no longer enable SSH by default.

You have to specifically enable it after you create the SD card.

But typically these botnets aren't very picky.

They take any Linux system or Unixish system they can find in this case, as we have

seen before, the binary that's being uploaded, comes in various versions for different

architectures.

And if you downloaded Handbrake, the popular video conversion

...