How Vigilante Hackers Could Stop the Internet of Things Botnet

Could do-gooder hackers take over the Mirai botnet and make it unhackable for criminals?

In the last few weeks, the internet has witnessed some of the worst cyberattacks ever.

All these attacks have been powered by a zombie army, or botnet, of easy-to-hack internet-connected devices such as cameras and DVRs, infected with an amateurish but extremely effective malware called Mirai.

On Friday, this string of attacks culminated with three different assaults on a company that provides web services for giants such as Twitter, Netflix and Spotify. The attacks, commonly known as distributed denial of service, or DDoS attacks, took those sites intermittently offline throughout the day.


The worst part of this story is that no one really knows exactly how to stop something like this from happening again.

Some have put forth a perhaps desperate—and certainly illegal—solution: Have white-hat vigilante hackers take over the insecure Internet of Things devices that the Mirai malware targets and take them away from the criminals.

Several hackers and security researchers agree that taking over the zombies in the Mirai botnet would be relatively easy. After all, if the "bad guys" Mirai can do it, a "good guys" Mirai—perhaps even controlled by the FBI—could do the same.

The biggest technical hurdle to this plan, as F-Secure chief research officer Mikko Hypponen put it, is that once it infects a device, Mirai "closes the barn door behind it." Mirai spreads by scanning the internet for devices that have the old-fashioned remote access protocol telnet enabled and have easy-to-guess passwords such as "123456" or "passwords." Then, once it infects them, it disables telnet access, theoretically stopping others from doing the same.

The good news is that the code that controls this function doesn't always work very well, according to Darren Martyn, a security researcher who has been analyzing the malware and who said he's seen some infected devices that still have telnet enabled and thus can be hacked again. Also, Mirai disappears once an infected device is rebooted, which likely happens often as owners of infected cameras and DVRs try to fix devices that suddenly have their bandwidth saturated.


The bad news is that Mirai spreads so fast that a rebooted, clean device gets re-infected in five minutes, according to the estimates of researchers who've been tracking the botnets. So a vigilante hacker has a small window before the bad guys come back.

The other problem is what a do-gooder hacker could do once they took over the botnet.

The options are: brick the devices, making them completely unusable; change the default passwords, locking out even their legitimate owners; or try to fix their firmware to make them more resistant to future hack attempts while keeping them fully functional.

The third is the ideal one, but given that the Mirai botnets are comprised of several disparate devices, made by several different companies, it'd be extremely hard to push an update that works for all of them, according to security researchers.

"I suspect a perfect white-hat fixer-upper virus is unfeasible," Emin Gun Sirer, a professor at Cornell University, told me.

The real challenge of this whole scenario, however, is that despite being for good, this is still illegal.

"No one has any real motivation to do so. Anyone with the desire to do so, is probably afraid of the potential jail time. Anyone not afraid of the potential jail time…can think of better uses for the devices," Martyn told Motherboard, referring to criminals who can monetize the Mirai botnet.


Yet, while this all sounds like a far-fetched scenario, it wouldn't be the first time hackers broke the law and hacked thousands of strangers' computers to do good. Last year, a mysterious group of hackers calling themselves The White Team broke into more than 10,000 home routers to clean them of malware infections and encourage users to change the devices' default passwords and update their firmware. The White Team's "malware," so to speak, is still going around today.

"We have no intent of damaging your device or harm your privacy in any way," the hackers wrote in their message to their victims.

In the early 2000s, someone developed a self-propagating virus, a worm known as Welchia, that was programmed to find computers infected by another worm, and remove it. Despite its good intentions, it caused more trouble than it prevented.

So far, apparently no vigilante hacker has tried to fight the criminals who control Mirai, but given the historical precedents, that doesn't mean no one will try.

"Now that the genie is out of the bottle," Gun Sirer said, "more are sure to come."
