For the past few weeks, a threat actor who goes online by the name of "Subby" has taken over the IoT DDoS botnets of 29 other hackers, ZDNet has learned.

The hacker exploited the fact that some botnet operators had used weak or default credentials to secure the backend panels of their command and control (C&C) servers.

In an interview today, Subby said he used a dictionary of usernames and a list of common passwords to brute-force his way into the C&C infrastructure of these 29 botnets --some of which were using very weak user:password combos, such as "root:root", "admin:admin", and "oof:oof".

Image: Ankit Anubhav (supplied)

Botnets built by "skidz"

"It's obvious as to why this is happening," Subby said in an interview conducted by Ankit Anubhav, a security researcher at NewSky Security and shared with ZDNet.

"A large percentage of botnet operators are simply following tutorials which have spread around in the community or are accessible on YouTube to set up their botnet," he said. "When following these tutorials, they do not change the default credentials. If they do change the credentials the password they supply is generally weak and therefore vulnerable to brute forcing."

What Subby is saying isn't anything new, at least for the security researchers who've been tracking IoT botnets.

Last month, Anubhav also interviewed the author of the Kepler IoT botnet, who admitted to having built the botnet following a tutorial and using random exploits he downloaded from the ExploitDB website.

Most IoT botnets today are built in a similar manner, by hackers, most of who are teenagers without any technical skills. They often forget to change default credentials (as it happened before, in June 2018) or change the IP address of their C&C server (as it happened last week, sending bot traffic into an abyss).

All 29 botnets accounted for a meager 25,000 bots

According to Subby, none of 29 hijacked botnets were particularly large in size. The hacker said that an initial bot count revealed a total of nearly 40,000, but after removing duplicates, the actual count was a meager 25,000 --which is considered low for one IoT botnet alone, let alone 29.

"I was able to get a reliable network traffic graph produced of the traffic generated from all the botnets combined and it was just under 300gbit/s," Subby said, which is, also, a pretty low traffic output.

Anubhav's full interview with Subby, which touches on other topics, is available here.

Related malware and cybercrime coverage: