Botnet operators can be as clueless about security as their victims, according to Ankit Anubhav, Principal Researcher at NewSky Security, a cyber-security company specialized in IoT security.

Anubhav told Bleeping Computer that he recently stumbled upon two databases of two distinct IoT botnets secured with the trivial username and password combination of root/root.

Botnet herders didn't learn anything from their victims

What makes this incredibly ironic is that both databases belonged to botnets built with a version of Owari, a malware strain that infects IoT devices using weak or default credentials.

It appears that in their haste to take over IoT devices running on weak credentials, the botnet authors themselves forgot to choose a stronger username and password combo for their command and control (C&C) server's database

Because of this mistake, Anubhav was able to gain access to these botnets and retrieve details about infected devices, but also about the botnet operators and even some of the clients to whom they've rented out the botnet for DDoS attacks.

It's not exactly spelled out in the article, but the perp wasn't just stupid (using weak credentials). He was *creatively* stupid. You have to try hard, in order to make a MySQL database accessible to the whole world. Not something you can do accidentally. https://t.co/NzyNYSIcoS — Vess (@VessOnSecurity) June 4, 2018

Botnets moved C&C in the meantime

Both of these weakly secured botnet C&C servers —located at 80.211.232.43 and 80.211.45.89— are now offline.

They went offline as part of their regular modus operandi, Anubhav says. Both botnets regularly change the IP addresses of their C&C servers after one week.

Anubhav says the reason that miscreants regularly move C&C servers is because the IPs of their attack infrastructure get added to blacklists, and they need to move the C&C servers to new IPs in order to keep control of their attack infrastructure (bots, aka infected routers/IoT devices).

This also means that two Owari IoT botnets are still somewhere out there using root/root as their C&C server credentials. After today's revelation from Anubhav, these botnets won't last for long. Grayhat security researchers won't think twice about taking these botnets down, while other crooks will surely be looking into hijacking the weakly secured botnets from their original owners and adding it to their own.