
To do the experiment, he (she?) created a binary to upload to devices that tries to use one of four combinations of root login credentials (root:root, admin:admin and both without passwords). When and where successful, the binary would give the device IP ranges to scan and instructions on reporting back to a previously prepared server.
"We had no interest in interfering with default device operation, so we did not change passwords and did not make any permanent changes. After a reboot the device was back in its original state, including weak or no password, with none of our binaries or data stored on the device anymore," the researcher explained.
"Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong. Our scanner was limited to 128 simultaneous connections and had a connection timeout of 12 seconds. This limits the effective scanning speed to ~10 IPs per second per client. We also uploaded a readme file containing a short explanation of the project as well as a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project."
All in all, the researcher equipped some 420,000 devices with the binary, and pointed out that these were only about 25 percent of all unprotected devices they found. Most of them were consumer routers or set-top boxes, but some were IPsec and BGP routers, industrial control systems, big Cisco and Juniper equipment, etc.
According to the report, it took six months to work out the scanning strategy, develop the backend and set up the infrastructure for the experiment. While doing so, the researcher discovered that some of the devices they used were also infected with the Aidra bot and enslaved into that botnet.
The researcher's own Carna botnet - named after the Roman goddess for the protection of inner organs and health, later confused with the goddess of doorsteps and hinges - effectively managed to map out the Internet.
Apart from discovering a massive amount of unprotected devices, the experiment revealed that some 1.3 billion IPv4 addresses are in use, and 2.3 billion addresses are not.
"With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible," the researcher wrote, hoping that other researchers would find the data useful.
The researcher also pointed out that the experiment revealed that "while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world."

Follow @zeljkazorz
