Research Botnet Uses Default Passwords to Conduct “Internet Census”
Carna botnet – an interesting, amoral and illegal internet census  /  20 March 2013

It started from a joke – we should try root:root to log on to random IP addresses. But it evolved from that into a botnet of port scanners able to port scan the entire IPv4 internet in very short order: a complete IPv4 internet census. The hacker/researcher concerned says he had no malicious intent, just a positive purpose. In reality, his motivation was pure old-school hacker: “I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the internet in a way very few people ever will. I decided it would be worth my time.” In other words, his ultimate drive was his own curiosity and because he could. The binaries he developed and deployed – it’s difficult to call them malware since they had no mal-intent; but it’s difficult not to call them malware since they were installed without invitation – were designed to do no harm, to run at the lowest possible priority, and included a watchdog to self-destruct if anything went wrong. He also included a readme file with “a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project.”

The results from the project are worrying but perhaps not surprising to other security researchers: “insecure devices are located basically everywhere on the Internet.” He does note, however, that his unofficial census shows that people are cavalier in what they attach to the internet. “If you believe that ‘nobody would connect that to the internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.” He concludes that “while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.” Whether the results he has made available to other researchers is of any real value, however, is a different matter. “The actual research itself is noteworthy in that it is the most comprehensive Internet-wide scan,” comments Mark Schloesser, a security researcher at Rapid7. “I’m still reviewing the findings, but so far nothing ‘mind-blowing’ has leapt out at me.” Nevertheless, he adds, “Generally this kind of research raises awareness of the real security and configuration issues affecting people, and hopefully helps them identify areas for action.”
Illegal botnet census finds 1.2m devices with default passwords
by Michael Lee  /  March 20, 2013

A common “script kiddie” technique to find vulnerable online computer systems is to attempt to scan a range of IP addresses for responsive known services, such as Telnet or SSH, and then attempt to log in using the default username and password. A crude physical analogy would be a burglar who walks from house to house in a neighbourhood, checking to see whether anyone has forgotten to put a lock on their door. With an opportunistic attack, given enough “neighbourhoods” and enough time, one could potentially gain an insight into how poorly protected people are. However, with the burglar being a single person, doing so would take them a prohibitively long time — unless, theoretically, they were able to recruit vulnerable households and send them to different neighbourhoods to do the same. That was the idea behind the Internet Census 2012 and the Carna botnet, an illegal project that, in addition to answering the big question of how many IPv4 addresses are in use, highlighted just how many people left their metaphorical front doors unlocked by using default passwords and user logins. In an author-less paper published on Bit Bucket, the Carna botnet outsourced the task of port scanning millions of IP addresses to vulnerable machines, beginning with a scan of about 100,000 IP addresses. “With 100,000 devices scanning at 10 probes per second, we would have a distributed port scanner to port scan the entire IPv4 internet within 1 hour,” the paper said.

The botnet itself did not spread using any sophisticated techniques, instead trying the username/password combinations of admin/admin, root/root, and both usernames with blank passwords. Between March and December 2012, the Carna botnet consisted of 420,000 clients. Despite having control of such a large network, the botnet remained relatively benign, as its intent was to collect data for research. The paper states that the author had “no interest to interfere with default device operation” and made no permanent changes to machines it infected. Removal of any uploaded files was a simple matter of rebooting the device, and a number of precautions were made to ensure that they would not interfere with normal device usage. “Our binaries were running with the lowest possible priority, and included a watchdog that would stop the executable in case anything went wrong. Our scanner was limited to 128 simultaneous connections, and had a connection timeout of 12 seconds,” the paper said. “We also uploaded a readme file containing a short explanation of the project, as well as a contact email address to provide feedback for security researchers, ISPs, and law enforcement who may notice the project.”

While the census found that the majority of vulnerable devices were consumer routers, the paper notes that a few vulnerable devices included industrial control systems and border gateway protocol routers responsible for assisting in finding country-wide routes for the wider internet. In simplistic terms, the latter routers help ISPs to find optimal routes through which to direct, at times, country-wide traffic, making it possible to cut entire nations off from the rest of the world. This protocol has been subject to attack in the past, such as when Syria was knocked off the internet last year, or when 15 percent of the world’s traffic was routed through China in 2010.

Hilbert map of the 420 Million IP addresses that responded to ICMP ping requests at least two times between June and October 2012. The IP space is mapped to a 2-dimensional Hilbert Curveas inspired by xkcd. For a zoomable, clickable version of this image as well as other data projected in a Hilbert curve take a look the Hilbert Browser.

Although Carna spread to 420,000 devices, it does not represent the total number of vulnerable ones; technical limitations, such as insufficient space for Carna’s binaries, meant that it could not run on certain devices. From the unique hardware addresses (MAC addresses) the botnet collected from vulnerable devices, the paper suggests that there were about 1.2 million unprotected devices in its census, and many more devices that were simply unable to report their hardware address. “A lot of devices and services we have seen during our research should never be connected to the public internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the internet, really nobody’, there are at least 1,000 people who did. Whenever you think, ‘that shouldn’t be on the internet, but will probably be found a few times’, it’s there a few hundred thousand times. Like half a million printers, or a million webcams, or devices that have root as a root password.” As insecure as these systems were, and the significant consequences that their exploitation may have brought, the paper chose to ignore all traffic going through them that was not relevant to its study in order to respect users’ privacy.

A twist in the study came in the form of another botnet that Carna discovered during its first initial scan of a few thousand devices. It discovered another bot called Aidra that the paper’s author said was “clearly made for malicious actions”. After examining what targets Aidra was looking at, Carna’s author decided to close the telnet service that it was using to spread on machines that it infected. In this manner, if Carna infected a machine it knew was being targeted by Aidra, it would gather its research data, then “auto-immunise” itself against the impending Aidra attack, therefore protecting the victim from being abused. “We figured that the collateral damage as a result of this action would be far less than Aidra exploiting these devices.” However, Carna’s policy of ensuring that no changes were ever made permanent meant that restarting the device would remove Carna as well as any protection it offered against Aidra.

The big question of the census, however, was how many 3.6 billion or so non-reserved IPv4 addresses are actually in use? “That depends on how you count. 420 million pingable IPs plus 36 million more that had one or more ports open, making 450 million that were definitely in use and reachable from the rest of the internet. 141 million IPs were firewalled, so they could count as ‘in use’. Together, this would be 591 million used IPs. 729 million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 billion used IP addresses. The other 2.3 billion addresses showed no sign of usage.” As for the rest of the data, the author has made it available for anyone who’s willing to download the 568GB compressed package. Uncompressed, the total data represents 9TB of raw logfiles, covering results from ping, reverse DNS, port scan, traceroute, and TCP IP fingerprint tests. “We hope other researchers will find the data we have collected useful, and that this publication will help raise some awareness that while everybody is talking about high-class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.”

Leave a Reply