Slashdot Mirror


Botnet Uses Default Passwords To Conduct "Internet Census 2012"

An anonymous reader writes "By using four different login combinations on the default Telnet port (root/root, admin/admin, root/[no password], and admin/[no password]), an anonymous researcher was able to log into (and upload a binary to) 'several hundred thousand unprotected devices' and run 'a super fast distributed port scanner' to scan the entire IPv4 address space." From the report: "While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage. All data gathered during our research is released into the public domain for further study."
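The login check the summary describes, as an added example that is not the researcher's code: it tries the four default pairs named above against one Telnet service and reports the first one that yields a shell prompt. It is written for auditing devices you own or are authorised to test. The fake BusyBox-style device, its prompt strings and the ephemeral loopback port are constructed so the logic runs offline; real devices differ in prompt text, and the IAC handling covers only the three-byte option negotiation commands.

```python
"""Audit one Telnet service for the four default credential pairs from the
story summary. Added example, not the anonymous researcher's code; the fake
device below is a constructed stand-in so it runs offline."""
import socket
import threading

IAC, WILL, WONT, DO, DONT = 255, 251, 252, 253, 254
DEFAULT_CREDS = [("root", "root"), ("admin", "admin"), ("root", ""), ("admin", "")]


def strip_iac(data: bytes) -> bytes:
    """Remove IAC WILL/WONT/DO/DONT <opt> sequences so prompts can be matched."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] == IAC and i + 2 < len(data) and data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3
        else:
            out.append(data[i])
            i += 1
    return bytes(out)


def read_until(sock: socket.socket, markers, timeout: float = 3.0) -> bytes:
    """Read until one of the markers appears, the peer closes, or the timeout hits."""
    sock.settimeout(timeout)
    buf = b""
    while not any(m in buf for m in markers):
        try:
            chunk = sock.recv(1024)
        except socket.timeout:
            break
        if not chunk:
            break
        buf += strip_iac(chunk)
    return buf


def try_login(sock: socket.socket, user: str, password: str) -> bool:
    """One login attempt; True only if a shell prompt ('# ' or '$ ') comes back."""
    read_until(sock, [b"ogin:"])
    sock.sendall(user.encode() + b"\r\n")
    read_until(sock, [b"assword:"])
    sock.sendall(password.encode() + b"\r\n")
    reply = read_until(sock, [b"# ", b"$ ", b"incorrect", b"ogin:"])
    return reply.rstrip().endswith((b"#", b"$"))


def find_default_credentials(host: str, port: int = 23, creds=DEFAULT_CREDS):
    """Try each pair on a fresh connection; return the first accepted pair, else None."""
    for user, password in creds:
        with socket.create_connection((host, port), timeout=5) as sock:
            if try_login(sock, user, password):
                return (user, password)
    return None


def _readline(conn: socket.socket) -> str:
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = conn.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf.strip().decode(errors="replace")


def fake_busybox_device(accepted=("admin", "")) -> socket.socket:
    """Constructed stand-in for an embedded device's Telnet login on 127.0.0.1
    (ephemeral port). Accepts exactly one user/password pair. Not a real device."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(8)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                conn.sendall(bytes([IAC, WILL, 1]) + b"\r\nrouter login: ")
                user = _readline(conn)
                conn.sendall(b"Password: ")
                if (user, _readline(conn)) == accepted:
                    conn.sendall(b"\r\nBusyBox v1.19.4 built-in shell (ash)\r\n# ")
                else:
                    conn.sendall(b"\r\nLogin incorrect\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return srv


def audit_demo(accepted=("admin", "")):
    """Start a fake device that accepts `accepted` and audit it; returns the
    default pair that worked, or None when none of the four is accepted."""
    port = fake_busybox_device(accepted).getsockname()[1]
    return find_default_credentials("127.0.0.1", port)


if __name__ == "__main__":
    print(audit_demo())
```

Each pair gets its own connection because many BusyBox login prompts drop the session after a failure; an audit that reuses one connection would misread the next "login:" prompt as a failed password. A device that takes none of the four pairs still deserves a look: the summary's point is that Telnet with password authentication was exposed at all.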

15 of 222 comments

  1. I can see where this is going by Daetrin · · Score: 5, Insightful

    Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed.

    They're so going to jail.

    --
    This Space Intentionally Left Blank
    1. Re:I can see where this is going by Anubis IV · · Score: 5, Insightful

      If you're an ethical researcher wanting to run a distributed scan of the 'net, the proper way to do it is to use something like PlanetLab, which has been designed for uses like that and is freely available for research use. It's what everyone else uses, and it works great. Either that, or go and use your grant money to provision yourself appropriately for a job like this, which is what we did when I was in grad school. Commandeering routers and other devices for personal use is inexcusable.

      Honestly, my first thought was, "What research ethics committee gave him the go-ahead?" My guess: the researcher didn't ask, because none of them would ever let him do it. Besides consuming bandwidth for tens or hundreds of thousands of Internet users without their consent (some of whom were likely capped), he's also loaded code onto their machines: code which they have no guarantee will work as expected in all circumstances. In fact, for all they know, they may have bricked tens of thousands of devices without realizing they did so, then taken their lack of response later as a simple incompatibility with his code.

      When I was in grad school, we were doing web crawler and search engine research that was considered to be a bit on the edge of what was permissible (and our work resulted in serious threats of lawsuits aimed at our university), but we would never consider doing something like what they did. No credible conference or journal would publish this sort of work either, which is as it should be. Researchers have a responsibility to act responsibly, and this anonymous one didn't.

      Also, you've said it was useful research, but it really wasn't. These vulnerabilities are widely documented, and those researchers were not only able to publish earlier, they were also able to do so without engaging in gross ethical violations.

    2. Re:I can see where this is going by Baloroth · · Score: 4, Insightful

      Useful research into vulnerabilities, wasn't used for personal gain, was reported to educate others and so security lapses could be fixed. They're so going to jail.

      Of course. They broke into others' computers, uploaded and executed binary files on them, without their permission, for their own purposes. That is both illegal and unethical. They should be punished for that.

      The reason why they did it is not terribly relevant (although it doesn't make it worse, since the end was not itself a crime). The ends do not justify the means. Breaking the door of a house down to tell the owners their door is easily broken down is still breaking and entering.

      --
      "None can love freedom heartily, but good men; the rest love not freedom, but license." --John Milton
    3. Re:I can see where this is going by mcgrew · · Score: 4, Insightful

      No, they left binaries on the devices and took data. That's more analogous to someone going into your unlocked house and trading your copy of LOTR with a candy bar wrapper left on the floor. Much more than simple trespass, it's trespassing, littering, vandalism, and theft.

  2. Re:So this is what? by Hatta · · Score: 5, Insightful

    The FBI only cares if you embarrass a major campaign contributor. e.g. AT&T is the largest campaign contributor in the country, beating out even Goldman Sachs.

    --
    Give me Classic Slashdot or give me death!
  3. Re:correction by ls671 · · Score: 4, Funny

    So he is the guy responsible for all these logs on my firewall. I am glad he is over with his research. Those nasty log lines and the alerts I get should now go away!

    Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
    Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
    Mar 19 14:08:24 myhost sshd[15473]: Failed password for root from 58.247.50.59 port 59984 ssh2
    Mar 19 14:08:22 myhost sshd[15471]: Failed password for root from 58.247.50.59 port 59254 ssh2
    Mar 19 14:08:19 myhost sshd[15469]: Failed password for root from 58.247.50.59 port 58527 ssh2
    Mar 19 14:08:17 myhost sshd[15465]: Failed password for root from 58.247.50.59 port 57790 ssh2
    Mar 19 14:08:16 myhost sshd[15463]: Failed password for root from 58.247.50.59 port 57082 ssh2
    Mar 19 14:08:13 myhost sshd[15461]: Failed password for root from 58.247.50.59 port 56363 ssh2
    Mar 19 14:08:11 myhost sshd[15459]: Failed password for root from 58.247.50.59 port 55647 ssh2
    Mar 19 14:08:09 myhost sshd[15457]: Failed password for root from 58.247.50.59 port 54922 ssh2
    Mar 19 14:08:06 myhost sshd[15455]: Failed password for root from 58.247.50.59 port 54195 ssh2
    Mar 19 14:08:04 myhost sshd[15453]: Failed password for root from 58.247.50.59 port 53487 ssh2
    Mar 19 14:08:01 myhost sshd[15449]: Failed password for root from 58.247.50.59 port 52734 ssh2
    Mar 19 14:07:59 myhost sshd[15447]: Failed password for root from 58.247.50.59 port 52018 ssh2
    Mar 19 14:07:57 myhost sshd[15445]: Failed password for root from 58.247.50.59 port 49218 ssh2
    Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12700 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Mar 19 14:08:32 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12699 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0
    Mar 19 14:08:29 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= MAC=00:0a:cd:1c:43:7d:00:26:cb:70:f0:4f:08:00 SRC=58.247.50.59 DST=X.X.X.X LEN=60 TOS=0x00 PREC=0x00 TTL=46 ID=12698 DF PROTO=TCP SPT=33971 DPT=22 WINDOW=14600 RES=0x00 SYN URGP=0

    --
    Everything I write is lies, read between the lines.
  4. Re:Door by NeutronCowboy · · Score: 5, Interesting

    Man, some people are a paranoid bunch. If someone leaves a flyer on my door that says "You had 2 open windows and one unlocked door", and a similar flyer is on everyone's door, I'll actually thank the good Samaritan. If I see someone looking at doors and windows, taking notes, then putting a flyer on my door, I'll ask him what he's doing, why, and find out what he's actually up to. If he's friendly and forthcoming, I'll thank him and send him on his way. If he's belligerent, then maybe I'll start to consider self-defense.

    But to shoot someone just because they are walking around the neighborhood, surveying every house? Yeah, the US doesn't have a gun problem. We have a response problem.

    --
    Those who can, do. Those who can't, sue.
  5. This is all very bad by houghi · · Score: 4, Insightful

    Postings all go about how this is illegal and not about the technical situation.

    It is sad times when people are more worried about the legal threat and ruining their lives and not about the technical implications.

    How many people do not dare to bring solutions because they might be punished?

    --
    Don't fight for your country, if your country does not fight for you.
  6. Which is why by Overzeetop · · Score: 4, Funny

    Which is why I always use admin/root for username and password on my systems. You'd think these people would learn not to be so careless. :-)

    --
    Is it just my observation, or are there way too many stupid people in the world?
  7. Re:After a reboot ...original state by malakai · · Score: 5, Interesting

    They didn't force the reboot. So they don't need to calculate for lost uptime.
    But they do concede what bandwidth they used and processing time. You could argue they used extra energy, CPU load, and bandwidth, and that equates to money.

    What they really got 'lucky' on, is that they didn't code in a fatal flaw and accidentally create something that had a race condition that resulted in distributed DOS to every IP on the network. We've seen things come close to that in the past with worms. I put quotes around lucky, because I think these guys did their homework, and specifically validated their experiment in a limited environment before releasing it.

    That said, your test environment is rarely a perfect simulacrum for the real world.

    It's a very scary grey hat project. I thought this finding was interesting though:

    So, how big is the Internet?
    That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as "in use". Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.

    Based on their rather thorough analysis, only about half the IPv4 address space is being actively used.

    I kind of feel this is a little akin to working with scientific research that comes from morally grey or even black experiments...

    Another thing to consider about this, is based on the platform they built, they could go for the Black Knight approach, and rescue all the flawed devices without their consent. You could easily see taking this project and saying "How do we patch the devices in a way that causes the least amount of harm, and adds the most amount of security".....

    Inoculation can kill though...

    Fine line... very fine line. End of the day, these guys hacked and compromised systems with their own binaries, and then used them to compromise other devices. They'd go to jail if they were discovered. Simple truth.

  8. Re:So this is what? by juancn · · Score: 4, Interesting
    He did 420000 intrusions, it's probably a lot more than that. In NY it would be up to 420000 years just for unauthorized computer use I believe.

    Still, really cool hack (in the classic sense), it is conceptually similar to a Von Neumann probe.

  9. Re:correction by Lumpy · · Score: 5, Interesting

    After 1 attempt for ROOT I blackhole the IP address for 90 days. Nobody should ever try to log in as root, so any login attempt should black hole that IP forever. 3 minutes of script writing is all it takes to do that.

    --
    Do not look at laser with remaining good eye.
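The policy Lumpy describes, run over log lines in the format ls671 posted, as an added example (not Lumpy's script): every sshd "Failed password" line is parsed, any attempt against root earns the source a 90-day blackhole, and the result is rendered as ipset entries with per-address timeouts so the expiry is enforced by the kernel rather than by a cron job. The sample log is constructed (the first two lines follow ls671's post, the others add the cases the policy has to handle); the log year, the allowlist and the set name are assumptions, and the commands are only produced as strings, never executed.

```python
"""Detection over sshd 'Failed password' lines implementing a one-strike,
90-day blackhole for root login attempts. Added example, not Lumpy's script;
log lines are constructed, and LOG_YEAR and ALLOWLIST are assumptions."""
import ipaddress
import re
from datetime import datetime, timedelta

LOG_YEAR = 2013          # syslog timestamps carry no year; assumption for the sample
BLACKHOLE_DAYS = 90
# management networks that must never be blocked (assumption, adjust to your own)
ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8")]

# matches "Failed password for root ..." and "Failed password for invalid user x ..."
SSHD_FAIL = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9a-fA-F.:]+) port \d+ ssh2$"
)

# constructed sample: repeated root attempts, a non-root user, an allowlisted
# source and a kernel line that must be ignored
SAMPLE_LOG = """\
Mar 19 14:08:29 myhost sshd[15477]: Failed password for root from 58.247.50.59 port 33203 ssh2
Mar 19 14:08:26 myhost sshd[15475]: Failed password for root from 58.247.50.59 port 60725 ssh2
Mar 19 14:08:24 myhost sshd[15473]: Failed password for invalid user admin from 203.0.113.7 port 4022 ssh2
Mar 19 14:07:57 myhost sshd[15445]: Failed password for alice from 198.51.100.4 port 49218 ssh2
Mar 19 14:07:50 myhost sshd[15440]: Failed password for root from 10.0.0.9 port 49220 ssh2
Mar 19 14:08:38 myhost kernel: CONNECT LIMIT: IN=eth2 OUT= SRC=58.247.50.59 DST=X.X.X.X PROTO=TCP DPT=22 SYN
""".splitlines()


def parse_failed_logins(lines, year):
    """Yield (timestamp, user, ip) for every sshd failed-password line."""
    for line in lines:
        m = SSHD_FAIL.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["user"], ipaddress.ip_address(m["ip"])


def blackhole_decisions(lines, year, now, users=("root",)):
    """Return {ip: expiry} for sources that tried one of `users`; allowlisted
    sources and entries whose 90 days already passed are left out."""
    decisions = {}
    for ts, user, ip in parse_failed_logins(lines, year):
        if user not in users or any(ip in net for net in ALLOWLIST):
            continue
        expiry = ts + timedelta(days=BLACKHOLE_DAYS)
        if expiry > now and expiry > decisions.get(ip, now):
            decisions[ip] = expiry  # latest attempt wins when an address repeats
    return decisions


def ipset_commands(decisions, now, setname="blackhole"):
    """Render ipset entries whose timeout is the number of seconds left until expiry."""
    cmds = [
        f"ipset create {setname} hash:ip timeout 0 -exist",
        f"iptables -I INPUT -m set --match-set {setname} src -j DROP",
    ]
    for ip, expiry in sorted(decisions.items(), key=lambda kv: (kv[0].version, int(kv[0]))):
        cmds.append(f"ipset add {setname} {ip} timeout {int((expiry - now).total_seconds())} -exist")
    return cmds


def blackhole_demo(now_iso="2013-03-20T00:00:00"):
    """Run the policy over SAMPLE_LOG as of `now_iso`; returns (blocked, commands)."""
    now = datetime.fromisoformat(now_iso)
    decisions = blackhole_decisions(SAMPLE_LOG, LOG_YEAR, now)
    blocked = {str(ip): exp.isoformat() for ip, exp in decisions.items()}
    return blocked, ipset_commands(decisions, now)


if __name__ == "__main__":
    for cmd in blackhole_demo()[1]:
        print(cmd)
```

Two caveats a practitioner will want. The one-strike rule is only safe once root password login is already disabled (PermitRootLogin no or prohibit-password), because then any root attempt is by definition hostile; until then a single typo by an administrator earns a 90-day lockout, which is what the allowlist is for. And because sshd only logs the source of an established TCP session, these addresses cannot be spoofed into the log, so blocking on them does not let a third party get your peers blackholed.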
  10. Re:Door by malakai · · Score: 4, Informative

    This wasn't a simple port scan. I RTFA, so let me help you out.

    He (there is no They or We, read the end of the article) compromised devices and uploaded his own code. He was 'nice' about it, in the sense he set the priority to 'NICE' and he put in some watchdogs and throttled bandwidth usage. He then used those compromised devices to further utilize other devices to do even more work (like using your Router HTTP interface to execute Traceroute on his behalf, possibly inside your network).

    For the vast majority of the IPs he just NMAP/ICMP, sure, that's nothing these days. For the half a million devices he turned into his own bot net.... that's illegal.

    Also, he then released all the data. You could say that's good, or you can say that as a script kiddie, all I have to do is d/l that torrent to get a list of IPs that run a version/flavor that I have a 0day on. No more need to scan the net myself.

    This is going to accelerate bot net growth. That may be good, maybe we'll finally figure out some way to detach/block IP's that fail to patch.

  11. Re:Why are there no counter attacks? by Jah-Wren Ryel · · Score: 5, Interesting

    I mean after 30+ years of connected networks there is no such thing as an offensive strike in cyber terrorism?

    Because it is a terrible, terrible idea. If automated counter-attacks were to become the norm, then all it would take to start a "war" between two groups is for someone to compromise just one system at the first group and set it to attacking the second group. Think mutual assured destruction except Anonymous has their finger on the button and it's labeled "lulz."

    --
    When information is power, privacy is freedom.
  12. Re:correction by viperidaenz · · Score: 4, Funny

    Just take a root login attempt from Slashdot's hosts. Then we won't have to hear from him for 90 days.