
Carna botnet – an interesting, amoral and illegal internet census

20 March 2013

It started from a joke – we should try root:root to log on to random IP addresses. But it evolved from that into a botnet of port scanners able to port scan the entire IPv4 internet in very short order: a complete IPv4 internet census.

The hacker/researcher concerned says he had no malicious intent, just a positive purpose. In reality, his motivation was pure old-school hacker: “I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the internet in a way very few people ever will. I decided it would be worth my time.” In other words, his ultimate drive was his own curiosity and because he could.

The binaries he developed and deployed – it’s difficult to call them malware since they had no mal-intent; but it’s difficult not to call them malware since they were installed without invitation – were designed to do no harm, to run at the lowest possible priority, and included a watchdog to self-destruct if anything went wrong. He also included a readme file with “a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project.”

The results from the project are worrying but perhaps not surprising to other security researchers: “insecure devices are located basically everywhere on the Internet.” He does note, however, that his unofficial census shows that people are cavalier in what they attach to the internet. “If you believe that ‘nobody would connect that to the internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn't be on the Internet but will probably be found a few times’ it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”

He concludes that “while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.”

Whether the results he has made available to other researchers are of any real value, however, is a different matter. “The actual research itself is noteworthy in that it is the most comprehensive Internet-wide scan,” comments Mark Schloesser, a security researcher at Rapid7. “I’m still reviewing the findings, but so far nothing ‘mind-blowing’ has leapt out at me.” Nevertheless, he adds, “Generally this kind of research raises awareness of the real security and configuration issues affecting people, and hopefully helps them identify areas for action.”

This article is featured in:
Internet and Network Security

 
