Carna botnet – an interesting, amoral and illegal internet census

The hacker/researcher concerned says he had no malicious intent, just a positive purpose. In reality, his motivation was pure old-school hacker: “I saw the chance to really work on an Internet scale, command hundred thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the internet in a way very few people ever will. I decided it would be worth my time.” In other words, his ultimate drive was his own curiosity and because he could.

The binaries he developed and deployed – it’s difficult to call them malware since they had no mal-intent; but it’s difficult not to call them malware since they were installed without invitation – were designed to do no harm, to run at the lowest possible priority, and included a watchdog to self-destruct if anything went wrong. He also included a readme file with “a contact email address to provide feedback for security researchers, ISPs and law enforcement who may notice the project.”

The results from the project are worrying but perhaps not surprising to other security researchers: “insecure devices are located basically everywhere on the Internet.” He does note, however, that his unofficial census shows that people are cavalier in what they attach to the internet. “If you believe that ‘nobody would connect that to the internet, really nobody’, there are at least 1000 people who did. Whenever you think ‘that shouldn't be on the Internet but will probably be found a few times’ it's there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”

He concludes that “while everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world.”

Whether the results he has made available to other researchers is of any real value, however, is a different matter. “The actual research itself is noteworthy in that it is the most comprehensive Internet-wide scan,” comments Mark Schloesser, a security researcher at Rapid7. “I’m still reviewing the findings, but so far nothing ‘mind-blowing’ has leapt out at me.” Nevertheless, he adds, “Generally this kind of research raises awareness of the real security and configuration issues affecting people, and hopefully helps them identify areas for action.”

What’s hot on Infosecurity Magazine?