DeepSec 2013 Talk: Europe In The Carna Botnet – Telnet’s Threat To The Largest Economy
Botnets have been around since 1999. These herds of networked and compromised systems (called zombies) are the tool of the trade for many groups. It’s the zombie outbreak of the information age. The analysis of existing botnets is an important task of security researchers around the globe. The study of the malware involved, the infection process and the inter-node communication of the infected systems is crucial for the dismantling of the botnet. Therefore we are happy to present Parth Shukla’s talk on the Carna botnet. It was created by an anonymous hacker to create a census of the (IPv4) Internet.
Parth has been analysing the devices that formed part of the Carna Botnet. The data concerning the devices was provided by the anonymous researcher. He has distributed the relevant data to many CERTs and related organisations across the world.
The Carna Botnet consisted of about 1.3 million devices worldwide that were compromised in order to perform a complete scan of the IPv4 Internet. The result of this scan was published in a paper called “Internet Census 2012”. However, the list of devices that that were used to perform the scan has never been made public.
This is an unusual botnet as no user interaction is required for a device to be vulnerable to the attack vector exploited by the Carna Botnet. The Carna Botnet scanned all allocated IPv4 ranges looking for an open telnet port and attempted to login with one of many default credentials. Default credentials would be things like username=admin and password=admin. Once a device was compromised, the device would then look for further vulnerable devices to compromise, essentially acting like a worm. A total of 1.3 million identifiable devices were found using this method. A lot of devices compromised had very limited shell so you couldn’t even run the command ‘ifconfig’ to get info on the MAC address or IP address. Such devices are not included in the 1.3 million that Parth has been analysing because it is difficult to identify them.
The analysis reveals that these vulnerable devices are rampant on the Internet. If scanning random IP ranges, it would take on average 4 minutes 30 seconds to find a vulnerable device in the world. If focusing only on IP ranges within Asia the time span is reduced to 1 minute 23 seconds. For Indian IP ranges it takes 60 seconds. For Chinese IP ranges 45 seconds. For IP ranges in Hong Kong, only about 13 seconds!
Certain manufacturers are more prominent in the data, revealing that this problem is concentrated to devices made by these few certain manufacturers. However, collaboration across multiple industries is required to tackle this problem before the transition to IPv6 is completed. The number of actual vulnerable devices on IPv4 is likely to be a lot more than 1.3 million, however these would not be in our data due to NAT. But after the IPv6 transition, once NAT is gone, poor router firewalls could expose a lot more vulnerable devices. Therefore transition to IPv6 is our ultimate deadline to dealing with this problem.
Fighting botnets cannot be done by individuals or small groups. It is an collaborate effort and requires participation. We highly recommend attending Parth’s talk and get in touch with him regarding his research about the Carna botnet.