
List:       full-disclosure
Subject:    Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
From:       Gage Bystrom <themadichib0d () gmail ! com>
Date:       2013-03-27 21:34:04
Message-ID: CAM2Hf5mHTKfCuofugWLV3sVOhrSyKf98e1pbFC1eTA-0xkdQVA () mail ! gmail ! com


I think it's simply a case of everyone more or less knew this was possible
and quite easy to pull off, just no one publicly bothered to get around to
doing it till now. After all, it's just a large mass of low-hanging fruit
compromised to gather data. I'm more impressed by how they aggregated said
data together without leaving a nasty trail. Of course I'm giving them the
benefit of the doubt that they covered their tracks reasonably or have some
sort of means to not worry about law enforcement.
On Mar 26, 2013 8:23 PM, "Stefan Jon Silverman" <sjs@sjsinc.com> wrote:

> Was really surprised that outside of Vladis's comment on feeding the
> BlackHats this provoked no further discussion...w/in a few minutes of it
> arriving I had fired off a forward to several colleagues w/ the comment
> that it should provoke an interesting discussion here on the sheer number
> of compromised devices to accomplish his goal....dead air....oh well,
> sometimes sh*t happens and sometimes it doesn't...
> 
> Until this ended up in an eNewsRag in my inbox today (good read): "*The
> Dark Side of the Internet of Things*" -->
> http://www.networkcomputing.com/next-generation-data-center/servers/the-dark-side-of-the-internet-of-things/240151608
>  
> 
> Regards,
> Stefan
> 
> **************************************************************************
> *Stefan Jon Silverman* <http://www.sjsinc.com/cgi-bin/DoRedirect?sig-google> - Founder / President
> SJS Associates, N.A., Inc.
> A Technology Strategy Consultancy
> **************************************************************************
> Cell  *917 929 1668*                               eMail  *sjs@sjsinc.com*
> *www.sjsinc.com* <http://www.sjsinc.com/?%20eMail%20Sig>
> **************************************************************************
> Aim/Skype/GoogleIM: *LazloInSF*              Twitter/Yahoo: *sjs_sf*
> **************************************************************************
> Weebles wobble but they don't fall down!!!!
> **************************************************************************
> 
> On 3/17/2013 4:54 PM, internet census wrote:
> 
> ---------------------  Internet Census 2012  ---------------------
> 
> -------- Port scanning /0 using insecure embedded devices --------
> 
> -------------------------  Carna Botnet  -------------------------
> 
> 
> While playing around with the Nmap Scripting Engine we discovered an amazing
> number of open embedded devices on the Internet. Many of them are based on
> Linux and allow login to standard BusyBox with empty or default credentials.
> From March to December 2012 we used ~420 Thousand insecure embedded devices
> as a distributed port scanner to scan all IPv4 addresses.
> These scans include service probes for the most common ports, ICMP ping,
> reverse DNS and SYN scans. We analyzed some of the data to get an estimation
> of the IP address usage.
> 
> All data gathered during our research is released into the public domain for
> further study. The full 9 TB dataset has been compressed to 565GB using ZPAQ
> and is available via BitTorrent. The dataset contains:
> - 52 billion ICMP ping probes
> - 10.5 billion reverse DNS records
> - 180 billion service probe records
> - 2.8 billion SYN scan records for 660 million IPs with 71 billion ports tested
> - 80 million TCP/IP fingerprints
> - 75 million IP ID sequence records
> - 68 million traceroute records
> 
> 
> This project is, to our knowledge, the largest and most comprehensive
> IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012
> may have been the last time a census like this was possible. Full documentation,
> including statistics and images, can be found on the project page.
> 
> We hope other researchers will find the data we have collected useful and that
> this publication will help raise some awareness that, while everybody is talking
> about high class exploits and cyberwar, four simple stupid default telnet
> passwords can give you access to hundreds of thousands of consumer as well as
> tens of thousands of industrial devices all over the world.
> 
> No devices were harmed during this experiment and our botnet has now ceased its
> activity.
> 
> 
> 
> Project Page:
> http://internetcensus2012.bitbucket.org/
> http://internetcensus2012.github.com/InternetCensus2012/
> http://census2012.sourceforge.net/
> 
> Torrent MAGNET LINK:
> magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fe&dn=InternetCensus2012&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce
>  
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
> 
> 
> 
> 

