[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
- To: internet census <internetcensus2012@xxxxxxxx>
- Subject: Re: [Full-disclosure] Port scanning /0 using insecure embedded devices
- From: Stefan Jon Silverman <sjs@xxxxxxxxxx>
- Date: Tue, 26 Mar 2013 20:21:39 -0700
<html>
<head>
<meta content="text/html; charset=ISO-8859-1"
http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix"><font size="-1"><font face="Arial">Was
really <font size="-1">surprised</font> t<font size="-1">hat
outside of Vladis's comment on feeding the BlackHats this
provoked no further discussion...w/in a few minutes of it
arriving I had fired off a <font size="-1">forward to
several colleagues w/ the comment that it should provoke
an <font size="-1">interesting</font> discussion <font
size="-1">here</font> on the sheer number of compromised
devices to accomplish his goal....dead air....oh well,
sometimes sh*t happens and sometimes is doesn't...<br>
<br>
<font size="-1">Until this ended up in an eNewsRag in my
inbox today (good read):
"</font></font></font></font></font><font
size="-1"><font face="Arial"><font size="-1"><font size="-1"><font
size="-1"><b>The Dark Side of the Internet of Things</b>"
--> <a
href="http://www.networkcomputing.com/next-generation-data-center/servers/the-dark-side-of-the-internet-of-things/240151608";>http://www.networkcomputing.com/next-generation-data-center/servers/the-dark-side-of-the-internet-of-things/240151608</a></font><br>
</font></font></font></font>
<div class="moz-signature">
<title>Message</title>
<meta http-equiv="Content-Type" content="text/html;
charset=ISO-8859-1">
<meta content="MSHTML 6.00.2900.2668" name="GENERATOR">
<div> </div>
<div> </div>
<div>
<div align="left">
<div align="left"><font size="2" face="Arial">Regards,</font></div>
<div align="left"><font size="2" face="Arial">Stefan</font></div>
<div align="left"> </div>
<div align="left"><font size="2"
face="Arial">**************************************************************************<br>
<span
class="406481714-22042004"> </span> <a
href="http://www.sjsinc.com/cgi-bin/DoRedirect?sig-google";><strong>Stefan
Jon Silverman</strong></a> - Founder / President<br>
<span
class="406481714-22042004">
</span> <span
class="406481714-22042004"> </span>SJS Associates,
N.A., Inc.<br>
<span
class="406481714-22042004"> </span> A
Technology Strategy Consultancy</font></div>
<div align="left"><font size="2"
face="Arial">**************************************************************************<br>
</font><span class="406481714-22042004"><font face="Arial"><font
size="2"><span class="266234215-06082004">Cell
</span><strong>917
929 1668</strong><span
class="266234215-06082004">
<span
class="406481714-22042004"><span
class="406481714-22042004"></span><a
href="mailto:sjs@xxxxxxxxxx";><strong>sjs@xxxxxxxxxx</strong></a>
eMail</span></span></font></font></span></div>
<div align="left"><span class="406481714-22042004"><span
class="266234215-06082004"><font size="2"
face="Arial"> <span
class="146163119-06072005">
</span> </font><span
class="406481714-22042004"><font size="2"
face="Arial"> </font><a
href="http://www.sjsinc.com/?%20eMail%20Sig";><font
size="2"
face="Arial"><strong>www.sjsinc.com</strong></font></a><font
size="2" face="Arial"> </font><span
class="406481714-22042004"><br>
</span><font size="2"
face="Arial">**************************************************************************
</font></span></span></span></div>
<div align="left"><span class="406481714-22042004"><span
class="266234215-06082004"><span
class="406481714-22042004"><font size="2"
face="Arial">Aim/Skype/GoogleIM: <font
color="#0000ff"><strong>LazloInSF</strong></font><span
class="739403617-04042003"> <span
class="266234215-06082004"> <span
class="535065215-06082004">
</span></span></span>Twitter/Y<span
class="535065215-06082004">a</span><span
class="535065215-06082004">hoo</span>: </font><font
face="Arial"><font size="2"><font
color="#0000ff"><strong>sjs_sf</strong><br>
</font>**************************************************************************
<br>
Weebles
wobble but they don't fall
down!!!! <br>
**************************************************************************
<!--TMP-LFT <BR><IMG
SRC="http://www.sjsinc.com/cgi-bin/1pix-img?XXXSigToken"; BORDER=0 HEIGHT=0
WIDTH=0 > <BR> TMP-RT--><!-- --><br>
</font></font></span></span></span></div>
</div>
</div>
<div> </div>
</div>
On 3/17/2013 4:54 PM, internet census wrote:<br>
</div>
<blockquote cite="mid:20130317235437.199750@xxxxxxx" type="cite">
<pre wrap="">--------------------- Internet Census 2012
---------------------
-------- Port scanning /0 using insecure embedded devices --------
------------------------- Carna Botnet -------------------------
While playing around with the Nmap Scripting Engine we discovered an
amazing
number of open embedded devices on the Internet. Many of them are based on
Linux and allow login to standard BusyBox with empty or default
credentials.
From March to December 2012 we used ~420 Thousand insecure embedded
devices
as a distributed port scanner to scan all IPv4 addresses.
These scans include service probes for the most common ports, ICMP ping,
reverse DNS and SYN scans. We analyzed some of the data to get an
estimation
of the IP address usage.
All data gathered during our research is released into the public domain
for
further study. The full 9 TB dataset has been compressed to 565GB using
ZPAQ
and is available via BitTorrent. The dataset contains:
- 52 billion ICMP ping probes
- 10.5 billion reverse DNS records
- 180 billion service probe records
- 2.8 billion sync scan records for 660 million IPs with 71 billion ports tested
- 80 million TCP/IP fingerprints
- 75 million IP ID sequence records
- 68 million traceroute records
This project is, to our knowledge, the largest and most comprehensive
IPv4 census ever. With a growing number of IPv6 hosts on the Internet,
2012
may have been the last time a census like this was possible. A full
documention,
including statistics and images, can be found on the project page.
We hope other researchers will find the data we have collected useful and
that
this publication will help raise some awareness that, while everybody is talking
about high class exploits and cyberwar, four simple stupid default telnet
passwords can give you access to hundreds of thousands of consumer as well
as
tens of thousands of industrial devices all over the world.
No devices were harmed during this experiment and our botnet has now ceased
its
activity.
Project Page:
<a class="moz-txt-link-freetext"
href="http://internetcensus2012.bitbucket.org/";>http://internetcensus2012.bitbucket.org/</a>
<a class="moz-txt-link-freetext"
href="http://internetcensus2012.github.com/InternetCensus2012/";>http://internetcensus2012.github.com/InternetCensus2012/</a>
<a class="moz-txt-link-freetext"
href="http://census2012.sourceforge.net/";>http://census2012.sourceforge.net/</a>
Torrent MAGNET LINK:
magnet:?xt=urn:btih:7e138693170629fa7835d52798be18ab2fb847fe&dn=InternetCensus2012&tr=udp%3a%2f%2ftracker.openbittorrent.com%3a80%
2fannounce&tr=udp%3a%2f%2ftracker.ccc.de%3a80%2fannounce&tr=udp%3a%2f%2ftracker.publicbt.com%3a80%2fannounce
_______________________________________________
Full-Disclosure - We believe in it.
Charter: <a class="moz-txt-link-freetext"
href="http://lists.grok.org.uk/full-disclosure-charter.html";>http://lists.grok.org.uk/full-disclosure-charter.html</a>
Hosted and sponsored by Secunia - <a class="moz-txt-link-freetext"
href="http://secunia.com/";>http://secunia.com/</a></pre>
</blockquote>
<br>
</body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/