An experiment with Botnets

http://www.bbc.co.uk/news/technology-21875127

A surreptitious scan of the entire internet has revealed millions of printers, webcams and set-top boxes protected only by default passwords.

An anonymous researcher used more than 420,000 of these insecure devices to test the security and responsiveness of other gadgets, in a nine-month survey.

Using custom-written code, they sent out more than four trillion messages.

The net's current addressing scheme accommodates about 4.2 billion devices. Only 1.3 billion addresses responded.

The number of addresses responding was a surprise as the pool of addresses for that scheme has run dry. As a result, the net is currently going through a transition to a new scheme that has a vastly larger pool of addresses available.

Based on this paper.

http://internetcensus2012.bitbucket.org/paper.html

Internet Census 2012

Port scanning /0 using insecure embedded devices

Carna Botnet

Abstract

While playing around with the Nmap Scripting Engine (NSE) we discovered an amazing number of open embedded devices on the Internet. Many of them are based on Linux and allow login to standard BusyBox with empty or default credentials. We used these devices to build a distributed port scanner to scan all IPv4 addresses. These scans include service probes for the most common ports, ICMP ping, reverse DNS and SYN scans. We analyzed some of the data to get an estimation of the IP address usage.

All data gathered during our research is released into the public domain for further study.

1 Introduction

Two years ago while spending some time with the Nmap Scripting Engine (NSE) someone mentioned that we should try the classic telnet login root:root on random IP addresses. This was meant as a joke, but was given a try. We started scanning and quickly realized that there should be several thousand unprotected devices on the Internet.

After completing the scan of roughly one hundred thousand IP addresses, we realized the number of insecure devices must be at least one hundred thousand. Starting with one device and assuming a scan speed of ten IP addresses per second, it should find the next open device within one hour. The scan rate would be doubled if we deployed a scanner to the newly found device. After doubling the scan rate in this way about 16.5 times, all unprotected devices would be found; this would take only 16.5 hours. Additionally, with one hundred thousand devices scanning at ten probes per second we would have a distributed port scanner to port scan the entire IPv4 Internet within one hour.

hack hack hack hack hack.

1 - Change the default passwords.

2 - If you are worried about security, do NOT connect the device to the Internet.

The more things are connected the more problems we are going to see with all this technology.


It means that many devices connected to the Internet are still using the manufacturer's default username and password. In many cases people don't see the need to change or secure that stuff because they think it does not happen to them. In a world of everything being so interconnected, these things are bound to be found out.

I don't think that it is really talking about printers connected directly to your PC. More it is talking about if your printer is connected to your network through a router or wifi and you have not secured it in some way. So it would not be that hard to take over your printer, or render it useless by changing or messing with software/hardware settings.

But for me I unplug items a good deal of the time. I have a webcam which is USB to the PC, and I unplug it when I am not using it. I do have my network secure, but I have experienced it before with a backdoor virus where someone was able to connect to my MSN list and take complete control of my computer. Back door viruses are a different situation where no matter how much security you have, if the virus allows a remote user to connect, your PC are belong to them.


What does this mean in English - unplug my printer?

It means get a router with a firewall. In most cases the default settings will block all external access to your computers at your home (even if you keep the default password). Most wireless routers you can buy at places like Future Shop have a firewall.

As a general rule NEVER connect anything other than your router with a firewall to your telco/cable box. If you travel and use hotel connections ALWAYS enable the Windows firewall and set the network type 'public'.


It means get a router with a firewall. In most cases the default settings will block all external access to your computers at your home (even if you keep the default password). Most wireless routers you can buy at places like Future Shop have a firewall.

As a general rule NEVER connect anything other than your router with a firewall to your telco/cable box. If you travel and use hotel connections ALWAYS enable the Windows firewall and set the network type 'public'.

Unless you lock down all the ports as well, you still run a risk. There are 65,000 ports by nature of the TCP/IP protocol. Configure the router and your apps to work on a few selected ports and lock all the other ones out.

Unless you lock down all the ports as well, you still run a risk. There are 65,000 ports by nature of the TCP/IP protocol. Configure the router and your apps to work on a few selected ports and lock all the other ones out.

By default all incoming ports are blocked with these cheap routers. Also - I don't agree with the premise that an open port is automatically a security risk - it is only a security risk if you don't know or don't trust what is listening on that port. If nothing is listening then there is absolutely no risk.

By default all incoming ports are blocked with these cheap routers. Also - I don't agree with the premise that an open port is automatically a security risk - it is only a security risk if you don't know or don't trust what is listening on that port. If nothing is listening then there is absolutely no risk.

Port 80. Most commonly used port, specifically used for bringing web page content to your browser. So many plugins for browsers and toolbars will use Port 80 as well. And in many cases, we have seen many security flaws in something like Internet Explorer which no matter how much protection you have, all rendered useless by some flaw that even Microsoft does not even know about. Happens quite often.

Port 80. Most commonly used port, specifically used for bringing web page content to your browser.

You would need to have a web server running on your PC for port 80 to be a concern to these port scanners. The vast majority of people don't do that and the standard firewall routers block port 80 by default anyways. The browser only enters into the equation if you are going OUT on port 80 which is an entirely different problem that has nothing to do with your initial post.
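The distinction drawn in the two posts above, that a port only matters to an outside scanner when something is listening on it, can be checked on a Linux host by reading the kernel's TCP socket table. This is an added example, not part of the original thread; the sample table, the addresses in it and the `expected_ports` allowlist are constructed for illustration, and a little-endian host is assumed.

```python
import ipaddress
import socket
import struct

# Constructed sample in the Linux /proc/net/tcp layout (not captured from a real host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1
   2: 6401A8C0:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 33333 1
   3: 6401A8C0:C350 0A0200C0:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 44444 1
"""

TCP_LISTEN = 0x0A  # kernel state code for a socket waiting for inbound connections


def parse_listeners(table):
    """Return (ip, port) for every IPv4 socket in LISTEN state."""
    listeners = []
    for line in table.splitlines()[1:]:  # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue  # e.g. row 3: an ESTABLISHED outbound connection to port 443
        hex_ip, hex_port = fields[1].split(":")
        # The address is printed as a native-endian 32-bit word; "<I" assumes
        # a little-endian machine (x86, most ARM).
        ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
        listeners.append((ip, int(hex_port, 16)))
    return listeners


def unexpected_exposed(listeners, expected_ports):
    """Listeners reachable from other hosts that are not on the owner's allowlist."""
    exposed = []
    for ip, port in listeners:
        if ipaddress.ip_address(ip).is_loopback:
            continue  # bound to 127.0.0.1: only this machine can connect
        if port not in expected_ports:
            exposed.append((ip, port))
    return exposed


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_PROC_NET_TCP)
    for ip, port in unexpected_exposed(found, expected_ports={80}):
        print(f"unplanned listener reachable from the network: {ip}:{port}")
```

On a real Linux machine the same functions can be given the contents of `/proc/net/tcp` in place of the sample string.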

You would need to have a web server running on your PC for port 80 to be a concern to these port scanners. The vast majority of people don't do that and the standard firewall routers block port 80 by default anyways. The browser only enters into the equation if you are going OUT on port 80 which is an entirely different problem that has nothing to do with your initial post.

Yes I would say this does not have anything to do with the OP, but I will add this ....

You don't need to run a web server to have issues on Port 80. By nature of the TCP/IP protocol, there is a signal going both ways, from your PC to the website, and then back again. There are some services that can use UDP (which does not need a reply) but in the majority of cases there will be a data packet sent out, and one returned on the same port.

Yes the article deals with port scanning for open ports, and latching on to a PC via backdoor virus is a different situation.

