
The security implications of 420,000 vulnerable hosts

Patrick Lambert presents a case of security findings that could get its researcher jail time. Is there such a thing as a "benevolent" botnet?

If you follow security news, or even just the tech press, you may have seen links to a very interesting paper about a researcher who mapped the entire IPv4 Internet space to see which hosts were alive, where they were in the world, and how much of the currently allocated IP space is in use. The more attention-grabbing headline, however, is the fact that to accomplish this, he created a 420,000-node botnet. He used low-security hosts where he could easily get in and deploy his script that would help map the Internet and create some amazing graphics like the one above.

Illegal botnet...or good research?

But of course, while the results are very interesting and have been covered on many sites, the security implications are many and have mostly been brushed under the rug. It is worth going through these implications and what they mean for us and the Internet as a whole. The first obvious issue with this type of research is that while he had no malicious intent, and the scripts he deployed did not contain any viruses or malware, he still deployed code to computers in an unauthorized manner. When publishing his paper, this researcher stayed anonymous, and for good reason. The US Government goes after hackers and those they consider to be computer criminals with great zeal. Earlier this month the infamous AT&T hacker was sentenced to 41 months in prison for accessing a publicly available URL and then releasing its content to the press. That's four years in jail for going to a public URL.

Still, it does appear that the anonymous researcher did everything he could to make the botnet experiment seem benevolent, even going so far as to leave a ReadMe file on each host with an explanation of the project. The result he got is certainly quite impressive, and paints some interesting pictures of the Internet. For example, it's striking how many IP ranges are allocated but unused. However, he did disclose just how he managed to get into so many hosts, which creates a huge potential for mischief. (See Michael Kassner's recent post for more perspective, "Is uncovering digital vulnerabilities doing more harm than good?")

The way his scripts got into so many hosts is by using Telnet, and trying four username/password combinations: admin/admin, root/root, admin/(blank) and root/(blank). Any security pro, or in fact anyone using computers for any period of time, would know that these are terrible passwords. Even home routers come better secured than that these days. But apparently, there are quite a number of devices that used to come with these ridiculous defaults. And there are still 420,000 of them in use today.
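From the defender's side, the four credential pairs the article names are exactly what a Telnet login log should be watched for. The following is an added example (not code from the article or the paper): it parses constructed, hypothetical syslog-style telnetd login records, counts attempts that use one of those factory defaults per source address, flags sources that cycle through several of them, and reports any default pair that actually succeeded. The log format, hostnames and addresses are assumptions made for the example.

```python
import re
from collections import Counter

# The default username/password pairs the article says the botnet tried.
DEFAULT_CREDS = {("admin", "admin"), ("root", "root"), ("admin", ""), ("root", "")}

# Constructed sample log lines in a hypothetical syslog-like shape; not the
# output of any particular telnetd. Addresses are from documentation ranges.
SAMPLE_LOG = """\
Mar 20 02:11:04 gw telnetd[412]: login attempt from 203.0.113.7 user=root pass=root result=FAIL
Mar 20 02:11:05 gw telnetd[412]: login attempt from 203.0.113.7 user=root pass= result=FAIL
Mar 20 02:11:06 gw telnetd[412]: login attempt from 203.0.113.7 user=admin pass=admin result=SUCCESS
Mar 20 02:11:07 gw telnetd[412]: login attempt from 203.0.113.7 user=admin pass= result=FAIL
Mar 20 02:12:31 gw telnetd[412]: login attempt from 198.51.100.9 user=alice pass=hunter2 result=FAIL
Mar 20 02:13:00 gw telnetd[412]: login attempt from 192.0.2.44 user=admin pass=admin result=FAIL
"""

LINE_RE = re.compile(
    r"login attempt from (?P<src>\d+\.\d+\.\d+\.\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<res>\w+)"
)

def parse_line(line):
    """Return (src, user, password, success) or None for non-login lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m["src"], m["user"], m["pw"], m["res"] == "SUCCESS"

def analyze(log_text, burst_threshold=3):
    """Count default-credential attempts per source and flag successes/bursts."""
    default_hits = Counter()
    default_successes = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src, user, pw, ok = rec
        if (user, pw) in DEFAULT_CREDS:      # only the factory defaults count
            default_hits[src] += 1
            if ok:                           # a default pair actually worked
                default_successes.append((src, user))
    bursty = sorted(s for s, n in default_hits.items() if n >= burst_threshold)
    return {"default_hits": dict(default_hits),
            "default_successes": default_successes,
            "bursty_sources": bursty}

if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for src in report["bursty_sources"]:
        print(f"ALERT {src}: {report['default_hits'][src]} default-credential attempts")
    for src, user in report["default_successes"]:
        print(f"COMPROMISE {src} logged in as {user!r} with a factory default")
```

A successful entry in `default_successes` means the device still has a factory password and should be treated as compromised, not merely probed.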

The other scary thought is that all of this was achieved in only one day. From this paper, we learn that in order to scan all 3.6 billion addresses on the Internet, it would take 4,000 scanners just under a day to do it. That is a very fast time frame in which to build such an impressive botnet, and of course the complete list of exploitable sites is available in a torrent he released, over 1 TB in size. One could imagine that with the release of such damning information, the owners of those wide-open hosts will be closing these holes. But if such old systems are still being used in an unsecured manner to this day, the chance that their owners will act now is slim. So don't be surprised if bad guys all over the world are jumping onto this with both feet.

Finally, the paper also reveals that while doing this, the researcher encountered yet another botnet that was already established on some of these open hosts, and tried to compete with it. This is a case of good guys versus bad guys in an Old West-style shootout. But while this may give some people ideas about vigilante justice, the authorities have always been very clear that breaking the law like that, even with good intentions, is not okay. Even if you know someone is infected by malware, going onto their system and removing that malware without their consent can cause you a lot of problems.

For now, it doesn't appear that this new paper has led to an increase in malware propagation. Trend Micro runs a botnet activity scanner which shows how active these cyber criminals are, and so far botnet activity seems pretty stable, but that could eventually change. Of course, the fact that a lot of hosts out there are vulnerable is not a new idea. For example, last year at DefCon a hacker scanned the entire net in 20 days without resorting to this sort of technique, and he came to a very similar conclusion -- that 450,000 hosts were vulnerable. You also don't need to be a DefCon hacker to do this. The Shodan project offers information on millions of hosts for free to everyone, all nicely categorized, and some of the most used public searches are things like webcam, scada, default password, and Snom VOIP phones with no authentication. I'll let you imagine why that is.

So what does this all mean for us? It's just another confirmation of how easy and fast it can be to find vulnerabilities online. If the entire Internet can be scanned and mapped inside of a day, then this simply illustrates how critical it is to do your updates on a constant basis, and not leave any security hole exposed for any period of time. Quite often, hours is plenty of time for someone out there to detect your vulnerability. The Internet is still the Old West for these types of things, and only eternal vigilance will help keep us safe.

About

Patrick Lambert has been working in the tech industry for over 15 years, both as an online freelancer and in companies around Montreal, Canada. A fan of Star Wars, gaming, technology, and art, he writes for several sites including the art news commun...

13 comments
wdewey@cityofsalem.net

I am curious about the BGP routers that this researcher found. I personally can't see any company that has a valid AS number overlooking default usernames and passwords on their external devices. If you really want to mess with an organization BGP is the way to do it. Just google "Pakistan bgp youtube". Bill

Gisabun

Personally, scanning all [?] IP addresses is unethical and probably illegal in some countries - even scanning just one port.

leifnel

That will give infinitely more IPs to scan and to hide in :-)

bradleyross

Two items: It is possible that many of those vulnerable systems might have been honey pots trying to lure people into hacking them and revealing themselves. Many of the blocks of IP addresses that were allocated but unused might have been blocked by various firewalls or inaccessible for other reasons. They also might have had ping and telnet turned off.

mckinnej

Anytime someone does some "white hat" research/testing and publishes their results (which are almost always bad news), the so-called experts get all up in arms. Apparently they think that no one should be doing this testing, except maybe themselves, which they obviously are not doing or are not doing well. The obvious problem with that is the bad guys ARE testing and prodding and probing, ALL THE TIME. As tssys pointed out, "they" already know about this vulnerability or one very similar and have already used it. I would guess the reason it hasn't been used more is due to the limited horsepower and storage space these devices typically have. Maybe the whitehat's issue is the publication of results? They need to remove those rose-colored glasses. Keeping the results secret does not fix the problem or keep it secret. As we've seen over and over, the bad guys probably already know because they work at it harder. Also, most of the problems we see require one or more corporations to take action to fix the problem. Sorry, but they will do nothing unless there is profit in it (or to prevent a loss in profit). In this case the devices sound like they need a firmware update or for a user to change the password, if that's possible. (I have one device with the password embedded in the firmware. I would never expose it to the net for that very reason.) If the customers are unaware of the problem, there will be no pressure on the company to fix the problem, so they won't. There is no profit in it, so why should they? Unless the problem is exposed through published results, they have no motivation. It might not be the "right thing to do" in most people's eyes, but it is the reality of the world we live in.

jp-eng

He also used the silliest possible set of username/passwords. True, telnet is a mainly unix feature/problem and linux is a unix-like system. But unix-like also includes bsd, all the proprietary unixes, and many proprietary systems that offer unix-like resources including telnet. And as even most (all?) TR commentators have pointed out, no system is proof against foolish users, particularly system administration/programmer users!

Slayer_

It makes no difference to the amount of hacking going on.

tsssys

I don't think that the paper states (or implies) that there are 420,000 vulnerable linux servers out on the web. Most of the "vulnerable" devices weren't available for their binaries. From the paper: "The vast majority of all unprotected devices are consumer routers or set-top boxes which can be found in groups of thousands of devices. A group consists of machines that have the same CPU and the same amount of RAM. However, there are many small groups of machines that are only available a few to a few hundred times. We took a closer look at some of those devices to see what their purpose might be and quickly found IPSec routers, BGP routers, x86 equipment with crypto accelerator cards, industrial control systems, physical door security systems, big Cisco/Juniper equipment and so on." "Approximately 70% of all open devices are either too small, don't run linux or only have a very limited telnet interface making it impossible to start or even upload a binary." Apparently what was left wasn't all just linux webservers. It seems that most of these bots were other devices. Consider this: "Within one day our binary was deployed to around one hundred thousand devices - enough for our research purposes. We believe Aidra gained a little more than half of that amount." More info on the Aidra botnet from atma.es: "In January 2012 we started detecting a great amount of attacks -mainly Telnet- coming from all sorts of devices like home routers, IPTV / set-top boxes, DVDRs, VoIP devices, IP cameras and media centers that had been hijacked by a new malware, named by its primary author 'The Aidra bot-net'." To me, this implies that most of the "servers" used by this bot weren't dedicated linux webservers at all. So what's going to happen when all these various devices that will come online in our fully automated homes and businesses have these security holes? Makes one wonder...

rduncan

The 'vulnerable' servers, as part of the script which harvested them, had to be running Linux! Clearly this demonstrates what could have been the biggest compromise of all time (and still can be). I don't know of any server that automatically installs a telnet server; even modern Windows desktop OSes do not install a telnet CLIENT by default anymore, so that's 420,000 Linux servers with their front end firewall (if any) open for port 23 AND default usernames and passwords set. That's not a security 'hole', nor does it have anything to do with updating your operating system. It sounds too good to be true; this would have been exposed a loooong time ago. I don't believe it.

wdewey@cityofsalem.net

I believe that it used to be illegal to possess a "hacking" tool such as a port scanner. I haven't looked in a number of years to see if that is still true. Bill

wdewey@cityofsalem.net

That would be a lot of honey pots. All home routers come with default passwords and for many years users were not forced to change them. I see this being a totally valid scenario. I bet the numbers would increase if you did a little research and included additional default accounts. Bill

Gisabun

Surely those name/password combos aren't Windows. Some could be [home] routers but I think even most home routers use a variation of Linux.

wdewey@cityofsalem.net

Default usernames and passwords are very common in malware. This material has been presented elsewhere. It's more the scale of reporting and the method that is the buzz. Bill