If you follow security news, or even just the tech press, you may have seen links to a very interesting paper about a researcher who mapped the entire IPv4 Internet space to see which hosts were alive, where they were in the world, and how much of the currently allocated IP space is in use. The more attention-grabbing headline, however, is the fact that to accomplish this, he created a 420,000-node botnet. He used low-security hosts where he could easily get in and deploy his script that would help map the Internet and create some amazing graphics like the one above.
Illegal botnet…or good research?
But of course, while the results are very interesting and have been covered on many sites, the security implications are many and have mostly been brushed under the rug. It can be good to go through these implications and what they mean for us and the Internet as a whole. The first obvious issue with this type of research is that while he had no malicious intent, and the scripts that he deployed did not contain any viruses or malware, he still deployed code to computers in an unauthorized manner. When publishing his paper, this researcher stayed anonymous, and for good reason. The US Government goes after hackers and those they consider to be computer criminals with great zeal. Earlier this month the infamous AT&T hacker was sentenced to 41 months in prison for accessing a publicly available URL and then releasing its content to the press. That’s four years in jail for going to a public URL.
Still, it does appear that the anonymous researcher did everything he could to make the botnet experiment seem benevolent, even going so far as leaving a ReadMe file on each host with an explanation of the project. The result he got was certainly quite impressive, and paints some interesting pictures of the Internet. For example, it’s striking how many IP ranges are allocated but unused. However, he did disclose just how he managed to get into so many hosts, which creates huge potential for mischief. (See Michael Kassner’s recent post for more perspective, “Is uncovering digital vulnerabilities doing more harm than good?”)
His scripts got into so many hosts by connecting over Telnet and trying four username/password combinations: admin/admin, root/root, admin/(blank) and root/(blank). Any security pro, or in fact anyone who has used computers for any length of time, would know that these are terrible passwords. Even home routers come better secured than that these days. But apparently, quite a number of devices used to ship with these ridiculous defaults, and there are still 420,000 of them in use today.
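As an added example (not from the paper or the original article), the Python below shows how a defender could spot this four-credential sweep in Telnet login records and pick out devices that still accept one of the default pairs. The log format, the addresses and the function name analyze are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# The four username/password pairs listed in the article ("" = blank password).
DEFAULT_PAIRS = {("admin", "admin"), ("root", "root"), ("admin", ""), ("root", "")}

# Constructed log format (an assumption): one Telnet login attempt per line,
# as a honeypot that records credentials might write it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample data using documentation address ranges.
SAMPLE_LOG = """\
2013-03-25T10:00:01Z telnet src=198.51.100.7 dst=192.0.2.10 user=admin pass=admin result=fail
2013-03-25T10:00:02Z telnet src=198.51.100.7 dst=192.0.2.10 user=root pass=root result=fail
2013-03-25T10:00:03Z telnet src=198.51.100.7 dst=192.0.2.10 user=admin pass= result=fail
2013-03-25T10:00:04Z telnet src=198.51.100.7 dst=192.0.2.10 user=root pass= result=ok
2013-03-25T11:15:40Z telnet src=203.0.113.5 dst=192.0.2.11 user=alice pass=Xk29fTq result=ok
2013-03-25T11:20:12Z telnet src=203.0.113.9 dst=192.0.2.12 user=admin pass=admin result=fail
this line is malformed and is skipped
"""


def analyze(log_text, min_pairs=3):
    """Return (sweepers, exposed) as sorted lists.

    sweepers: sources that tried at least min_pairs distinct default pairs.
    exposed:  destinations where a default pair actually logged in.
    """
    tried = defaultdict(set)
    exposed = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the format
        pair = (m["user"], m["pw"])
        if pair not in DEFAULT_PAIRS:
            continue  # a non-default credential is not this pattern
        tried[m["src"]].add(pair)
        if m["result"] == "ok":
            exposed.add(m["dst"])  # device still accepts a factory default
    sweepers = sorted(s for s, p in tried.items() if len(p) >= min_pairs)
    return sweepers, sorted(exposed)


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Any host that appears in the second list needs its default credentials changed and, where possible, Telnet disabled or removed from Internet exposure.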
The other scary thought is that all of this was achieved in only one day. From this paper, we learn that 4,000 scanners would take just under a day to scan all 3.6 billion addresses on the Internet. That is a very short time in which to build such an impressive botnet, and of course the complete list of exploitable sites is available in a torrent file of over 1 TB that he released. One could imagine that with the release of such damning information, the owners of those wide-open hosts will be closing these holes. But if such old systems are still being used in an unsecured manner to this day, the chance that their owners will act now is slim. So don’t be surprised if bad guys all over the world are jumping onto this with both feet.
Finally, the paper also reveals that while doing this, the researcher encountered yet another botnet that was already established on some of these open hosts, and tried to compete with it. This is a case of good guys versus bad guys in an Old West-style shootout. But while this may give some people ideas about vigilante justice, the authorities have always been very clear that breaking the law like that, even with good intentions, is not okay. Even if you know someone is infected by malware, going onto their system and removing that malware without their consent can cause you a lot of problems.
For now, it doesn’t appear that this new paper has led to an increase in malware propagation. Trend Micro runs a botnet activity scanner which shows how active these cyber criminals are, and so far botnet activity seems pretty stable, but that could eventually change. Of course, the fact that a lot of hosts out there are vulnerable is not a new idea. For example, last year at DefCon a hacker scanned the entire net in 20 days without resorting to this sort of technique, and he came to a very similar conclusion: that 450,000 hosts were vulnerable. You also don’t need to be a DefCon hacker to do this. The Shodan project offers information on millions of hosts for free to everyone, all nicely categorized, and some of the most used public searches are for things like webcam, scada, default password, and Snom VOIP phones with no authentication. I’ll let you imagine why that is.
So what does this all mean for us? It’s just another confirmation of how easy and fast it can be to find vulnerabilities online. If the entire Internet can be scanned and mapped inside of a day, then this simply illustrates how critical it is to apply your updates on a constant basis, and not leave any security hole exposed for any period of time. Quite often, a matter of hours is plenty of time for someone out there to detect your vulnerability. The Internet is still the Old West for these types of things, and only eternal vigilance will help keep us safe.