
Researcher Maps Internet Using Illegal Botnet Study

21 Mar 2013 05:45

According to an anonymous report, some of the internet's most frequent security risks include unsecured modems, routers, and printers.

When browsing the internet, it's always wise to take precautions to protect yourself from malware. Being careful which links you click and having complex passwords are great first steps, but no matter what you do, it seems like viruses keep finding ways to slip through the cracks. According to an anonymous report published online, a hacker has analyzed those cracks with a botnet that probed the entire internet for nine straight months. If the report is authentic, then it would be one of the most comprehensive surveys of internet security ever devised, while ironically being among its biggest breaches.

To his credit, the anonymous researcher seems to have used the botnet, named Carna, solely to contact IP addresses for propagation. "Our binaries were running with the lowest possible priority and included a watchdog that would stop the executable in case anything went wrong," the author writes. "We used the devices as a tool to work at the Internet scale. We did this in the least invasive way possible and with the maximum respect to the privacy of the regular device users."

According to the report, Carna attempted regular contact with 4 billion IP addresses from March to December 2012. Each time Carna encountered a device without account credentials (or one that used passwords like "root" or "admin"), it copied itself until the botnet was scanning from nearly 420,000 devices. The attached image shows Carna's client distribution during the study period, where it was primarily installed on devices in the US, Europe, and Asia. All told, Carna reportedly discovered a total of 1.3 billion IP addresses. From those, Carna received responses from 420 million, not counting another 36 million with open ports. Of the unsecured devices, most appeared to house operating systems never intended for internet communication, such as modems, routers, and printers.

"A lot of devices and services we have seen during our research should never be connected to the public Internet at all," Carna's creator writes. "As a rule of thumb, if you believe that 'nobody would connect [that] to the Internet, really nobody,' there are at least 1,000 people who did. Whenever you think 'that shouldn't be on the Internet but will probably be found a few times' it's there a few hundred thousand times. Like half a million printers, or a million Webcams, or devices that have root as a root password."

Because the report is anonymous, it's very difficult to verify Carna's findings without sifting through large portions of the data. That said, the results seem largely consistent with a smaller authorized study by HD Moore, especially with regard to botnet installations on embedded devices. Thankfully, the researcher seems to have good intentions, even repurposing Carna to delete hostile malware it encountered. Still, given how effectively Carna spread, it's probably a good idea to get that printer of yours behind a firewall when you have a chance.

Source: Internet Census 2012, via Ars Technica
