STE WILLIAMS

UK bloke collared at home by bank-raid Trojan probe cops

A 36-year-old from South Croydon, London, has been arrested by cops investigating allegations of fraud involving the bank-account-raiding Tilon Trojan.

The as-yet-unnamed man is suspected of conspiring to defraud and breaking drug laws. He was collared by officers from the Police Central eCrime Unit (PCeU) and the Serious Organised Crime Agency (SOCA).


Investigators seized computers and digital media from the suspect’s home. The gear will be examined by computer forensic experts. The cuffed bloke was taken to a south London cop shop for questioning on Tuesday.

Police said the arrest related to an ongoing probe into the distribution of the Tilon Trojan, which is a strain of man-in-the-browser (MitB) malware. The software nasty works by intercepting data typed into web pages in Microsoft Internet Explorer, Mozilla Firefox, Google Chrome, and perhaps other browsers, and sending any sensitive information – such as bank account passwords – to miscreants’ central command servers.

The Trojan was first detected by Israeli security firm Trusteer in July 2012. The malware is related to the earlier Silon malware. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/21/tilon_banking_trojan_arrest/

Cyberspies send ZOMBIES to steal DRUGS from medical research firms

Cyber-espionage crews have been targeting the lucrative medical and life science industries using custom malware and spear-phishing, according to new research.

According to a recent US counterintelligence report delivered to Congress, healthcare services and medical equipment are expected to be two of the five fastest-growing international investment sectors, with the US among the leading nations worldwide. Multi-billion-dollar lifesaving research is being put at risk as cyberspies attempt to crack life science firms’ security.


The counterintelligence gov bods said the massive research and development costs for new drugs and techniques as well as the growing need for medical care by ageing populations in China, Russia, and elsewhere were creating a fertile breeding ground for industrial espionage.

Security intelligence firm Cyber Squared said that at least three distinct groups have targeted the industry for more than two years since 2010. It has posted a blog post exposing some of the techniques and tradecraft of cyberspies targeting the life science sector. A single drug can cost up to $1bn to develop, the security bods note.

In the first attack discussed by Cyber Squared, a China-based group used an Internet Explorer (IE) zero-day exploit in October 2012 to get at life sciences firms’ assets. Three malicious websites hosting these exploits were established and subsequently used within targeted spear-phishing campaigns or targeted drive-by download attacks, said the researchers.

“The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research,” a blog post by Cyber Squared explains.

When RATs, Trojans and zombies attack

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iFrame redirecting users to the IE zero-day exploit. BioDuro is a Beijing-based life science research firm. Compromised machines were subsequently infected with a variant of the Destroy Remote Access Trojan (RAT), which is also known as Thoper-B or Sogu.

The firm also cited a second attack by a cyberspying menace, first reported on by security tools firm AlienVault in July 2012. It used a variant of the Sykipot malware to create an extensive botnet. The zombie network featured more than 30 additional command-and-control domains and three email addresses, analysts from Cyber Squared discovered. After analysing the infrastructure used by the perpetrators of Sykipot, Cyber Squared concluded that the botmasters behind the network were targeting the medical industry.

One of the 30 domains registered by the Sykipot bad guys is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.

Another Sykipot command-and-control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT), a southern California-based charitable organisation, said the researchers.

A third attack last summer featured a Chinese hacking group (also known as “VOHO”) using a drive-by download campaign. The attack was targeted against victims within business and local governments in Washington, DC and Boston, Massachusetts, as well as organisations involved in the development and promotion of the democratic process in non-permissive regions.

The attackers used the Gh0st RAT to control compromised machines.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical website “www.wsdhealty[.]com” to host malicious software that exploited Java and Microsoft vulnerabilities.

Cyber Squared was able to identify that the attackers also abused the domain “nih-gov.darktech[.]org” run by the National Institute of Health (NIH) as part of the command-and-control infrastructure of the cyber-espionage operation.

“The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real,” said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst. “The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.”

Organisations within the sector need to wake up to the threat and take steps to guard against intellectual property loss and disruptions to business operations, Barger warned.

The Obama administration’s strategy for combating the theft of US trade secrets, unveiled last month, listed industrial espionage as one of the sectors likely to experience fast growth, and cited healthcare, pharmaceuticals and clean energy as prime targets for the web spies.

However, more attention has arguably been paid to attempts to steal the blueprints of information and communications technology; military technologies (particularly marine systems and drones – unmanned aerial vehicles); other aerospace technologies; and information about natural resources (including oil and gas). Cyber Squared’s report is therefore noteworthy in highlighting an under-reported risk.

All of the Advanced Persistent Threat examples put together by Cyber Squared were compiled and shared under the “Medical Threats Blog” within the ThreatConnect community. ThreatConnect.com is a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers as well as medical research and life sciences organisations. The exchange – run by Cyber Squared and akin to a neighbourhood watch scheme – collects, analyses and shares threat intelligence. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/21/medical_cyber_espionage/

Another iPhone passcode bypass spell revealed

Apple’s recent release of iOS 6.1.3, complete with a fix for the weird keypress sequence that allowed access to and export of iPhone address books, seems to have been just a little bit futile after a new bug with the same effects emerged.

The source of the new method is someone or something called Vbarraquito, whose YouTube channel offers a video demonstrating the new magic unlock spell.

The new iPhone unlocking spell involves turning off Siri (where present), messing around with Voice Control, ejecting the SIM and cooking a potion based on unicorn blood. Once the planets align, the iPhone can then make calls without the passcode being entered and the address book is accessible.


Vulture South’s fat-fingered staff have been unable to replicate this method, but several others claim to have done so.

Apple will doubtless be more than a little embarrassed at this new gaffe, which further damages its reputation for both security and attention to detail.

It’s safe to assume Apple will soon offer a counter-spell in the form of an iOS update, this time paying special attention to all manner of keypress combinations. Apple’s also due to start talking up the successor to iOS 6, probably at its worldwide developer conference tipped for June. If a slide or two in the iOS 6+x presentation doesn’t make mention of enhanced security, colour us surprised.

As to the question of whether this latest spell will dent iPhone sales, The Reg suggests readers seeking an answer use our search facility to look for pieces on “antennagate” and “Apple Maps”, then consider Apple’s share price and Samsung/Android’s growing market share. Coincidence? You be the judge. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/21/another_magic_iphone_unlock_spell/

Cisco slip puts hardware at risk

Cisco has issued a security advisory revealing that it mis-coded the implementation of a new password hashing algorithm.

Its “Type 4” password implementation was supposed to salt passwords and then run them through 1,000 iterations of SHA-256 for storage, following the Password-Based Key Derivation Function (PBKDF) version 2 described in RFC 2898.


In what Cisco calls an “implementation issue”, its engineers forgot to salt passwords, and set the SHA-256 iteration count to 1. As its advisory states: “This approach causes a Type 4 password to be less resilient to brute-force attacks than a Type 5 password of equivalent complexity.”

The problem was discovered by Philipp Schmidt and Jens Steube from the Hashcat project. Because of the weak protection, they were able to decode a hash that had been posted to inetpro.org, and as noted by Ars, enough information has leaked to permit “millions” of hashes to be cracked in hours, if anyone gets their hands on the stored hashes.
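As an added illustration (not Cisco’s code, and not the Hashcat researchers’ tooling), the following models the Type 4 scheme the advisory says was intended, salted PBKDF2-HMAC-SHA256 with 1,000 iterations, next to the unsalted single-pass form it says shipped, and shows with a precomputed lookup table why the shipped form is the easier one to recover. Cisco’s on-device hash encoding and salt length are not on the page; the salt length, the sample wordlist and the exact shape of the shipped form are assumptions.

```python
"""Added example, not Cisco's code: the Type 4 scheme the advisory says was
intended (salted PBKDF2-HMAC-SHA256, 1,000 iterations, RFC 2898) beside what
it says shipped (no salt, iteration count 1), and a lookup-table check that
shows why the shipped form is weaker. Salt length, wordlist and the exact
construction of the shipped form are assumptions; the page does not give them."""
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

ITERATIONS = 1000   # iteration count the advisory says was intended
SALT_LEN = 16       # assumed; the page does not state Cisco's salt length


def type4_intended(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 with 1,000 iterations. Returns (salt, digest)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def type4_as_shipped(password: str) -> bytes:
    """The 'implementation issue' as the advisory describes it: no salt and an
    iteration count of 1. Modelled here (an assumption) as one SHA-256 pass
    over the password, which is all the work an attacker must repeat per guess."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def verify_intended(password: str, salt: bytes, stored: bytes) -> bool:
    """Check a login attempt against a stored (salt, digest) pair in constant time."""
    _, candidate = type4_intended(password, salt)
    return hmac.compare_digest(candidate, stored)


def build_lookup_table(wordlist: List[str]) -> Dict[bytes, str]:
    """Table of shipped-form hashes for common passwords. With no salt the
    table is computed once and matches every device whose hash appears in it;
    a per-hash salt makes such a reusable table impossible."""
    return {type4_as_shipped(word): word for word in wordlist}


def recover_from_table(table: Dict[bytes, str], stored: bytes) -> Optional[str]:
    """Return the password if the stored hash appears in the precomputed table."""
    return table.get(stored)


def demo() -> Dict[str, object]:
    """Run both forms against a constructed wordlist and report what the table finds."""
    wordlist = ["password", "cisco", "admin", "letmein"]   # constructed sample
    table = build_lookup_table(wordlist)
    shipped_hit = recover_from_table(table, type4_as_shipped("cisco"))
    salt, digest = type4_intended("cisco")
    intended_hit = recover_from_table(table, digest)   # salt defeats the table
    return {
        "shipped_recovered": shipped_hit,
        "intended_recovered": intended_hit,
        "intended_verifies": verify_intended("cisco", salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```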

The vulnerability affects kit running Cisco IOS and Cisco IOS XE releases based on the Cisco IOS 15 code base, the advisory says, along with instructions for determining whether a user is running vulnerable code.

Adding insult to injury, the implementation of the broken Type 4 password also disabled the Type 5 hashing it replaced. From the advisory:

“A device running a Cisco IOS or IOS XE release with support for Type 4 passwords lost the capability to create a Type 5 password from a user-provided plaintext password.

“Backward compatibility problems may arise when downgrading from a device running a Cisco IOS or IOS XE release with Type 4 password support and Type 4 passwords configured to a Cisco IOS or Cisco IOS XE release that does not support Type 4 passwords. Depending on the specific device configuration, the administrator may not be able to log in to the device or to change into privileged EXEC mode, requiring a password recovery process to be performed.”

Cisco says a new password type will be introduced. “This will allow Cisco customers to gradually migrate to the new password type, while allowing them to use the existing syntax to preserve backward compatibility. The exact syntax for the new commands is yet to be determined.” ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/20/cisco_introduces_weak_passwords/

SCADA honeypots attract swarm of international hackers

Vulnerable internet-facing industrial systems controlling crucial equipment used by power plants, airports, factories and other critical systems are subjected to sustained attacks within hours of appearing online, according to new honeypot-based research by Trend Micro.

The security weaknesses of SCADA (supervisory control and data acquisition) industrial control systems have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy attacks.


Trend Micro threat researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up an internet-facing honeypot and recording attempted attacks. The honeypot architecture developed by Wilhoit directly mimics that of real industrial control systems and SCADA devices.

The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots.

All three were internet-facing and used three different static IP addresses in different subnets scattered across the US. One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system. The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory.

All three honeypots included traditional vulnerabilities found across the same or similar systems. Steps were taken to make sure the honeypots were easily discovered. The sites were optimised for searches and published on Google.

The researchers also made sure that the honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, Metasploit provides a library of possible attacks, which – as security strategist Josh Corman points out – can be run without any detailed knowledge or skill.

The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorised access to secure areas of sites, attempted modifications of controllers, or any attack against a protocol specific to SCADA devices, such as Modbus/TCP.

They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and analysis of server log files were used to monitor and record the attacks the honeypots attracted.
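To show what “attempted modifications of controllers” and “any attack against a protocol specific to SCADA devices, such as Modbus/TCP” look like on the wire, here is an added example, not Trend Micro’s honeyd or Snort configuration: a small Modbus/TCP request parser that classifies each frame a honeypot receives and flags write function codes. The frames and IP addresses are constructed samples, and the trusted engineering-station address is an assumption.

```python
"""Added example, not Trend Micro's honeyd/Snort setup: parse Modbus/TCP
requests as a honeypot on TCP/502 would see them and flag the ones that would
modify a controller (write function codes). All frames and addresses below are
constructed samples; the trusted engineering station is an assumption."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Public Modbus function codes that change controller state
WRITE_FUNCTIONS = {
    5: "Write Single Coil",
    6: "Write Single Register",
    15: "Write Multiple Coils",
    16: "Write Multiple Registers",
    22: "Mask Write Register",
    23: "Read/Write Multiple Registers",
}
READ_FUNCTIONS = {
    1: "Read Coils",
    2: "Read Discrete Inputs",
    3: "Read Holding Registers",
    4: "Read Input Registers",
}
TRUSTED_STATIONS = {"10.0.0.5"}   # assumed engineering workstation (constructed)


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes   # PDU payload after the function code


def parse_mbap(frame: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id)
    plus the function code; reject frames whose length field does not match."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus (0)")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError(f"length field {length} does not match {len(frame)}-byte frame")
    return ModbusRequest(tid, unit, frame[7], frame[8:])


def classify(src_ip: str, frame: bytes) -> Dict[str, object]:
    """Label one request: alert (write from an untrusted host), recon (read from
    an untrusted host), allowed/info (trusted host), suspicious (malformed or
    unknown function code)."""
    try:
        req = parse_mbap(frame)
    except ValueError as exc:
        return {"src": src_ip, "level": "suspicious", "reason": f"malformed frame: {exc}"}
    trusted = src_ip in TRUSTED_STATIONS
    if req.function in WRITE_FUNCTIONS:
        reason = WRITE_FUNCTIONS[req.function]
        if req.function in (5, 6) and len(req.data) >= 4:   # single coil/register: addr, value
            addr, value = struct.unpack(">HH", req.data[:4])
            reason += f" addr={addr} value={value}"
        level = "allowed" if trusted else "alert"
    elif req.function in READ_FUNCTIONS:
        reason = READ_FUNCTIONS[req.function]
        level = "info" if trusted else "recon"
    else:
        reason = f"unknown or vendor function code {req.function}"
        level = "suspicious"
    return {"src": src_ip, "unit": req.unit_id, "level": level, "reason": reason}


def summarize(events: List[Tuple[str, bytes]]) -> Dict[str, int]:
    """Count classifications over a captured batch of (source ip, frame) pairs."""
    counts: Dict[str, int] = {}
    for src, frame in events:
        level = str(classify(src, frame)["level"])
        counts[level] = counts.get(level, 0) + 1
    return counts


# Constructed sample traffic (hex: tid, proto, length, unit, function, payload)
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a")
WRITE_SINGLE = bytes.fromhex("0002 0000 0006 01 06 0001 00ff")
WRITE_MULTI = bytes.fromhex("0003 0000 000b 01 10 0000 0002 04 0001 0002")
TRUNCATED = bytes.fromhex("0004 0000 0002 01")
VENDOR_FC = bytes.fromhex("0005 0000 0002 01 41")

SAMPLE_EVENTS = [
    ("10.0.0.5", READ_HOLDING),      # plant operator polling registers: info
    ("203.0.113.7", READ_HOLDING),   # outside host reading registers: recon
    ("203.0.113.7", WRITE_SINGLE),   # outside host writing a register: alert
    ("198.51.100.3", WRITE_MULTI),   # outside host writing registers: alert
    ("198.51.100.3", TRUNCATED),     # header only, no function code: suspicious
    ("203.0.113.7", VENDOR_FC),      # undefined function code 0x41: suspicious
]

if __name__ == "__main__":
    for src, frame in SAMPLE_EVENTS:
        print(classify(src, frame))
    print(summarize(SAMPLE_EVENTS))
```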

Less than 24 hours later…

The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? (PDF).

It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing. The statistics in this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted”, while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.” All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same netblock.

The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment. Other hacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information.

Four samples were collected over the four-week testing period, two of which have not been seen in the wild. Trend Micro is currently analysing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.

A third of attacks against the industrial control system honeypot (35 per cent) originated in China but one in five (19 per cent) originated in the US. Security researchers also found that a surprisingly high 12 per cent of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/20/scada_honeypot_research/

Dear gov cyber-ninjas, try NOT to KILL PEOPLE. Love from the lawyers

A NATO-backed manual that attempts to pull together all the bits of international law regarding the “hostile use” of the internet has prohibited attacks against civilian targets.

According to the legal experts who helped draw up the manual, attacks in cyberspace should avoid anything that might affect civilian targets such as hospitals, dams and nuclear power plants.


The manual was compiled by an independent group of legal scholars, lawyers, academics and technical experts who gathered up all the relevant norms in existing international law as a guide for legal advisers to military and state bodies, law students, academics and law firms, although the manual itself is not an official document and does not reflect NATO doctrine or policy. Nevertheless, it’s expected to be widely read in government circles, as NATO’s CCDoE said at the time of the launch.

A draft copy of the Tallinn Manual on the International Law Applicable to Cyber Warfare came out last September, but the issue has hit the news again as a result of security conferences in London late last week and Washington, DC on 28 March that featured panel discussions on the weighty tome, which runs to 215 pages.

The manual looks at laws pertaining to armed conflict and the use of force and how they could be extended to regulate conflicts between nation states that have spilled over onto the internet. Technical experts advised on the three-year process of putting together the mega-guide, which featured observers from the International Committee of the Red Cross, United States Cyber Command and NATO’s Allied Command.

The project was backed by the NATO Cooperative Cyber Defence Centre of Excellence in Tallinn, Estonia, but the compilers and experts worked in their personal capacity.

The prospective users of the Tallinn Manual are government legal advisers to Ministries of Defence, Foreign Affairs, Interior and Justice; legal advisers to military forces and intelligence agencies; academics and graduate students in law, government and security studies; general counsel for defence industry; think tanks; consultancies; and law firms. The Tallinn Manual is designed to be accessible to lawyers with basic knowledge of international law.

The draft manual can be viewed at the CCDoE website. At the time of publication, it was unavailable for viewing.

When two crews go to war…

The manual covers 95 “rules”. Among those that caught our eye was a discussion on attribution (rule 7) stating that “the mere fact that an operation has been launched or otherwise originates from a government cyber infrastructure is not sufficient evidence for attributing the operation to that state but is an indication that the state in question is associated with that operation”.

Another interesting discussion on self-defence in the face of hacker attack (rule 9), posits that: “A state injured by an internationally wrongful act may resort to proportionate countermeasures, including cyber-countermeasures, against the responsible state”. Rule 13, meanwhile, says: “A state that is the target of a cyber operation that rises to the level of an armed attack may exercise its inherent right of self-defence. Whether a cyber operation constitutes an armed attack depends on its scale and effects.”

The legal experts were split over whether an attack that crashed the New York Stock Exchange, for example, justified a response that could be legally defended as self-defence.

But they did agree on rule 14, that any response ought to be “necessary and proportionate”. So “you hacked us, we’ll bomb you” isn’t going to wash with international legal experts who want to restrict reprisals to acts of self-defence or actions authorised by the UN Security Council. However, the right of self-defence may be exercised collectively, as per the coalition formed to expel Saddam Hussein’s Iraqi troops from Kuwait in 1991, for example.

The experts went on to say that the law on armed conflict didn’t apply to highly publicised DDoS attacks on Estonia in 2007 but did apply to cyber skirmishes that occurred between Georgia and Russia a year later because these occurred during the course of a ground war (a bullet-and-bombs armed conflict).


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/20/cyberwar_rules/

South Korean TV and banks paralysed in disk-wipe cyber-blitz

Banks and TV stations in South Korea have been hit by a debilitating attack on their computer networks.

Three financial institutions – Shinhan, Nonghyup and Jeju – and two insurance firms as well as broadcasters KBS, MBC and YTN have either been partially or completely crippled by malware, it appears, according to South Korean news agency Yonhapnew.


PCs on the networks of TV stations crashed and couldn’t be restarted; some displayed an error message claiming that their boot records had been destroyed, as seen in news coverage. Some reports suggest that images of skulls appeared on some computer screens. The attack started at 1400 local time today.

Telly programmes continue to be transmitted despite the problems. However internet banking and cash machines operated by Shinhan Bank are not functioning. South Korean ISP LG Uplus has also been hit by the assault. Government computer networks remain largely unaffected, according to an official from the National Computing and Information Agency (NCIA). However some important websites, including KCNA and Air Koryo, were rendered temporarily inaccessible.

The authorities are trying to identify the cause of the problem. Files named KBS.exe and MBC.exe, which began circulating last week, could be key components for distributing the disk-wiping malware that apparently brought down the networks. The situation remains confused but already thoughts are turning towards who could have launched the attack; North Korea is emerging as a prime suspect.

“We do not rule out the possibility of North Korea being involved, but it’s premature to say so,” South Korea’s Defence Ministry spokesman Kim Min-seok told the BBC.

Christopher Boyd, senior threat researcher at ThreatTrack Security, commented: “There have been numerous serious attacks on South Korean networks and systems over the last few years, from recent newspaper site defacements and the most recent network attacks to the so-called ‘Ten Days of Rain’ distributed denial-of-service [DDoS] attacks on multiple government sites and the United States Forces Korea in 2011.

“While it’s tempting to attribute these attacks to the North given the current state of play in the region, many attacks are not so easy to pin down: the ‘Ten Days of Rain’ used compromised machines inside South Korea to launch the DDoS attacks.

“In 2009 the JoongAng Daily claimed that a South Korean man allegedly purchased infected games in North Korea, only to take them back home and infect other gamers – using them to DDoS the website of the Incheon International Airport. Recent reports that North Korea itself claims to have been knocked offline by hackers does nothing to clarify the issue, and in this ‘tit-for-tat’ environment we should be wary of attributing any blame until the full facts emerge.”

Some Koreans spread screen grabs of a social-networking website on which a group calling itself the “Whois Team” claimed responsibility for the outages; some captured the crew’s boasts in a video uploaded to YouTube. However LG UPlus Corp, the ISP behind the social network, denied the existence of such pages on its website, Reuters reports.

The attack appears to be wide-ranging, coordinated and targeted at high-profile institutions in South Korea. The South Korean military cyberattack readiness level was raised from three to four on the five-tier system, The Guardian reports. Defence minister Kim Kwan-jin convened a meeting to discuss the attacks.

North Korea was blamed for two previous cyber-attacks against its southern neighbour, in 2009 and 2011, that targeted government agencies and banks. Last week North Korea’s official news agency KCNA blamed the US and its allies for computer hacking attacks against its networks. Political tensions on the Korean peninsula have been running high for weeks since recent rocket and nuclear tests by the North Koreans. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/20/south_korea_cyberattack/

Kinky Android X-ray app laid bare as malware

Japanese mobile users are being warned not to download an Android app promising to allow them to see through clothes with the phone’s camera, as the malware hidden within will steal address book data and try to blackmail them to the tune of ¥29,000 (£202).

The app’s first manifestation is usually an SMS message appearing to come from a friend. That message recommends the recipient try the “Infrared X-Ray” app, Symantec researcher Joji Hamada wrote in a blog post.


If the Android user decides to follow the link and download the app, the victim’s contact details will be uploaded to a third party server so that similar text messages can be spammed out to their friends and family.

Some versions of the app merely end with a picture of a man giving the user the finger and the words “You Pervert!” displayed in Japanese.

However, Symantec warned that other variants attempt to extort money from the victim:

While the contact data is being stolen and sent to the malware author, the new variants also download and display registration details for a website hosting adult content. The app no longer attempts to turn the camera on like it did previously. Instead, it displays a splash screen for a second or two before displaying a message stating that registration has completed, and the victim is asked to pay 29,000 yen for the “service”.

SMS messages are then sent reminding the user of the payment details and threatening to tell their friends and family about the app if they don’t cough up the money.

The app removes itself from the launcher immediately after execution, in order to make it harder to uninstall, although it can be wiped in Applications, under Settings, Symantec said. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/20/japan_x_ray_infrared_android_scam/

Researcher sets up illegal 420,000 node botnet for IPv4 internet map

An anonymous researcher has taken an unorthodox approach to achieve the dream of mapping out the entire remaining IPv4 internet, and has broken enough laws around the world to make them liable for many thousands of years behind bars in doing so, if current sentencing policy prevails.

Scanning the sheer number of IPv4 addresses involved would take a huge number of scanners making billions of pings. While noodling around with the Nmap scripting engine, the researcher noticed a lot of virtually unsecured IPv4 devices – requiring only an admin/admin or root/root login, or either admin or root with the password field blank. What if these could be used as a temporary botnet to perform the scan?

“I did not want to ask myself for the rest of my life how much fun it could have been or if the infrastructure I imagined in my head would have worked as expected,” the report “Internet Census 2012” states.

“I saw the chance to really work on an Internet scale, command hundreds of thousands of devices with a click of my mouse, portscan and map the whole Internet in a way nobody had done before, basically have fun with computers and the Internet in a way very few people ever will.”

The report states the 46 to 60KB binary was written in C with two parts: a telnet scanner to try the login combinations and propagate, and control code to hand out scan ranges and feed the results back. A reboot of the infected system would wipe the binary completely, and the code neither sniffed traffic passing through the device nor scanned any systems on its local network.

The code was set to run at the lowest possible priority on the infected device to avoid interfering with it, and included a watchdog to make sure the host’s normal operations weren’t overloaded. It also carried a readme file with a description of the project and an email address for the device’s owner, or law enforcement, to get in touch if it was discovered.

After releasing the code overnight, the report’s writer found 420,000 suitable botnet endpoints, around a quarter of the unprotected devices found: those running Linux with enough CPU and RAM to be useful. The botnet was able to spread quickly and efficiently using just the four login combinations, and was soon reporting back in healthy numbers.
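What those four default logins buy an attacker is also exactly what a defender can check for. As an added example, not code from the census report or anything El Reg ran, here is a small Python audit tool that tries precisely those four combinations against kit you are authorised to test and reports which ones hand back a shell. The prompt patterns, and the `FakeDevice` it is exercised against offline, are assumptions about how a typical BusyBox-style telnet daemon answers; for a real box you would pass `connect=lambda: socket.create_connection((host, 23), 5)` instead.

```python
# Added illustration, not the census binary: prompt regexes and FakeDevice are
# assumptions about how a typical BusyBox-style telnetd behaves on the wire.
import re

DEFAULT_CREDS = [("admin", "admin"), ("root", "root"), ("admin", ""), ("root", "")]
IAC, DONT, DO, WONT, WILL = 255, 254, 253, 252, 251   # RFC 854 negotiation bytes
LOGIN_RE = re.compile(rb"(login|username)\s*:\s*$", re.I)
PASSWORD_RE = re.compile(rb"password\s*:\s*$", re.I)
SHELL_RE = re.compile(rb"[$#>]\s*$")                  # a shell prompt: we are in
FAIL_RE = re.compile(rb"incorrect|invalid|failed|denied", re.I)


def strip_iac(data, transport):
    """Strip telnet option negotiation from a chunk, refusing each option the far
    end proposes. Assumes a sequence is never split across recv() chunks."""
    out, i = bytearray(), 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
        elif i + 2 < len(data) and data[i + 1] in (DO, DONT, WILL, WONT):
            cmd, opt = data[i + 1], data[i + 2]
            if cmd == DO:
                transport.send(bytes([IAC, WONT, opt]))
            elif cmd == WILL:
                transport.send(bytes([IAC, DONT, opt]))
            i += 3
        else:
            i += 2                                      # other two-byte command
    return bytes(out)


def try_login(transport, user, password):
    """One attempt on a fresh connection; True only if a shell prompt comes back."""
    buf = b""

    def expect(*patterns):
        """Read until a pattern matches; return its index, or None on EOF/timeout."""
        nonlocal buf
        while True:
            for idx, pat in enumerate(patterns):
                m = pat.search(buf)
                if m:
                    buf = buf[m.end():]
                    return idx
            try:
                chunk = transport.recv(1024)
            except OSError:                             # timeout, reset, refused
                return None
            if not chunk:
                return None
            buf += strip_iac(chunk, transport)

    if expect(LOGIN_RE) is None:
        return False
    transport.send(user.encode() + b"\r\n")
    if expect(PASSWORD_RE) is None:
        return False
    transport.send(password.encode() + b"\r\n")
    # Failure text and a fresh login prompt are checked before the shell prompt.
    return expect(FAIL_RE, LOGIN_RE, SHELL_RE) == 2


def audit_host(connect, creds=DEFAULT_CREDS):
    """Try each pair on its own connection (many boxes drop the line after a
    failure); return the pairs that yielded a shell."""
    accepted = []
    for user, pw in creds:
        t = connect()
        try:
            if try_login(t, user, pw):
                accepted.append((user, pw))
        finally:
            t.close()
    return accepted


class FakeDevice:
    """Constructed stand-in for a box with an empty root password; it opens with
    a DO ECHO negotiation so strip_iac() is exercised too."""
    def __init__(self, valid=("root", "")):
        self.valid, self.lines, self.pending = tuple(valid), [], b""
        self.out = bytes([IAC, DO, 1]) + b"\r\nlogin: "

    def recv(self, n):
        chunk, self.out = self.out[:n], self.out[n:]
        return chunk

    def send(self, data):
        if data[:1] == b"\xff":                         # our WONT reply; ignored
            return
        self.pending += data
        while b"\r\n" in self.pending:
            line, self.pending = self.pending.split(b"\r\n", 1)
            self.lines.append(line.decode())
            if len(self.lines) < 2:
                self.out += b"Password: "
                continue
            ok = tuple(self.lines) == self.valid
            self.lines = []
            self.out += (b"\r\nBusyBox v1.x built-in shell\r\n# " if ok
                         else b"\r\nLogin incorrect\r\nlogin: ")

    def close(self):
        pass
```

Run `audit_host(FakeDevice)` and it returns `[('root', '')]`. Each attempt gets its own connection because many embedded boxes drop the line after a failed login, and the failure-text check runs before the shell-prompt check so a rejection banner that happens to end in `>` isn’t misread as success.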

The Carna IPv4 botnet

“While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world,” Mark Bower, VP of product management at Voltage Security told El Reg.

“This is a great study which underlines the fact that once again exploitable weak links are abundant and ripe for compromise, even on embedded or industrial systems. While the researchers merely reported on security gaps, any attacker could quickly access these systems – maybe leading to downstream compromise of something much more valuable.”

The home spy

The vast majority of infected systems were consumer routers or set-top boxes, but the researcher also found Cisco and Juniper hardware, x86 kit with crypto accelerator cards, industrial control systems, and physical door security systems.

“A lot of devices and services we have seen during our research should never be connected to the public Internet at all. As a rule of thumb, if you believe that ‘nobody would connect that to the Internet, really nobody’, there are at least 1000 people who did,” the report states.

“Whenever you think ‘that shouldn’t be on the Internet but will probably be found a few times’ it’s there a few hundred thousand times. Like half a million printers, or a Million Webcams, or devices that have root as a root password.”

The resulting botnet, which the report dubs Carna after the Roman goddess of physical health or of door hinges, depending on which historical source you believe, soon found itself competing with a malicious botnet dubbed Aidra. The researcher adapted the binary to block this competitor where possible, but estimates Aidra still has around 30,000 endpoints.

In all the project took nearly six months, and the full scan was concluded by October last year. The report estimates that the number of active IPv4 addresses is around 1.3 billion, out of a total of around 4.3 billion. The complete scan data, all 9TB of it, is available for download, but not the botnet code which created it.

“The actual research itself is noteworthy in that it is the most comprehensive Internet-wide scan. I’d like to see more projects of this kind, conducted legally, and sharing information about the real state of play on the internet,” said Mark Schloesser, security researcher at Rapid7 in an emailed statement.

“While the Internet Census 2012 provides interesting data, the way it was collated is highly illegal in most countries. Using insecure configurations and default passwords to gain access to remote devices and run code on them is unethical, and taking precautions to not interfere with any normal operation of the devices being used doesn’t make it OK.”

He has a point. Monday’s sentence of three years and five months in prison for Andrew Auernheimer, a member of the grey-hat hacking collective Goatse Security, after he used a server vulnerability to expose iPad users’ account details, is causing great concern to some in the security research industry.

The two situations aren’t exactly the same, but a strict interpretation of the law in both the US and elsewhere would make the Carna botnet highly illegal, and each node could be worth its own charge to an over-zealous prosecutor. No wonder the researcher in question wishes to remain anonymous. ®

Article source: http://go.theregister.com/feed/www.theregister.co.uk/2013/03/19/carna_botnet_ipv4_internet_map/