[AusNOG] Analysis of the Carna Botnet (Internet Census 2012)

Pinkerton, Eric Eric.Pinkerton at baesystemsdetica.com
Wed May 29 12:09:57 EST 2013


What's that dear? - there is a man from Teepee G on the phone? - he says our router has been running tennis net demons  and we have defaulted on our credentials dear? He wants us upgrade our formware dear?
Sounds like a scam dear, just hang up!

It is better to know nothing and do nothing, than it is to know something and do nothing...

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Tim March
Sent: Wednesday, 29 May 2013 11:53 AM
To: ausnog at lists.ausnog.net
Subject: Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)


Yeah, I was literally just sitting here wondering how fast they'd react if you scripted up an "nmap | ncrack | nc `login && write erase`" on all the vulnerable hosts...

"20,000 of your customers just went offline and need manual intervention to re-establish their service. Good luck with that."



T.

On 29/05/13 11:43 AM, Jake Anderson wrote:
> telnet someserver.tpg.com
> ping tpgdns.tpg.com -f -l 1000 -p 436865636b204175736e6f67 -s 1450
>
> MUWHAHAHAHAH!
> They may be a little less receptive to the idea of you being white hat
> however ;->
>
> (for the lazy hex 43:68:65:63:6b:20:41:75:73:6e:6f:67 = "Check Ausnog"
> in the ascii realm)
>
> On 29/05/13 11:05, Parth Shukla wrote:
>>
>> Hey all,
>>
>> I am still looking for contacts for: TPG, Optus and iiNet!
>>
>> Someone did kindly forward my email to iiNet security team so I'll
>> wait a day or two more to hear from them still...
>>
>> Anyone? Anything?!
>>
>> Cheers,
>>
>> Parth
>>
>> *Parth Shukla*|**Information Security Analyst
>>
>> AusCERT | Australia's premier computer emergency response team
>>
>> The University of Queensland | Brisbane QLD 4072 | Australia
>>
>> t: (07) 334 64537 |e: pparth at auscert.org.au
>> <mailto:pparth at auscert.org.au>w: www.auscert.org.au
>> <http://www.auscert.org.au/>
>>
>> Save a tree. Don't print this e-mail unless it's really necessary
>>
>> *From:*Parth Shukla [mailto:pparth at auscert.org.au]
>> *Sent:* Tuesday, 28 May 2013 12:39 PM
>> *To:* ausnog at lists.ausnog.net
>> *Subject:* Re: Analysis of the Carna Botnet (Internet Census 2012)
>>
>> Hi All,
>>
>> I'm hoping most of you have had a chance to at least have a quick look
>> at my presentation by now.
>>
>> I'm now after technical contacts for three of the four most prominent
>> Telco's that are present in the Australian data (slide 44 of my
>> presentation). I am hoping to work with someone fairly technical in
>> helping deal with the problem of vulnerable devices through default
>> logins on telnet on their infrastructure.
>>
>> I'm after (generic and/or non-generic) technical and security focused
>> contact details for:*TPG, Optus and iiNet*.
>>
>> The IP ranges for these three and Telstra represent 75% of compromised
>> devices in Australia. I already have generic email for Telstra which
>> I'll use but if someone here form Telstra wants to contact me directly
>> please feel free.
>>
>> Could someone from these three please contact me off-list? If someone
>> has good contacts in any of them, could you either a) forward my email
>> to them asking them to contact me or b) email me their contact details
>> off-list?
>>
>> I will be providing them with the part of the data that is relevant to
>> their network.
>>
>> Cheers,
>>
>> Parth
>>
>> *Parth Shukla*|**Information Security Analyst
>>
>> AusCERT | Australia's premier computer emergency response team
>>
>> The University of Queensland | Brisbane QLD 4072 | Australia
>>
>> t: (07) 334 64537 |e: pparth at auscert.org.au
>> <mailto:pparth at auscert.org.au>w: www.auscert.org.au
>> <http://www.auscert.org.au/>
>>
>> Save a tree. Don't print this e-mail unless it's really necessary
>>
>> *From:*Parth Shukla [mailto:pparth at auscert.org.au]
>> *Sent:* Friday, 24 May 2013 7:45 PM
>> *To:* ausnog at lists.ausnog.net
>> *Subject:* Analysis of the Carna Botnet (Internet Census 2012)
>>
>> Dear All,
>>
>> I have made my presentation on the Carna Botnet freely available for
>> view and/or download: http://bit.ly/auscertcarna
>>
>> This presentation is on the Compromised Devices of the Carna Botnet
>> (also known as Internet Census 2012). This analysis is done from data
>> obtained directly from the researcher. The data used is NOT publicly
>> available for download.
>>
>> This was recently presented at the AusCERT Conference 2013. Info:
>> http://conference.auscert.org.au/conf2013/speaker_Parth_Shukla.html
>>
>> This presentation is freely available for viewing and downloading as I
>> wish to spread awareness of the issues raised as a result of the Carna
>> Botnet.
>>
>> I am sending this email as I suspect many of you will find the
>> contents of this presentation interesting. Apologies to those who are
>> subscribed to multiple mailing lists and are receiving this email
>> multiple times as a result. Please forward this onto any mailing list
>> or any individual who you think may appreciate the contents of the
>> presentation.
>>
>> Regards,
>>
>> Parth
>>
>> *Parth Shukla*|**Information Security Analyst
>>
>> AusCERT | Australia's premier computer emergency response team
>>
>> The University of Queensland | Brisbane QLD 4072 | Australia
>>
>> t: (07) 334 64537 |e: pparth at auscert.org.au
>> <mailto:pparth at auscert.org.au>w: www.auscert.org.au
>> <http://www.auscert.org.au/>
>>
>> Save a tree. Don't print this e-mail unless it's really necessary
>>
>>
>>
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
>
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>
_______________________________________________
AusNOG mailing list
AusNOG at lists.ausnog.net
http://lists.ausnog.net/mailman/listinfo/ausnog



More information about the AusNOG mailing list