<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"><meta name="Generator" content="Microsoft Word 12 (filtered medium)"><style><!--
--></style></head><body lang="EN-AU" link="blue" vlink="purple"><div class="WordSection1"><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">As odd as that may sound, I was helping a friend with a Cisco LAB at home with his CCNA. He was a residential customer of one of the 'large' ISPs mentioned below.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">He couldn't understand that when he would telnet to some 192.168/16 address that his 2600 router was suddenly in fact a 7206VXR with Gig interfaces and the hostname was 'TEST_BRAS'. He was most upset he couldn't configure things as the manual had discussed because the interface names didn't match.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">I ended up contacting the ISP in question to warn them.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">----------</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">C877#</span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">telnet </span><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">192.168.1.1</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Trying 192.168.1.1 ... Open</span></p><p class="MsoNormal" style="background:white">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span></p><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">User Access Verification</span></p><p class="MsoNormal" style="background:white">
<span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span></p><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Username: cisco</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Password:</span></p><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222"> </span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">TEST_BRAS>en</span></p><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Password:</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">TEST_BRAS#</span></p><p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">TEST_BRAS#sh ver</span></p>
<p class="MsoNormal" style="background:white"><span style="font-size:10.0pt;font-family:"Arial","sans-serif";color:#222222">Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.2(31)SB16, RELEASE SOFTWARE (fc2)</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">etc etc ....</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">--------</span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Needless to say he was disappointed when I told him his routing was wrong (poor guy) and that his router  was certainly not a 7206 with Ge's. ;) He thought his ebay CCNA lab router was a special. Turns out someone else was 'special'.</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">Good times.</span></p>
<div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d">-Ryan</span></p>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p>
</div><p class="MsoNormal"><span style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1f497d"> </span></p><div><div style="border:none;border-top:solid #b5c4df 1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span lang="EN-US" style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> <a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a> [mailto:<a href="mailto:ausnog-bounces@lists.ausnog.net">ausnog-bounces@lists.ausnog.net</a>] <b>On Behalf Of </b>PRK<br>
<b>Sent:</b> Wednesday, 29 May 2013 12:02 PM<br><b>To:</b> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br><b>Subject:</b> Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)</span></p>
</div></div><p class="MsoNormal"> </p><p><span style="font-family:"Verdana","sans-serif"">You're assuming it's the ISP's infrastructure with default credentials, rather than the ISP's customer's CPE?</span></p>
<p><span style="font-family:"Verdana","sans-serif"">prk.</span></p><p><span style="font-family:"Verdana","sans-serif"">On 2013-05-29 11:43, Jake Anderson wrote:</span></p><blockquote style="border:none;border-left:solid #1010ff 1.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt">
<div><p class="MsoNormal"><span style="font-family:"Verdana","sans-serif"">telnet <a href="http://someserver.tpg.com">someserver.tpg.com</a><br>ping <a href="http://tpgdns.tpg.com">tpgdns.tpg.com</a> -f -l 1000 -p 436865636b204175736e6f67 -s 1450<br>
<br>MUWHAHAHAHAH!<br>They may be a little less receptive to the idea of you being white hat however ;-><br><br>(for the lazy hex 43:68:65:63:6b:20:41:75:73:6e:6f:67 = "Check Ausnog" in the ascii realm)<br><br>
On 29/05/13 11:05, Parth Shukla wrote:</span></p></div><blockquote style="border:none;border-left:solid #1010ff 1.5pt;padding:0cm 0cm 0cm 4.0pt;margin-left:3.75pt;margin-top:5.0pt;margin-bottom:5.0pt"><div><p class="MsoNormal" style>
<span style="color:#1f497d">Hey all,</span></p><p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">I am still looking for contacts for: TPG, Optus and iiNet! </span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">Someone did kindly forward my email to iiNet security team so I’ll wait a day or two more to hear from them still…</span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">Anyone? Anything?!</span></p><p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style>
<span style="color:#1f497d">Cheers,</span></p><p class="MsoNormal" style><span style="color:#1f497d">Parth</span></p><p class="MsoNormal" style><span style="color:#1f497d"> </span></p><div><p class="MsoNormal" style><strong><span style="color:#002060">Parth Shukla</span></strong><span style="color:#00b050"> </span><span style="color:#002060">|Information Security Analyst</span></p>
<p class="MsoNormal" style><span style="font-size:9.0pt;color:gray">AusCERT | Australia’s premier computer emergency response team </span></p><p class="MsoNormal" style><span style="font-size:9.0pt;color:gray">The University of Queensland | Brisbane QLD 4072 | Australia</span></p>
<p class="MsoNormal" style><span style="font-size:9.0pt;color:gray">t: (07) 334 64537 |e: </span><span style="font-size:9.0pt;color:#1f497d"><a href="mailto:pparth@auscert.org.au">pparth@auscert.org.au</a></span><span style="font-size:9.0pt;color:gray"> w: <a href="http://www.auscert.org.au/">www.auscert.org.au</a>    </span></p>
<p class="MsoNormal" style><span style="font-size:9.0pt;color:gray">                                                                                                                                                </span></p>
<p class="MsoNormal" style><span style="font-size:9.0pt;color:green">Save a tree. Don't print this e-mail unless it's really necessary  </span></p></div><p class="MsoNormal" style><span style="color:#1f497d"> </span></p>
<div><div><p class="MsoNormal" style><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Parth Shukla [<a href="mailto:pparth@auscert.org.au">mailto:pparth@auscert.org.au</a>] <br>
<strong><span style="font-family:"Tahoma","sans-serif"">Sent:</span></strong> Tuesday, 28 May 2013 12:39 PM<br><strong><span style="font-family:"Tahoma","sans-serif"">To:</span></strong> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<strong><span style="font-family:"Tahoma","sans-serif"">Subject:</span></strong> Re: Analysis of the Carna Botnet (Internet Census 2012)</span></p></div></div><p class="MsoNormal" style> </p><p class="MsoNormal" style>
<span style="color:#1f497d">Hi All,</span></p><p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">I’m hoping most of you have had a chance to at least have a quick look at my presentation by now. </span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">I’m now after technical contacts for three of the four most prominent Telcos that are present in the Australian data (slide 44 of my presentation). I am hoping to work with someone fairly technical in helping deal with the problem of vulnerable devices through default logins on telnet on their infrastructure.</span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">I’m after (generic and/or non-generic) technical and security focused contact details for:<strong> TPG, Optus and iiNet</strong>. </span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">The IP ranges for these three and Telstra represent 75% of compromised devices in Australia. I already have generic email for Telstra which I’ll use but if someone here from Telstra wants to contact me directly please feel free.</span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">Could someone from these three please contact me off-list? If someone has good contacts in any of them, could you either a) forward my email to them asking them to contact me or b) email me their contact details off-list?</span></p>
<p class="MsoNormal" style><span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">I will be providing them with the part of the data that is relevant to their network.</span></p><p class="MsoNormal" style>
<span style="color:#1f497d"> </span></p><p class="MsoNormal" style><span style="color:#1f497d">Cheers,</span></p><p class="MsoNormal" style><span style="color:#1f497d">Parth</span></p><p class="MsoNormal" style><span style="color:#1f497d"> </span></p>
<div><div><p class="MsoNormal" style><strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></strong><span style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> Parth Shukla [<a href="mailto:pparth@auscert.org.au">mailto:pparth@auscert.org.au</a>] <br>
<strong><span style="font-family:"Tahoma","sans-serif"">Sent:</span></strong> Friday, 24 May 2013 7:45 PM<br><strong><span style="font-family:"Tahoma","sans-serif"">To:</span></strong> <a href="mailto:ausnog@lists.ausnog.net">ausnog@lists.ausnog.net</a><br>
<strong><span style="font-family:"Tahoma","sans-serif"">Subject:</span></strong> Analysis of the Carna Botnet (Internet Census 2012)</span></p></div></div><p class="MsoNormal" style> </p><p class="MsoNormal" style>
Dear All,</p><p class="MsoNormal" style> </p><p class="MsoNormal" style>I have made my presentation on the Carna Botnet freely available for view and/or download: <a href="http://bit.ly/auscertcarna">http://bit.ly/auscertcarna</a></p>
<p class="MsoNormal" style> </p><p class="MsoNormal" style>This presentation is on the Compromised Devices of the Carna Botnet (also known as Internet Census 2012). This analysis is done from data obtained directly from the researcher. The data used is NOT publicly available for download.</p>
<p class="MsoNormal" style> </p><p class="MsoNormal" style>This was recently presented at the AusCERT Conference 2013. Info: <a href="http://conference.auscert.org.au/conf2013/speaker_Parth_Shukla.html">http://conference.auscert.org.au/conf2013/speaker_Parth_Shukla.html</a></p>
<p class="MsoNormal" style> </p><p class="MsoNormal" style>This presentation is freely available for viewing and downloading as I wish to spread awareness of the issues raised as a result of the Carna Botnet.</p><p class="MsoNormal" style>
 </p><p class="MsoNormal" style>I am sending this email as I suspect many of you will find the contents of this presentation interesting. Apologies to those who are subscribed to multiple mailing lists and are receiving this email multiple times as a result. Please forward this onto any mailing list or any individual who you think may appreciate the contents of the presentation.</p>
<p class="MsoNormal" style> </p><p class="MsoNormal" style>Regards,</p><p class="MsoNormal" style>Parth</p><p class="MsoNormal" style> </p></div><p class="MsoNormal"><span style="font-family:"Verdana","sans-serif""><br>
<br></span></p><pre>_______________________________________________</pre><pre>AusNOG mailing list</pre><pre><a href="mailto:AusNOG@lists.ausnog.net">AusNOG@lists.ausnog.net</a></pre><pre><a href="http://lists.ausnog.net/mailman/listinfo/ausnog">http://lists.ausnog.net/mailman/listinfo/ausnog</a></pre>
</blockquote></blockquote><div><p class="MsoNormal"><span style="font-family:"Verdana","sans-serif""> </span></p>
</div></div></body></html>