[AusNOG] Fwd: Re: Analysis of the Carna Botnet (Internet Census 2012)

Tim March march.tim at gmail.com
Wed May 29 12:35:06 EST 2013


This was meant for the list...


T.

-------- Original Message --------
Subject: Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)
Date: Wed, 29 May 2013 12:34:08 +1000
From: Tim March <march.tim at gmail.com>
To: Pinkerton, Eric <Eric.Pinkerton at baesystemsdetica.com>


Hahahah...

I'm not sure how much it's been raised in the existing coverage, but
there's also a serious privacy issue here -

Basically all of these CPE devices store credential pairs in clear text.
Their storage implementations are, in fact, so crappy that if you log in
to most DSL CPE, hit the PPPoE/whatever configuration page and 'show
page source' you'll get the user/pass pair echoed back in clear text.

I'm pretty certain this includes the Thomson SpeedTouch devices on the
end of many BigPond links. Assuming there's a large subset of those
connected with weak Telnet configurations, as is implied, it would be
trivial to harvest those user credentials en masse.

Given account holder names and billing details are then available via
the portal this escalates to a large scale PII leak.

The security community has been aware of this for years (I actually
wrote one of the well known Cisco telnet scanning and exploitation tools
back in the 90's) but it's largely been ignored by the carriers. Now
that someone is beating the drum I'll be watching pretty closely to see
what they do about it.




T
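
The clear-text echo described above is easy to audit for once you have a saved copy of a device's settings page. The script below is an added example for this thread, not code from the original post or from any CPE vendor: it walks the page with Python's standard-library HTML parser and reports every password-type input (or secret-looking text/hidden field) that comes back with a real value, plus string assignments to password-like variables in inline scripts. The two sample pages, the field names and the variable names are constructed for the example and are not captured from a real device; an empty or fully masked value such as ******** is treated as not leaked.

```python
import re
from html.parser import HTMLParser

# Field/variable names that typically carry a stored secret on a CPE web UI.
# Assumed patterns for this example, not taken from any vendor's firmware.
SECRET_NAME_RE = re.compile(r"pass|pwd|secret", re.IGNORECASE)

# Inline-script string assignments such as:  var wanPassword = "hunter2";
JS_ASSIGN_RE = re.compile(r"\b([A-Za-z_$][\w$]*)\s*=\s*([\"'])(.*?)\2")


class EchoedSecretFinder(HTMLParser):
    """Finds places where a config page writes a stored credential back to the client.

    Two echo channels are checked:
      * <input type="password" value="..."> (or a text/hidden input whose name
        looks secret-bearing) carrying a non-empty, non-masked value;
      * string assignments inside <script> blocks to secret-looking variables.
    """

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    @staticmethod
    def _is_masked(value):
        # A device that echoes nothing, or only "********", is not leaking the secret.
        return value == "" or set(value) <= {"*"}

    def handle_starttag(self, tag, attrs):
        tag = tag.lower()
        if tag == "script":
            self._in_script = True
            return
        if tag != "input":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        itype = a.get("type", "text").lower()
        name = a.get("name", "")
        value = a.get("value", "")
        if self._is_masked(value):
            return
        if itype == "password" or (itype in ("text", "hidden") and SECRET_NAME_RE.search(name)):
            self.findings.append({"source": "input", "name": name, "value": value})

    def handle_data(self, data):
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() != "script":
            return
        self._in_script = False
        script = "".join(self._script_buf)
        self._script_buf = []
        for name, _quote, value in JS_ASSIGN_RE.findall(script):
            if SECRET_NAME_RE.search(name) and not self._is_masked(value):
                self.findings.append({"source": "script", "name": name, "value": value})


def find_echoed_secrets(html):
    """Return a list of {source, name, value} dicts, one per echoed credential."""
    parser = EchoedSecretFinder()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample of a leaky PPPoE settings page (not captured from a real device).
LEAKY_PAGE = """<html><body>
<form action="/cgi-bin/wan_pppoe" method="post">
  Username: <input type="text" name="pppoe_user" value="user123@isp.example"><br>
  Password: <input type="password" name="pppoe_pass" value="hunter2"><br>
  <input type="hidden" name="session_id" value="3f9c1a">
  <input type="submit" value="Apply">
</form>
<script>
  var wanPassword = "hunter2";
  var lanIp = "192.168.1.1";
</script>
</body></html>"""

# The same page as a hardened device should render it: the secret is never sent back.
SAFE_PAGE = """<html><body>
<form action="/cgi-bin/wan_pppoe" method="post">
  Username: <input type="text" name="pppoe_user" value="user123@isp.example"><br>
  Password: <input type="password" name="pppoe_pass" value="********"><br>
  <input type="hidden" name="session_id" value="3f9c1a">
</form>
<script>
  var wanPasswordSet = true;
  var lanIp = "192.168.1.1";
</script>
</body></html>"""


if __name__ == "__main__":
    for label, page in (("leaky", LEAKY_PAGE), ("safe", SAFE_PAGE)):
        hits = find_echoed_secrets(page)
        print(f"{label}: {len(hits)} echoed credential(s)")
        for h in hits:
            print(f"  {h['source']}: {h['name']} = {h['value']!r}")
```

Run it against the HTML you saved from a real device's WAN page; a hit on the leaky side is exactly what a 'show page source' would reveal to anyone who can reach the web UI, whether through a weak Telnet password or otherwise.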

On 29/05/13 12:09 PM, Pinkerton, Eric wrote:
> What's that dear? - there is a man from Teepee G on the phone? - he says our router has been running tennis net demons  and we have defaulted on our credentials dear? He wants us upgrade our formware dear?
> Sounds like a scam dear, just hang up!
>
> It is better to know nothing and do nothing, than it is to know something and do nothing...
>
> -----Original Message-----
> From: ausnog-bounces at lists.ausnog.net [mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Tim March
> Sent: Wednesday, 29 May 2013 11:53 AM
> To: ausnog at lists.ausnog.net
> Subject: Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)
>
>
> Yeah, I was literally just sitting here wondering how fast they'd react if you scripted up an "nmap | ncrack | nc `login && write erase`" on all the vulnerable hosts...
>
> "20,000 of your customers just went offline and need manual intervention to re-establish their service. Good luck with that."
>
>
>
> T.
>
> On 29/05/13 11:43 AM, Jake Anderson wrote:
>> telnet someserver.tpg.com
>> ping tpgdns.tpg.com -f -l 1000 -p 436865636b204175736e6f67 -s 1450
>>
>> MUWHAHAHAHAH!
>> They may be a little less receptive to the idea of you being white hat
>> however ;->
>>
>> (for the lazy, hex 43:68:65:63:6b:20:41:75:73:6e:6f:67 = "Check Ausnog"
>> in the ASCII realm)
>>
>> On 29/05/13 11:05, Parth Shukla wrote:
>>>
>>> Hey all,
>>>
>>> I am still looking for contacts for: TPG, Optus and iiNet!
>>>
>>> Someone did kindly forward my email to iiNet security team so I'll
>>> wait a day or two more to hear from them still...
>>>
>>> Anyone? Anything?!
>>>
>>> Cheers,
>>>
>>> Parth
>>>
>>> Parth Shukla | Information Security Analyst
>>>
>>> AusCERT | Australia's premier computer emergency response team
>>>
>>> The University of Queensland | Brisbane QLD 4072 | Australia
>>>
>>> t: (07) 334 64537 | e: pparth at auscert.org.au | w: www.auscert.org.au
>>>
>>> Save a tree. Don't print this e-mail unless it's really necessary
>>>
>>> From: Parth Shukla [mailto:pparth at auscert.org.au]
>>> Sent: Tuesday, 28 May 2013 12:39 PM
>>> To: ausnog at lists.ausnog.net
>>> Subject: Re: Analysis of the Carna Botnet (Internet Census 2012)
>>>
>>> Hi All,
>>>
>>> I'm hoping most of you have had a chance to at least have a quick look
>>> at my presentation by now.
>>>
>>> I'm now after technical contacts for three of the four most prominent
>>> telcos that are present in the Australian data (slide 44 of my
>>> presentation). I am hoping to work with someone fairly technical in
>>> helping deal with the problem of vulnerable devices through default
>>> logins on telnet on their infrastructure.
>>>
>>> I'm after (generic and/or non-generic) technical and security focused
>>> contact details for: TPG, Optus and iiNet.
>>>
>>> The IP ranges for these three and Telstra represent 75% of compromised
>>> devices in Australia. I already have a generic email for Telstra which
>>> I'll use but if someone here from Telstra wants to contact me directly
>>> please feel free.
>>>
>>> Could someone from these three please contact me off-list? If someone
>>> has good contacts in any of them, could you either a) forward my email
>>> to them asking them to contact me or b) email me their contact details
>>> off-list?
>>>
>>> I will be providing them with the part of the data that is relevant to
>>> their network.
>>>
>>> Cheers,
>>>
>>> Parth
>>>
>>> From: Parth Shukla [mailto:pparth at auscert.org.au]
>>> Sent: Friday, 24 May 2013 7:45 PM
>>> To: ausnog at lists.ausnog.net
>>> Subject: Analysis of the Carna Botnet (Internet Census 2012)
>>>
>>> Dear All,
>>>
>>> I have made my presentation on the Carna Botnet freely available for
>>> view and/or download: http://bit.ly/auscertcarna
>>>
>>> This presentation is on the Compromised Devices of the Carna Botnet
>>> (also known as Internet Census 2012). This analysis is done from data
>>> obtained directly from the researcher. The data used is NOT publicly
>>> available for download.
>>>
>>> This was recently presented at the AusCERT Conference 2013. Info:
>>> http://conference.auscert.org.au/conf2013/speaker_Parth_Shukla.html
>>>
>>> This presentation is freely available for viewing and downloading as I
>>> wish to spread awareness of the issues raised as a result of the Carna
>>> Botnet.
>>>
>>> I am sending this email as I suspect many of you will find the
>>> contents of this presentation interesting. Apologies to those who are
>>> subscribed to multiple mailing lists and are receiving this email
>>> multiple times as a result. Please forward this onto any mailing list
>>> or any individual who you think may appreciate the contents of the
>>> presentation.
>>>
>>> Regards,
>>>
>>> Parth
>>>
>>>
>>> _______________________________________________
>>> AusNOG mailing list
>>> AusNOG at lists.ausnog.net
>>> http://lists.ausnog.net/mailman/listinfo/ausnog
>>