[AusNOG] Analysis of the Carna Botnet (Internet Census 2012)

Ryan Crouch ryan at apexn.com.au
Wed May 29 12:43:32 EST 2013


As odd as that may sound, I was helping a friend with a Cisco LAB at home
with his CCNA. He was a residential customer of one of the 'large' ISPs
mentioned below.



He couldn't understand that when he would telnet to some 192.168/16 address
that his 2600 router was suddenly in fact a 7206VXR with Gig interfaces and
the hostname was 'TEST_BRAS'. He was most upset he couldn't configure things
as the manual had discussed because the interface names didn't match.



I ended up contacting the ISP in question to warn them.



----------

C877#telnet 192.168.1.1
Trying 192.168.1.1 ... Open

User Access Verification

Username: cisco
Password:

TEST_BRAS>en
Password:
TEST_BRAS#
TEST_BRAS#sh ver
Cisco IOS Software, 7200 Software (C7200-JS-M), Version 12.2(31)SB16, RELEASE SOFTWARE (fc2)

etc etc ....

--------



Needless to say he was disappointed when I told him his routing was wrong
(poor guy) and that his router was certainly not a 7206 with Ge's. ;) He
thought his ebay CCNA lab router was a special. Turns out someone else was
'special'.



Good times.



-Ryan







*From:* ausnog-bounces at lists.ausnog.net [mailto:
ausnog-bounces at lists.ausnog.net] *On Behalf Of *PRK
*Sent:* Wednesday, 29 May 2013 12:02 PM
*To:* ausnog at lists.ausnog.net
*Subject:* Re: [AusNOG] Analysis of the Carna Botnet (Internet Census 2012)



You're assuming it's the ISP's infrastructure with default credentials,
rather than the ISP's customer's CPE?

prk.

On 2013-05-29 11:43, Jake Anderson wrote:

telnet someserver.tpg.com
ping tpgdns.tpg.com -f -l 1000 -p 436865636b204175736e6f67 -s 1450

MUWHAHAHAHAH!
They may be a little less receptive to the idea of you being white hat
however ;->

(for the lazy hex 43:68:65:63:6b:20:41:75:73:6e:6f:67 = "Check Ausnog" in
the ascii realm)

On 29/05/13 11:05, Parth Shukla wrote:

Hey all,



I am still looking for contacts for: TPG, Optus and iiNet!



Someone did kindly forward my email to iiNet security team so I’ll wait a
day or two more to hear from them still…



Anyone? Anything?!



Cheers,

Parth



*Parth Shukla* |Information Security Analyst

AusCERT | Australia’s premier computer emergency response team

The University of Queensland | Brisbane QLD 4072 | Australia

t: (07) 334 64537 |e: pparth at auscert.org.au w: www.auscert.org.au




Save a tree. Don't print this e-mail unless it's really necessary



*From:* Parth Shukla [mailto:pparth at auscert.org.au <pparth at auscert.org.au>]
*Sent:* Tuesday, 28 May 2013 12:39 PM
*To:* ausnog at lists.ausnog.net
*Subject:* Re: Analysis of the Carna Botnet (Internet Census 2012)



Hi All,



I’m hoping most of you have had a chance to at least have a quick look at
my presentation by now.



I’m now after technical contacts for three of the four most prominent
Telcos that are present in the Australian data (slide 44 of my
presentation). I am hoping to work with someone fairly technical in helping
deal with the problem of vulnerable devices through default logins on
telnet on their infrastructure.



I’m after (generic and/or non-generic) technical and security focused
contact details for: *TPG, Optus and iiNet*.



The IP ranges for these three and Telstra represent 75% of compromised
devices in Australia. I already have generic email for Telstra which I’ll
use but if someone here from Telstra wants to contact me directly please
feel free.



Could someone from these three please contact me off-list? If someone has
good contacts in any of them, could you either a) forward my email to them
asking them to contact me or b) email me their contact details off-list?



I will be providing them with the part of the data that is relevant to
their network.



Cheers,

Parth






*From:* Parth Shukla [mailto:pparth at auscert.org.au <pparth at auscert.org.au>]
*Sent:* Friday, 24 May 2013 7:45 PM
*To:* ausnog at lists.ausnog.net
*Subject:* Analysis of the Carna Botnet (Internet Census 2012)



Dear All,



I have made my presentation on the Carna Botnet freely available for view
and/or download: http://bit.ly/auscertcarna



This presentation is on the Compromised Devices of the Carna Botnet (also
known as Internet Census 2012). This analysis is done from data obtained
directly from the researcher. The data used is NOT publicly available for
download.



This was recently presented at the AusCERT Conference 2013. Info:
http://conference.auscert.org.au/conf2013/speaker_Parth_Shukla.html



This presentation is freely available for viewing and downloading as I wish
to spread awareness of the issues raised as a result of the Carna Botnet.



I am sending this email as I suspect many of you will find the contents of
this presentation interesting. Apologies to those who are subscribed to
multiple mailing lists and are receiving this email multiple times as a
result. Please forward this onto any mailing list or any individual who you
think may appreciate the contents of the presentation.



Regards,

Parth








_______________________________________________

AusNOG mailing list

AusNOG at lists.ausnog.net

http://lists.ausnog.net/mailman/listinfo/ausnog


