Researcher sets up illegal 420,000 node botnet for IPv4 internet map

An anonymous researcher has taken an unorthodox approach to achieve the dream of mapping out the entire remaining IPv4 internet - and in doing so broken enough laws around the world to potentially put him or her behind bars for thousands of years. To scan the IPv4 address space, billions of pings must be sent to discover all the …

COMMENTS


Anonymous Coward

They will find the one responsible, oh yes they will.

1
4
HMB
Bronze badge

Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to and it occurred to them (it's amazing how smart some people can be and still lack common sense). I'm aware of the different ways remaining anonymous can be achieved as an IT professional as will many other reg readers. *coughs* PRINGLES *coughs*

* I would like to add for the record as an IT Professional that I don't endorse anything unethical or illegal in this statement.

6
0
Anonymous Coward

On tracking.

The config.log file available in the code download from the project website suggests that whoever did this is a hadoop customer. That would be somewhere for the authorities to start looking.

Note to greyhats: Always "make distclean" before you release something...

1
0
Silver badge
Mushroom

NO..

Anyone sufficiently intelligent to do something this amazing would have no problems remaining anonymous if they really wanted to...

First of all, this is not that "amazing". A script kiddie could have done this.

Second, ability in one field does not necessarily translate to ability in another. There's no reason to assume an "amazing" physicist would make even a passable geologist, for example. So ability in creating a botnet doesn't necessarily translate to ability to hide one's tracks.

6
25
Silver badge
Holmes

Re: NO..

> A script kiddie could have done this.

LOLNO.

I do hope your professional abilities are better than your evident lack of judgement would suggest.

21
5
Silver badge

Re: On tracking (etc)

" ..It also carried a readme file with a description of the project and an email address for the owner, or law enforcement, to get in touch if it was discovered."

Would that be a good starting point?

24
0
Anonymous Coward

Re: NO..

Ahahahah.

You have no idea what you're talking about.

Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something due to someone's insane interpretation of some obscure implementation of "POSIX", that's a challenge that is so far beyond the average script kid these days they couldn't see it with the Hubble Telescope.

32
3
Bronze badge

Re: NO..

"Getting a piece of C to compile for multiple architectures and operating system flavours, especially embedded ones, and run without segfaulting or accidentally breaking something"

Well, that's a very good point, isn't it. How do we, or this "researcher", know he didn't totally fsck up some of the systems he ran his code on?

It'd be interesting to know the number of IPs he was able to log in to which suddenly became uncontactable after his code ran.

I wonder what percentage of those were

a) legitimately switched off

b) changed IP

c) someone or something noticed his code and killed it

d) coincidentally had a fault at that time

e) the system broke/exploded due to his code

6
1
Stop

Re: On tracking (etc)

Depends if the information stored in the readme is a herring or the truth? How could one tell the difference? What if it's somebody else's information in order to frame them for such? I guess if it said Jeremy Clarkson, there might be motive too! CRAZY! *facepalms*

3
0
Anonymous Coward

Re: NO..

> A script kiddie could have done this.

A script kiddie already did it, and for the same reasons Robert Morris, in 1988. In Morris's case he just made a little mistake that caused infected systems to run so slowly that it was noticed.

6
0
Anonymous Coward

Re: NO..

"Getting code to compile for multiple architectures"

And that's the problem - he had absolutely no way of knowing if what he was doing was going to stop mis-configured hardware working, he also had no way of knowing what the hardware was and what it was doing at the time.

This is an utterly irresponsible act.

7
9
Gav
Bronze badge
Boffin

Sure a script-kiddy could have done this

Sure a script-kiddy could have done this: badly and in such a way that it would have failed to work on half the targeted boxes, or broken them, or made its presence obvious. And they'd also have it all traceable back to their bedroom.

Doing it so no-one noticed, over such a long period. Well it's maybe not brilliance, but evidence of an excellent professional who really knew what they were doing. Ethically however.... dodgy ground indeed.

9
1
Bronze badge

Re: Sure a script-kiddy could have done this

"Doing it so no-one noticed, over such a long period."

Good point, my first thoughts were why didn't the security companies report seeing traces? Or was this something that they saw but, because they couldn't get a handle on it, they didn't make any announcements?

Perhaps the main reason for this low profile was the decision to target specific device platforms. Although the report doesn't give too many details, I suspect the target OS was Linux-based and the preferred platform was consumer routers and set-top boxes, i.e. not end-user workstations, since these would typically be sitting behind a router.

Basically, the target systems were those that normally do not run any security software, unlike many Windows workstations, and hence were highly unlikely to detect and report the presence of new code. Additionally, the code was focused on devices directly attached to the Internet rather than via a LAN/private network, i.e. places where it is possible to monitor network traffic and identify abnormal traffic patterns.

This research also raises a question about the claims that get made about Linux security, as without a security scanner how would you know if a Linux system was running unauthorised code?

Finally what this research also demonstrates is that it isn't only SCADA systems that are in need of greater security (see http://www.theregister.co.uk/2013/03/20/scada_honeypot_research/ ) ...

0
0
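The comment above points out that the compromised devices ran no security software and sat outside the networks where traffic is normally monitored. Where flow records do exist (at an ISP or campus edge, for instance), the telnet fan-out that credential-guessing propagation produces is one pattern a defender can look for. The following is an added example, not code from the article or from anyone in the thread; the flow-record layout, the sample lines and the threshold of 10 are all constructed assumptions.

```python
"""Flag sources that open telnet (TCP/23) connections to many distinct hosts.

Added example; the flow-record format "<epoch> <src> <dst> <proto> <dport> <bytes>"
and every sample line below are constructed for illustration.
"""
from collections import defaultdict
import ipaddress

TELNET_PORT = 23

# Constructed sample flow log, one record per line.
SAMPLE_FLOWS = "\n".join(
    # 192.0.2.10 probes twelve different hosts on TCP/23: scanner-like fan-out.
    [f"136380{i:04d} 192.0.2.10 198.51.100.{i} tcp 23 {100 + i}" for i in range(1, 13)]
    # 192.0.2.20 manages two devices over telnet plus ordinary HTTPS traffic.
    + ["1363800100 192.0.2.20 198.51.100.50 tcp 23 4096",
       "1363800101 192.0.2.20 198.51.100.51 tcp 23 3000",
       "1363800102 192.0.2.20 203.0.113.7 tcp 443 90210",
       # One IPv6 record, so the parser handles both address families.
       "1363800103 2001:db8::10 2001:db8::23 tcp 23 77",
       # A malformed line that the parser must skip rather than crash on.
       "garbled line that should be skipped"]
)


def parse_flow(line):
    """Return a dict for one flow record, or None if the line is malformed."""
    fields = line.split()
    if len(fields) != 6:
        return None
    ts, src, dst, proto, dport, nbytes = fields
    try:
        return {
            "ts": int(ts),
            "src": ipaddress.ip_address(src),   # accepts IPv4 and IPv6
            "dst": ipaddress.ip_address(dst),
            "proto": proto.lower(),
            "dport": int(dport),
            "bytes": int(nbytes),
        }
    except ValueError:
        return None


def telnet_fanout(text):
    """Map each source address to the set of distinct hosts it contacted on TCP/23."""
    targets = defaultdict(set)
    for line in text.splitlines():
        flow = parse_flow(line)
        if flow and flow["proto"] == "tcp" and flow["dport"] == TELNET_PORT:
            targets[str(flow["src"])].add(str(flow["dst"]))
    return targets


def flag_scanners(text, threshold=10):
    """Return [(src, distinct_targets)] for sources at or above the fan-out
    threshold, largest first. The default of 10 is an assumed starting point;
    tune it to what legitimate telnet administration looks like on your network."""
    hits = [(src, len(dsts)) for src, dsts in telnet_fanout(text).items()
            if len(dsts) >= threshold]
    return sorted(hits, key=lambda h: (-h[1], h[0]))


if __name__ == "__main__":
    for src, n in flag_scanners(SAMPLE_FLOWS):
        print(f"{src}: telnet connections to {n} distinct hosts")
```

A flagged source is a lead to investigate, not proof of compromise: a legitimate management host can also touch many devices on port 23, which is why the threshold needs local tuning.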
FAIL

Re: NO..

This is an utterly irresponsible act.

Are you an anal retentive? Do you have COPD? Have you ever had a girlfriend?

1
0

Re: NO..

"This is an utterly irresponsible act."

Possibly. But what is more irresponsible is putting a device, ANY device out there with not only TELNET enabled, but also with global root access, and either a blank or same-as-username password. THAT'S the utterly irresponsible act.

Just thinking "oh security doesn't matter - this device won't connect to the internet" is bloody stupid... if that were truly the case, then why do the devices have default gateways configured... allowing communication with the outside world.

If this guy really wants to avoid negative legal action, he should send out notifications to the owners of all the IP addresses that he managed to get into to tell them to fire their IT staff!

1
0
Bronze badge

Re: @Steve Knox : NO.. A script kiddie could have done this.

Whilst it is not impossible for a script kiddie to have done this, I've yet to come across any script kiddie who can coherently write up the results of their work; the paper and level of presentation detail strongly indicate that this is the work of a professional, albeit one who gets a kick out of what they do - but hey, that's the reason why many of us work in IT.

1
0
Bronze badge

@HMB Re: remaining anonymous

The real problem facing the person behind this research will be keeping quiet!

This research really is something to shout about. If this was a 'normal' research project there is more than enough material for the person to write this up as a formal paper and have it published as the product of a masters project. Additionally, how many people can say that they've built and successfully operated a massive botnet? But that ignores the successful retrieval and collation of substantial amounts of data from it and its analysis and interpretation.

So I would expect details to eventually leak out - however, unless people can actually provide evidence that their device was used I would think the researcher is relatively safe from prosecution...

1
0
Anonymous Coward

Re: Would that be a good starting point?

Well that depends. An email address that the owner sets up and only ever accesses over TOR isn't much use to anybody. Whereas hadoop keeps a list of all its customers because it has to be able to get them to pay their bills.

0
0
Bronze badge

Re: how would you know if a Linux system was running unauthorised code?

As one of the first things you do is change the default admin ID and password, and limit the scope of any remote login facility (if you don't disable it completely) you won't need to worry that your router has been compromised by this sort of attack, will you? You did change the ID ... ?

0
0
Bronze badge
Go

Prosecution would be proof of idiocy..

Yes, there is a question of ethics here, but going by the description in the article the researcher in question did everything By The Book when it comes to Gentleman Hacking.

Hell, he even left his contact details right there in the code....

Even so, besides a pretty map the whole project has proven a number of things:

- Linux devices are as secure as their admins. Come on... standard passwords?

- There are other people actively using the same vector for not-so-friendly purposes.

- You cannot stop, nor deter a dedicated Nerd.

The guy should get a medal for this, really.

50
3
Bronze badge

Re: Prosecution would be proof of idiocy..

Name just *ONE* time a government has not done its level best to prove its idiocy? Indeed, over the past decade, many governments seem to try to outdo each other in idiotic acts.

So, I suspect this researcher will end up in prison until the heat death of the universe. :/

8
0
Silver badge
Pint

Respect muh authority! This WILL be fully prosecuted.

This activity seems to be on the level of "urban exploration". On a bad day you may end up being chased by rats, guard dogs, mafiosi and coppers. Or come too near a radioactive landfill site. Or give an old lady a premature heart attack. On a good day, you come away with a set of nice high-resolution pictures.

There is always the chance that the scan hits the Internet-connected widely open medical device controller, which would be bad. I still wouldn't get into a tizzy over "ethics", which are often just a convenient bullet-pointed-and-ordered-by-priority way of pretending that tradeoffs and fast or dubious decisions don't exist in the real world. Or worse, that one is whiter than driven snow...

7
2

Re: Prosecution would be proof of idiocy..

'- Linux devices are as secure as their admins. Come on... standard passwords?'

Admins? A quote from the article:

'The vast majority of infected systems were consumer routers or set-top boxes'

So, these devices really have no 'admins', per se, and their users probably haven't a clue they run any sort of OS at all. The manufacturers need their arses collectively kicked regarding things like default security of these devices, knowing full well that the average target user of a piece of consumer electronics is just going to plug the bugger in and get on with it without RTFM about security.

What should be more of a worry (though it isn't that surprising) were the

'..Cisco and Juniper hardware, x86 equipment with crypto accelerator cards, industrial control systems, and physical door security systems.'

that they managed to compromise.

From this, I take it, amateur hour isn't quite over yet out there.

17
1
Anonymous Coward

Re: Prosecution would be proof of idiocy..

The guy should get a medal for this, really.

Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.

So, let me use uppercase because it appears it is needed.

THE REASON FOR WHICH YOU BROKE THE LAW MATTER ONLY INSOFAR THAT THEY CAN AFFECT THE FINE WHEN CAUGHT - THEY DO NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.

Got that? Good. Read it *again*.

FFS, get this into your thick heads - the only safe way to explore security is by permission, and you damn well should get it in writing - people have a habit of changing their minds when you dig up something embarrassing. Accessing any kind of device without the explicit permission of its owner is in most countries considered a criminal act, for very good reasons (this is the coat hanger they convict the bad guys with as well, and they would naturally claim they were only checking security). This is why you cover your rear end when you report a vulnerability you come across as "it is possible that"...

Even accessing a public website in a manner different than your normal browser would can, if proven, get you in trouble.

13
29
Bronze badge
Thumb Up

Re: Prosecution would be proof of idiocy..

I'm pretty sure our router participated. It was decommissioned yesterday but, yes, it was admin/admin and I had no say in the matter. You can have the most knowledgeable security people in the world but it doesn't do jack if management (CEO) sets an idiotic policy.

OTOH, policy set by the new manufacturer created the password from hell, and aside from typos, I'm loving it.

9
0
JDX
Gold badge

Re: Prosecution would be proof of idiocy..

Poppycock.

If someone breaks into my car while I'm on holiday and drives around in it to do their shopping, then washes it and tops up the fuel and leaves a thankyou note, it does not stop it being a crime.

If they break into my house and live there but do no damage it's still a crime.

Please, buy a ticket to the real world. Just because it's the internet does not mean it's OK. It's cool and clever in the same way many crimes are cool and clever but it's still a crime.

Not taking action sends out a message plain and simple that this kind of thing is OK. What happens when 100 people do the same thing and all target the same devices?

11
9
M7S
Bronze badge

the only safe way to explore security.....

I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.

It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.

Both of the above are laudable, and done with the best of intent. In the latter case there's no reasonable suspicion of an offence other than an unlocked door and in the former there's no crime except that possibly (no permanent deprivation intended so it's not theft but it might be something like "interfering with my stuff") being committed by the officer.

I wouldn't seek to stop either practice but perhaps on examination the actions of the police are a little bit greyer. PC Dixon's not going to do the same to my computer. How, really, do the actions of this researcher in this instance (and I appreciate the dangers of setting precedent) differ? I know, I could pay a company to do this but most people aren't going to, in the same way that most people won't engage a security contractor to come and assess their home. You're certainly not going to get such a wide survey done via contractors. Just food for thought.

4
0
Anonymous Coward

Re: Prosecution would be proof of idiocy..

Windows boxes force you to pick a secure password by default. Bit of a Linux fail there.

0
10
Boffin

Re: Prosecution would be proof of idiocy..

Yawn, here we go again. I walked into your house because you left the door unlocked and I'm only surveying the wallpaper in this street - still illegal, still going to jail, still not passing "Go", and still not collecting $200.

In the UK, this would not result in jail time. It's unlikely to even result in prosecution. The only reason it would be against the law at all is because of recent changes to squatting legislation.

12
2
Bronze badge
Joke

Re: Prosecution would be proof of idiocy..

@Wzrd1

Come on Sgt. Bribeasy, we'll show that hacker how intelligent I am!

Right inspector, you get a tape measure and I'll fetch the two short planks!

To misquote Smith and Jones.

0
0
Bronze badge
Thumb Down

Re: in the former there's no crime except

Taking without consent (TWOC in the vernacular) sounds about right.

0
0
JDX
Gold badge

@M7S

>>I've seen plenty of documentaries in which UK policepersons will sneak up on unsuspecting people in railway stations or similar places and take their bag (which they are not watching properly) and wait until the person notices it is missing (usually when then setting off) before advising them of the error of their ways.

>>It used to be common practice for police on foot patrol at night (OK, I know, I'm nostalgic) to rattle the doors/gates to commercial premises to check they were secure and if not, to pop in to check that all was well and if possible, later advise the owner to apply better security.

>>Both of the above are laudable, and done with the best of intent.

1) Both of those are done by POLICE not VIGILANTES.

2) It's not illegal for me to pick up your bag. I'm not going inside to rummage about and then handing it back. Entering your computer system uses cycles and you cannot guarantee his code is bug-free.

3
5
Anonymous Coward

Re: @M7S

To follow up on JDX

The appropriate phrases around the police checking doors are "policing by consent" and "within a legal framework"

Such activities were with the connivance of the owners and their insurers.

A modern equivalent of trying the doorknob might be to see if a password challenge was issued but no more than that.

0
0
Anonymous Coward

Re: Prosecution would be proof of idiocy..

It would certainly be trespass (which was upgraded to criminal, IIRC), and they would probably be able to get you for "going equipped" if you had anything even remotely dodgy on you.

0
2
Anonymous Coward

Re: Trespass

Trespass in and of itself in the UK is not regarded as a criminal matter, unless there are other factors involved.

http://trespassing.co.uk/

3
0
Bronze badge
Linux

Re: Prosecution would be proof of idiocy..

"The guy should get a medal for this..."

Or at least the admiration of his/her peers.

1
0
Bronze badge
Terminator

@AC 07:51 Re: Prosecution would be proof of idiocy..

Physical - Virtual -- Apples - Oranges

0
1
Bronze badge
Terminator

@JDX Re: Prosecution would be proof of idiocy..

Physical - Virtual -- Apples - Oranges

0
1
Silver badge
Facepalm

Re: require creation of secure password.

Many Linux distros require a "secure password" as well.

Almost none of the machines were installed by their operators. They were embedded systems (routers, switches), so the fail is on the manufacturer (and/or admin).

2
0
Facepalm

Re: Prosecution would be proof of idiocy..

On the other hand, how much effort would the police spend tracking someone down if you told them you think maybe, when you left the door open, someone might have looked in at your wallpaper, but you can't really prove it.

1
0

Re: Prosecution would be proof of idiocy..

There are 'white hats', 'gray hats', 'black hats' and ass hats... An ass hat is someone so naive as to believe that they are breaking no laws in their squeaky-clean lives. This gives them the moral authority to proclaim from behind their anonymous coward masks that indeed THE REASON FOR WHICH YOU BROKE THE LAW MATTER ONLY INSOFAR THAT THEY CAN AFFECT THE FINE WHEN CAUGHT - THEY DO NOT CHANGE THE FACT THAT YOU COMMITTED A CRIME.

Well, let me tell you, ass hat... that laundry you are wearing isn't as clean as you think it is...

2
1

This post has been deleted by its author

WOW

Default Password FTW

0
1
Silver badge
Stop

Re: WOW

Yes, because Granny Francine knows all about changing router passwords when she gets a preconfigured box through the post, plugs it in and gets internet.

4
1

ZOMG Running out of IPv4 addresses!!!!

1.3b out of 4.3b is not "running out"

9
0
Thumb Up

Re: ZOMG Running out of IPv4 addresses!!!!

I'd agree, I'd certainly argue that DEC no longer needs an entire /8... for example. I think they need to *yoink* back those IP ranges that aren't being used.

8
0
FAIL

Re: ZOMG Running out of IPv4 addresses!!!!

This argument again?

1) DEC doesn't exist anymore, it's HP now.

2) Getting a few /8's back just delays the inevitable by a few months. That's it. By the time you force HP to renumber their entire internal network just to free the /8 up, it would already be too late.

Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network.

9
10
Anonymous Coward

Re: ZOMG Running out of IPv4 addresses!!!!

If you really want to get technical, do any of these companies actually need a /8 (some have more than one as well)?

006/8 Army Information Systems Center

013/8 Xerox Corporation

015/8 Hewlett-Packard Company

016/8 Digital Equipment Corporation (acquired by Compaq who was then acquired by HP)

017/8 Apple Computer Inc.

018/8 MIT

019/8 Ford Motor Company

021/8 DDN-RVN

022/8 Defense Information Systems Agency

026/8 Defense Information Systems Agency

028/8 DSI-North

029/8 Defense Information Systems Agency

030/8 Defense Information Systems Agency

033/8 DLA Systems Automation Center

034/8 Halliburton Company

044/8 Amateur Radio Digital Communications

048/8 Prudential Securities Inc.

051/8 UK Government Department for Work and Pensions

052/8 E.I. duPont de Nemours and Co., Inc.

053/8 Cap Debis CCS

054/8 Merck and Co., Inc.

056/8 US Postal Service

057/8 SITA

The DoD which has four /8's.

Lastly, there are a number of /8's that have never been assigned:

000/8 IANA - Local Identification

240/8 Future use

241/8 Future use

242/8 Future use

243/8 Future use

244/8 Future use

245/8 Future use

246/8 Future use

247/8 Future use

248/8 Future use

249/8 Future use

250/8 Future use

251/8 Future use

252/8 Future use

253/8 Future use

254/8 Future use

255/8 Future use

There would be some /24's out of 0/8 and 255/8 that couldn't be assigned but others that would be usable.

The real answer is IPv6 as sooner or later you need the additional addresses. When most of the legacy IPv4 blocks were assigned, the address space was used internally. There are institutions that still do that which is just a huge waste of address space.

15
0
Bronze badge

Re: ZOMG Running out of IPv4 addresses!!!!

"Instead of trying to take things away from people that they legitimately have, maybe you should start IPv6 enabling your network."

I don't know about everyone else but my networks have been IPv6-ready for several years now. I see precisely zip IPv6 traffic (a bit of IPv6 NTP to a pool server I run, but that's about it). Hell, my log analysis scripts still break on IPv6 and I can't be bothered to fix them for the rare occasions one of those addresses pops up in the logs.

And before we start questioning why home users aren't using IPv6, maybe we should point the finger at places like The Reg itself, or Slashdot, or any one of the myriad "technical" sites that doesn't even publish an AAAA address at all but yet PUBLISHES ARTICLES about it.

13
0
Silver badge

Re: ZOMG Running out of IPv4 addresses!!!!

Big name software doesn't help matters. TMG won't play nice with IPv6, so if you have an ISP with 6 only, or hosting websites etc., then 6->4 translation is what you would be stuck with. Not ideal really.

0
0