Researcher sets up illegal 420K node botnet to scan entire Internet


By leveraging unsecured Internet-accessible embedded devices, an anonymous researcher succeeded in creating a massive botnet consisting of 420,000 devices. This was used to perform a comprehensive IPv4 census that found 1.3 billion addresses in use, 141 million of which were behind a firewall.

In all, the project collected more than 9TB of raw logs from a staggering 4 trillion service probes, recording 175 billion replies.

The botnet was established by scanning public IP addresses to find and break into appliances with default passwords or those that didn't have passwords at all.

By writing small binary clients for the major platforms, the researcher used already-commandeered devices to speed up the rate at which new devices were acquired. Eventually, the sheer number of bots under command meant that devices whose IP addresses changed could be reacquired within 24 hours.

"As could be seen from the sample data, insecure devices are located basically everywhere on the Internet. They are not specific to one ISP or country. So the problem of default or empty passwords is an Internet and industry wide phenomenon," wrote the unidentified researcher. He stressed that his research was conducted with "maximum respect to the privacy" of the device users, and also crafted the binary to run at the lowest system priority. A system reset will erase the bot.

"While everybody is talking about high class exploits and cyberwar, four simple stupid default telnet passwords can give you access to hundreds of thousands of consumer as well as tens of thousands of industrial devices all over the world," he concluded. The compressed research data can be downloaded here.
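The article's point is that the sweep relied on nothing more than telnet logins with empty or vendor-default passwords. From a defender's side, the corresponding check is to look at a device's own telnet authentication log for exactly that pattern: one source trying a handful of accounts with empty or default passwords, and any login that actually succeeded that way. The script below is an added example, not code from the article or from the researcher's project. It assumes a hypothetical log format (constructed here) in which the daemon records whether the offered password was empty, a known default, or something else; the sample lines and TEST-NET addresses are constructed.

```python
"""Flag telnet login activity characteristic of a default-credential sweep.

Hypothetical auth-log format, constructed for this example (real telnet
daemons do not normally record whether a password was empty or a default):

    <ISO8601> telnetd: user=<name> pw=<empty|default|other> src=<ipv4> result=<OK|FAIL>
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r"^(?P<ts>\S+) telnetd: user=(?P<user>\S+) pw=(?P<pw>empty|default|other) "
    r"src=(?P<src>\d{1,3}(?:\.\d{1,3}){3}) result=(?P<result>OK|FAIL)$"
)

# Password classes that the article's sweep would have succeeded against.
WEAK = {"empty", "default"}

# Constructed sample log: two sweeping sources (TEST-NET addresses) and one
# legitimate operator login with a non-default password.
SAMPLE_LOG = """\
2012-03-02T04:12:07Z telnetd: user=root pw=empty src=203.0.113.5 result=FAIL
2012-03-02T04:12:08Z telnetd: user=admin pw=empty src=203.0.113.5 result=FAIL
2012-03-02T04:12:09Z telnetd: user=admin pw=default src=203.0.113.5 result=OK
2012-03-02T04:15:00Z telnetd: user=operator pw=other src=198.51.100.7 result=OK
2012-03-02T04:20:11Z telnetd: user=root pw=default src=203.0.113.9 result=FAIL
2012-03-02T04:20:12Z telnetd: user=root pw=empty src=203.0.113.9 result=FAIL
2012-03-02T04:20:13Z telnetd: user=guest pw=default src=203.0.113.9 result=FAIL
2012-03-02T04:20:14Z telnetd: user=admin pw=default src=203.0.113.9 result=FAIL
"""


def parse(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def analyze(events, sweep_threshold=3):
    """Summarise weak-credential activity in a list of parsed events.

    sweep_sources:      sources that made >= sweep_threshold attempts, every
                        one of them with an empty or default password
    weak_success:       (src, user, pw) for logins that succeeded that way
    accounts_to_rotate: accounts whose password must be changed because a
                        weak credential was accepted for them
    """
    attempts = defaultdict(list)
    for e in events:
        attempts[e["src"]].append(e)

    sweep_sources = sorted(
        src
        for src, evs in attempts.items()
        if len(evs) >= sweep_threshold and all(e["pw"] in WEAK for e in evs)
    )
    weak_success = [
        (e["src"], e["user"], e["pw"])
        for e in events
        if e["result"] == "OK" and e["pw"] in WEAK
    ]
    accounts_to_rotate = sorted({user for _, user, _ in weak_success})
    return {
        "sweep_sources": sweep_sources,
        "weak_success": weak_success,
        "accounts_to_rotate": accounts_to_rotate,
    }


def run_sample():
    """Run the analysis over the constructed sample log."""
    return analyze(parse(SAMPLE_LOG))


if __name__ == "__main__":
    report = run_sample()
    print("sweep sources:     ", ", ".join(report["sweep_sources"]))
    for src, user, pw in report["weak_success"]:
        print(f"weak login accepted: user={user} pw={pw} from {src}")
    print("accounts to rotate:", ", ".join(report["accounts_to_rotate"]))
```

The threshold of three attempts is a constructed default; on a real device it would be tuned to the log volume. The useful output is `accounts_to_rotate`: any account in that list is one the article's four default passwords would have opened, and the remediation is to set a non-default password (or disable telnet entirely), which is also what stops the bot from being reacquired after the reset that the article says erases it.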
