[ale] researcher's linux worm infects 400 K + devices by TELNET
Jim Kinney
jim.kinney at gmail.com
Thu Mar 21 15:41:31 EDT 2013
In short: embedded systems MUST be locked down or fully upgradeable.
Basically this guy found a zillion embedded Linux devices and they were all
set up stupidly. Crap like telnet running with a root password of root and
just boneheaded stuff like that.
It's one of the blowbacks from rapid Linux adoption - idiots make devices
with a full OS installed and -WHAM- you've got a root-bot.
Embedded devices are hard to get really right. Probably impossible to get
totally secure. SCADA security woes are based on a zillion embedded Windows
98 and XP devices that run utilities and water treatment plants and
industrial processes. Full of security holes and not fixable without a
hardware refresh (at 4x the cost of the original device).
On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:
> Hi all,
>
> This just came out on the Security Now podcast. I thought I'd pass it
> along. I'll freely admit I don't understand everything discussed.
> However, you guys more up on security stuff will be able to research this
> and act appropriately. I'll explain this the best I can based on what I
> heard on the podcast.
>
> The podcast is entitled Telnet-pocalypse, and he reports on a very serious
> report by an anonymous White Hat researcher about vulnerable devices. I
> have not attempted to verify this information other than what's stated in
> Steve's podcast and in the report cited, but it appears to be legitimate.
>
> http://twit.tv/show/security-now/396
>
> The show just came out yesterday and is not on the GRC website yet.
>
> Reference this page to see the researcher's work, although I wouldn't
> necessarily allow scripting:
>
> http://bit.ly/interscan
> http://internetcensus2012.bitbucket.org/paper.html
>
> This is similar in nature to the UPNP research that was documented
> recently. However, this researcher went further, and exploited the
> vulnerabilities he found, which is blatantly illegal in dozens of ways. As
> I said, all indications are that he was a White Hat, and went to great
> pains to do research without harming the devices that his worm infected.
> Regardless, the report is now public, and the Black Hats will be quick to
> capitalize on this and attack with intent to do harm.
>
> As I understand it, this person created a Linux worm to scan the entire
> IPv4 address space for vulnerabilities where telnet ports (port 23) were
> exposed on the public internet. As an open port was found, the worm would
> log in via telnet using various combinations of no password, admin admin,
> root root, etc. Once it was able to log into the devices found, and in
> many cases had gotten root access to a terminal, the worm would inject its
> binary code into the device found, thus self propagating and adding an
> additional scan engine to his collection. I get the impression that some
> worms were activated in a temporary manner and some may have been more
> permanent. If the devices were routers and printers, etc., the worm might
> not survive a reboot. In any case, he eventually had a botnet that he
> could control with compromised devices that encompassed 420 thousand
> machines.
>
> Let me repeat that, he actually compromised and installed a worm on 420
> THOUSAND machines via TELNET, and published the results.
>
> Now, that's only .01% of all the available IPv4 addresses, but that's not
> much comfort if you're one of the ones that's hacked. As I understand it,
> there are potentially millions more vulnerable machines that he didn't
> attempt to attack for fear of doing real harm, or machines that didn't
> allow code injection. I guess he also made sure his bot self destructed
> after he proved his theories.
>
> So, I suggest listening to the podcast if you're interested,
> reviewing the researcher's published data, and
> checking your internet facing ports to make sure TELNET is not open.
>
> You can use Steve's Shields Up port scanner at grc.com to scan your first
> 1056 external TCP ports, including telnet.
>
> https://www.grc.com/x/ne.dll?bh0bkyd2
>
> If anyone has specific knowledge of this research or the implications,
> please share it. You can bet that the bad guys will be paying close
> attention to this report.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone. I get about 300 emails per day from alternate energy
> mailing lists and such. I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O) Leave a message.
> linuxdude AT techstarship.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>
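A defender-side check in the spirit of the advice above (confirm telnet is not reachable, and notice when a default account is used over it). This is an added example, not code from either poster or from the researcher's report: it runs over constructed syslog-style `login` lines and flags successful root/admin logins that arrived from outside the local network after a run of failed guesses, which is the password-guessing pattern the post describes.

```python
"""Flag telnet logins by default accounts from outside the LAN.

Sample input is constructed (shape of util-linux `login` messages); real
embedded devices log very differently, or not at all. The 203.0.113.x and
198.51.100.x addresses are documentation ranges standing in for public IPs.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample log lines, not taken from the original post.
SAMPLE_LOG = """\
Mar 21 14:02:11 gw login[811]: FAILED LOGIN 1 FROM 203.0.113.5 FOR root, Authentication failure
Mar 21 14:02:12 gw login[811]: FAILED LOGIN 2 FROM 203.0.113.5 FOR admin, Authentication failure
Mar 21 14:02:14 gw login[811]: LOGIN ON pts/0 BY root FROM 203.0.113.5
Mar 21 14:05:40 gw login[902]: LOGIN ON pts/1 BY admin FROM 192.168.1.20
Mar 21 14:07:03 gw login[950]: FAILED LOGIN 1 FROM 198.51.100.9 FOR root, Authentication failure
Mar 21 14:07:05 gw login[950]: LOGIN ON pts/2 BY root FROM 198.51.100.9
"""

FAILED_RE = re.compile(r"FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SUCCESS_RE = re.compile(r"LOGIN ON \S+ BY (\S+) FROM (\S+)")
# Accounts that ship as defaults on the kind of device the report describes.
DEFAULT_ACCOUNTS = {"root", "admin"}
# Anything outside these ranges is treated as coming from the open internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_external(addr: str) -> bool:
    """True when the peer address is not in RFC 1918 or loopback space."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname, not an address: unknown, do not flag
    return not any(ip in net for net in INTERNAL_NETS)

def find_suspicious(log_text: str) -> list:
    """Return (source, user, failures_before_success) for each default-account
    login from an external address; failures are counted per (source, user)."""
    failures = defaultdict(int)
    hits = []
    for line in log_text.splitlines():
        if (m := FAILED_RE.search(line)):
            src, user = m.groups()
            failures[(src, user)] += 1
        elif (m := SUCCESS_RE.search(line)):
            user, src = m.groups()
            if user in DEFAULT_ACCOUNTS and is_external(src):
                hits.append((src, user, failures[(src, user)]))
    return hits

if __name__ == "__main__":
    for src, user, fails in find_suspicious(SAMPLE_LOG):
        print(f"default account {user} logged in from external {src} after {fails} failure(s)")
```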
--
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/