[ale] researcher's linux worm infects 400 K + devices by TELNET

Jim Kinney jim.kinney at gmail.com
Thu Mar 21 15:41:31 EDT 2013


in short: embedded systems MUST be locked down or fully upgradeable.

Basically this guy found a zillion embedded Linux devices and they were all
set up stupidly. Crap like telnet running with a root password of root and
just boneheaded stuff like that.

It's one of the blowbacks from rapid Linux adoption - idiots make devices
with a full OS installed and -WHAM- you've got a root-bot.

Embedded devices are hard to get really right. Probably impossible to get
totally secure. SCADA security woes are based on a zillion embedded Windows
98 and XP devices that run utilities and water treatment plants and
industrial processes. Full of security holes and not fixable without a
hardware refresh (at 4x the cost of the original device).

On Thu, Mar 21, 2013 at 2:56 PM, Ron Frazier (ALE) <
atllinuxenthinfo at techstarship.com> wrote:

> Hi all,
>
> This just came out on the Security Now podcast.  I thought I'd pass it
> along.  I'll freely admit I don't understand everything discussed.
> However, you guys more up on security stuff will be able to research this
> and act appropriately.  I'll explain this the best I can based on what I
> heard on the podcast.
>
> The podcast is entitled Telnet-pocalypse, and he reports on a very serious
> report by an anonymous White Hat researcher about vulnerable devices.  I
> have not attempted to verify this information other than what's stated in
> Steve's podcast and in the report cited, but it appears to be legitimate.
>
> http://twit.tv/show/security-now/396
>
> The show just came out yesterday and is not on the GRC website yet.
>
> Reference this page to see the researcher's work, although I wouldn't
> necessarily allow scripting:
>
> http://bit.ly/interscan
> http://internetcensus2012.bitbucket.org/paper.html
>
> This is similar in nature to the UPNP research that was documented
> recently.  However, this researcher went further, and exploited the
> vulnerabilities he found, which is blatantly illegal in dozens of ways.  As
> I said, all indications are that he was a White Hat, and went to great
> pains to do research without harming the devices that his worm infected.
> Regardless, the report is now public, and the Black Hats will be quick to
> capitalize on this and attack with intent to do harm.
>
> As I understand it, this person created a linux worm to scan the entire
> ipv4 address space for vulnerabilities where telnet ports (port 23) were
> exposed on the public internet.  As an open port was found, the worm would
> login via telnet using various combinations of no password, admin admin,
> root root, etc.  Once it was able to log into the devices found, and in
> many cases had gotten root access to a terminal, the worm would inject its
> binary code into the device found, thus self propagating and adding an
> additional scan engine to his collection.  I get the impression that some
> worms were activated in a temporary manner and some may have been more
> permanent.  If the devices were routers and printers, etc., the worm might
> not survive a reboot.  In any case, he eventually had a botnet that he
> could control with compromised devices that encompassed 420 thousand
> machines.
>
> Let me repeat that, he actually compromised and installed a worm on 420
> THOUSAND machines via TELNET, and published the results.
>
> Now, that's only .01% of all the available ip4 addresses, but that's not
> much comfort if you're one of the ones that's hacked.  As I understand it,
> there are potentially millions more vulnerable machines that he didn't
> attempt to attack for fear of doing real harm, or machines that didn't
> allow code injection.  I guess he also made sure his bot self destructed
> after he proved his theories.
>
> So, I suggest listening to the podcast if you're interested and,
> reviewing the researcher's published data and,
> checking your internet facing ports to make sure TELNET is not open.
>
> You can use Steve's Shields Up port scanner at grc.com to scan your first
> 1056 external TCP ports, including telnet.
>
> https://www.grc.com/x/ne.dll?bh0bkyd2
>
> If anyone has specific knowledge of this research or the implications,
> please share it.  You can bet that the bad guys will be paying close
> attention to this report.
>
> Sincerely,
>
> Ron
>
> --
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very
> quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
>



-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://electjimkinney.org
http://heretothereideas.blogspot.com/
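The telnet credential-guessing behaviour described in the quoted message (a burst of default-password attempts from one source, then a root login) leaves a clear trace in a device's own login log. The block below is an added example, not code from this thread, the podcast or the researcher's report: it assumes a syslog-style `login` message format and a default-account list that are constructed here for illustration, and flags both the guessing burst and any successful login to a factory-default account.

```python
# Added example: flag telnet credential guessing and default-account logins.
# Log format, sample lines and account list are constructed (loosely modelled
# on Linux `login` syslog messages); none of it comes from the report.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Mar 21 14:56:01 cam01 login[201]: FAILED LOGIN from 203.0.113.7 for admin
Mar 21 14:56:02 cam01 login[201]: FAILED LOGIN from 203.0.113.7 for root
Mar 21 14:56:03 cam01 login[201]: FAILED LOGIN from 203.0.113.7 for support
Mar 21 14:56:04 cam01 login[201]: LOGIN on pts/0 from 203.0.113.7 by root
Mar 21 15:10:30 cam01 login[233]: LOGIN on pts/0 from 192.0.2.10 by operator
Mar 21 15:11:00 cam01 login[240]: FAILED LOGIN from 198.51.100.4 for root
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ login\[\d+\]: "
    r"(?P<result>FAILED LOGIN|LOGIN)(?: on \S+)? from (?P<src>\S+) "
    r"(?:for|by) (?P<user>\S+)$")
DEFAULT_ACCOUNTS = {"root", "admin", "support", "user", "guest"}  # assumed
FAIL_THRESHOLD = 3              # failures from one source ...
WINDOW = timedelta(seconds=60)  # ... within this window => credential spray

def parse(line, year=2013):
    # Return a dict for a recognised login line, None for anything else.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "ok": m["result"] == "LOGIN",
            "src": m["src"], "user": m["user"]}

def find_alerts(log_text):
    """('spray', src) once a source reaches FAIL_THRESHOLD failures inside
    WINDOW; ('default_login', src, user) per successful default-account login."""
    fails = defaultdict(list)  # src -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        recent = [t for t in fails[ev["src"]] if ev["ts"] - t <= WINDOW]
        if not ev["ok"]:
            recent.append(ev["ts"])
            if len(recent) == FAIL_THRESHOLD:
                alerts.append(("spray", ev["src"]))
        elif ev["user"] in DEFAULT_ACCOUNTS:
            alerts.append(("default_login", ev["src"], ev["user"]))
        fails[ev["src"]] = recent
    return alerts
```

On the constructed sample this reports a spray from 203.0.113.7 followed by a default-account login from the same source; the later single failure from 198.51.100.4 stays below the threshold.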