[ale] researcher's linux worm infects 400 K + devices by TELNET

Ron Frazier (ALE) atllinuxenthinfo at techstarship.com
Thu Mar 21 14:56:05 EDT 2013 

Hi all,

This just came out on the Security Now podcast.  I thought I'd pass it 
along.  I'll freely admit I don't understand everything discussed.  
However, you guys more up on security stuff will be able to research 
this and act appropriately.  I'll explain this the best I can based on 
what I heard on the podcast.

The podcast is entitled Telnet-pocalypse, and he reports on a very 
serious report by an anonymous White Hat researcher about vulnerable 
devices.  I have not attempted to verify this information other than 
what's stated in Steve's podcast and in the report cited, but it appears 
to be legitimate.

http://twit.tv/show/security-now/396

The show just came out yesterday and is not on the GRC website yet.

Reference this page to see the researcher's work, although I wouldn't 
necessarily allow scripting:

http://bit.ly/interscan
http://internetcensus2012.bitbucket.org/paper.html

This is similar in nature to the UPNP research that was documented 
recently.  However, this researcher went further, and exploited the 
vulnerabilities he found, which is blatantly illegal in dozens of ways.  
As I said, all indications are that he was a White Hat, and went to 
great pains to do research without harming the devices that his worm 
infected.  Regardless, the report is now public, and the Black Hat's 
will be quick to capitalize on this and attack with intent to do harm.

As I understand it, this person created a linux worm to scan the entire 
ipv4 address space for vulnerabilities where telnet ports (port 23) were 
exposed on the public internet.  As an open port was found, the worm 
would login via telnet using various combinations of no password, admin 
admin, root root, etc.  Once it was able to log into the devices found, 
and in many cases had gotten root access to a terminal, the worm would 
inject it's binary code into the device found, thus self propagating and 
adding an additional scan engine to his collection.  I get the 
impression that some worms were activated in a temporary manner and some 
may have been more permanent.  If the devices were routers and printers, 
etc., the worm might not survive a reboot.  In any case, he eventually 
had a botnet that he could control with compromised devices that 
encompassed 420 thousand machines.

Let me repeat that, he actually compromised and installed a worm on 420 
THOUSAND machines via TELNET, and published the results.

Now, that's only .01% of all the available ip4 addresses, but that's not 
much comfort if you're one of the ones that's hacked.  As I understand 
it, there are potentially millions more vulnerable machines that he 
didn't attempt to attack for fear of doing real harm, or machines that 
didn't allow code injection.  I guess he also made sure his bot self 
destructed after he proved his theories.

So, I suggest listening to the podcast if you're interested and,
reviewing the researcher's published data and,
checking your internet facing ports to make sure TELNET is not open.

You can use Steve's Shields Up port scanner at grc.com to scan your 
first 1056 external TCP ports, including telnet.

https://www.grc.com/x/ne.dll?bh0bkyd2

If anyone has specific knowledge of this research or the implications, 
please share it.  You can bet that the bad guys will be paying close 
attention to this report.

Sincerely,

Ron

-- 

(PS - If you email me and don't get a quick response, you might want to
call on the phone.  I get about 300 emails per day from alternate energy
mailing lists and such.  I don't always see new email messages very quickly.)

Ron Frazier
770-205-9422 (O)   Leave a message.
linuxdude AT techstarship.com

More information about the Ale mailing list