Carna Botnet Exploit Unmasked, Researcher Reveals Details

After more than a million devices were exploited with the Carna Botnet, one information security analyst found out more details about what happened.


In March, an anonymous researcher published a report dubbed the Internet Census, which was conducted by exploiting more than a million embedded devices with the Carna Botnet. Full details from that same anonymous researcher on the devices that were exploited had not publicly been revealed—until now.

Parth Shukla, information security analyst in the Operations Centre at the Australian Computer Emergency Response Team (AusCert), is set to publicly discuss the previously unknown Internet Census findings this week at the Black Hat Regional Summit in Sao Paulo, Brazil. In an interview with eWEEK, Shukla explained how he got hold of the details from the anonymous researcher and what the data actually shows.

When Shukla first heard about the Internet Census data publication, he wondered if the researcher in fact had more data available, he told eWEEK. So he contacted the researcher by way of the public key that researcher had signed the research with. Shukla said the anonymous researcher told him that no one else had bothered to contact him to see if there was more data available. It turns out there was more data available, and it was all sent to Shukla.

Legal issues did come up. The Internet Census Carna Botnet data was illegally obtained as the anonymous researcher infected machines around the world without permission. Shukla said, however, that he had multiple discussions with his organization's legal department about the data. In the final analysis, AusCert's legal team said that Shukla had not asked the anonymous researcher to conduct the illegal research and, as such, was not a party to the crime.

"There are, of course, ethical considerations about using data that was clearly violating the rights of so many people's devices," Shukla said. "My view is that since I was the only one with the data, it is imperative for me to do something to spread the message, that what the data reveals is a very serious security concern."

The Internet Census data was obtained by the anonymous researcher by way of hacking telnet services on devices and then infecting the devices to become part of the Carna Botnet. Security-conscious IT administrators generally avoid Telnet; the remote-access technology has been revealed to be insecure since it does not encrypt data.

"You expect some devices on the Internet to be exposed to Telnet, but you don't expect there to be 1.3 million devices," Shukla said. "That's what the data shows, and it's kind of mind-blowing."

Shukla's analysis of the 1.3 million vulnerable devices revealed that it's not consumers or enterprises that are necessarily at fault, but he puts the blame on the device manufacturers. The data shows 2,100 different manufacturers for the devices scanned by the Internet Census.

The top-10 device manufacturers in the study, by volume, are building devices that are insecure, by default, when users plug the devices into the Internet, Shukla said. "Certain vendors have made their device firmware more vulnerable by having default log-in information and telnet on by default," he said.

Default log-ins on telnet, enable any attacker that is scanning the Internet to potentially identify open telnet ports and then log in to vulnerable devices. Shukla said that he can't understand why any device manufacturer would put telnet on a device with default credentials. In his view, there is no such business requirement for any devices that are currently shipping.

Looking deeper into the data, Shukla said that most of the devices in the study are embedded devices with less than 256MB of system memory.

While an obvious best practice for all IT users is not to run Telnet, Shukla said that it can often be difficult to detect if a device is vulnerable.

One of the first things that the Carna Botnet does is it closes Port 22 on the device, which is the port that is typically used by Telnet. As such, users can't just probe a device looking for an open Port 22, and need to do a very robust and thorough scan.

Overall, while users should be more vigilant, device manufacturers should improve security, Shukla said.

"As an industry, the bigger challenge is getting manufacturers to build devices that are more secure by default," Shukla said.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.