The Internet research botnet - NZNOG - lists.nznog.org

newer
iconz ipv6?

The Internet research botnet

older
Videos from NZNOG 2013

Juha Saarinen

20 Mar 2013 20 Mar '13

3:20 a.m.

A friend sent a link this morning to what appeared to be the usual dry research stuff but as the coffee kicked in, my jaw dropped. Here's the story I wrote: http://www.itnews.com.au/News/337259,researcher-builds-enormous-global-botne... There was an earlier mass-compromise of DSL routers in Brazil: http://www.itnews.com.au/News/317529,millions-of-dsl-modems-hacked-in-brazil... Would I be right in assuming that the vulnerable devices situation is similar in NZ and Australia? Hei konā mai, -- Juha Saarinen AITTP Twitter: juhasaarinen http://juha.saarinen.org

Reply

Sign in to reply online Use email software

Show replies by date

Volker Kuhlmann

21 Mar 21 Mar

2:25 a.m.

On Thu 21 Mar 2013 10:20:31 NZDT +1300, Juha Saarinen wrote:

Would I be right in assuming that the vulnerable devices situation is similar in NZ and Australia?

That would appear to be an empty question to which we all knew the answer even before D-Link so impressively demonstrated earlier this year that they just couldn't care less about making their rubbish functional. The same researcher said the other manufacturers aren't all that different. Personally I rank all that gear in the same category of clunky... Recent conference reports sound like teleconferencing equipment is in the same category too. Pity all the users who don't or can't know any better. Volker -- Volker Kuhlmann is list0570 with the domain in header. http://volker.dnsalias.net/ Please do not CC list postings to me.

Reply

Sign in to reply online Use email software

David Robinson

3:54 a.m.

Well malware writers will look at this and start to exploit it. When that scales up with hosting malware, C&C, launching DDoS, etc the manufacturers will have to start taking notice though we are most probably talking years and new devices only, seeing updates are far and few between once they release a couple at the start to fix bugs. On 22 March 2013 09:25, Volker Kuhlmann wrote:

On Thu 21 Mar 2013 10:20:31 NZDT +1300, Juha Saarinen wrote:

...
Would I be right in assuming that the vulnerable devices situation is similar in NZ and Australia?

That would appear to be an empty question to which we all knew the answer even before D-Link so impressively demonstrated earlier this year that they just couldn't care less about making their rubbish functional. The same researcher said the other manufacturers aren't all that different. Personally I rank all that gear in the same category of clunky...

Recent conference reports sound like teleconferencing equipment is in the same category too.

Pity all the users who don't or can't know any better.

Volker

-- Volker Kuhlmann is list0570 with the domain in header. http://volker.dnsalias.net/ Please do not CC list postings to me. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

TreeNet Admin

23 Mar 23 Mar

8:10 p.m.

On 22/03/2013 10:54 a.m., David Robinson wrote:

Well malware writers will look at this and start to exploit it. When that scales up with hosting malware, C&C, launching DDoS, etc the manufacturers will have to start taking notice though we are most probably talking years and new devices only, seeing updates are far and few between once they release a couple at the start to fix bugs.

You obviously missed the part where the researcher discovered he was competing with botnets and had to actually begin active warfare against them by "fixing" the boxes to get the project to work. AYJ

On 22 March 2013 09:25, Volker Kuhlmann wrote:

...
On Thu 21 Mar 2013 10:20:31 NZDT +1300, Juha Saarinen wrote:

...
Would I be right in assuming that the vulnerable devices situation is similar in NZ and Australia? That would appear to be an empty question to which we all knew the answer even before D-Link so impressively demonstrated earlier this year that they just couldn't care less about making their rubbish functional. The same researcher said the other manufacturers aren't all that different. Personally I rank all that gear in the same category of clunky...

Recent conference reports sound like teleconferencing equipment is in the same category too.

Pity all the users who don't or can't know any better.

Volker

-- Volker Kuhlmann is list0570 with the domain in header. http://volker.dnsalias.net/ Please do not CC list postings to me. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Jay Daley

24 Mar 24 Mar

2:26 a.m.

On 25/03/2013, at 3:10 AM, TreeNet Admin wrote:

On 22/03/2013 10:54 a.m., David Robinson wrote:

...
Well malware writers will look at this and start to exploit it. When that scales up with hosting malware, C&C, launching DDoS, etc the manufacturers will have to start taking notice though we are most probably talking years and new devices only, seeing updates are far and few between once they release a couple at the start to fix bugs.

You obviously missed the part where the researcher discovered he was competing with botnets and had to actually begin active warfare against them by "fixing" the boxes to get the project to work.

I would be interested to know how this researcher's effort does not also classify as a botnet? cheers Jay

AYJ

...
On 22 March 2013 09:25, Volker Kuhlmann wrote:

...
On Thu 21 Mar 2013 10:20:31 NZDT +1300, Juha Saarinen wrote:

...
Would I be right in assuming that the vulnerable devices situation is similar in NZ and Australia? That would appear to be an empty question to which we all knew the answer even before D-Link so impressively demonstrated earlier this year that they just couldn't care less about making their rubbish functional. The same researcher said the other manufacturers aren't all that different. Personally I rank all that gear in the same category of clunky...

Recent conference reports sound like teleconferencing equipment is in the same category too.

Pity all the users who don't or can't know any better.

Volker

-- Volker Kuhlmann is list0570 with the domain in header. http://volker.dnsalias.net/ Please do not CC list postings to me. _______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

_______________________________________________ NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

-- Jay Daley Chief Executive .nz Registry Services (New Zealand Domain Name Registry Limited) desk: +64 4 931 6977 mobile: +64 21 678840 linkedin: www.linkedin.com/in/jaydaley

Reply

Sign in to reply online Use email software

Dean Pemberton

2:58 a.m.

I think thats the point... it does. On Mon, Mar 25, 2013 at 9:26 AM, Jay Daley wrote:

I would be interested to know how this researcher's effort does not also classify as a botnet?

Reply

Sign in to reply online Use email software

bmanning＠vacation.karoshi.com

3 a.m.

"are YOU a goodbot or a BADbot?" - Glinda On Mon, Mar 25, 2013 at 09:58:24AM +1300, Dean Pemberton wrote:

I think thats the point... it does.

On Mon, Mar 25, 2013 at 9:26 AM, Jay Daley wrote:

...
I would be interested to know how this researcher's effort does not also classify as a botnet?

NZNOG mailing list NZNOG(a)list.waikato.ac.nz http://list.waikato.ac.nz/mailman/listinfo/nznog

Reply

Sign in to reply online Use email software

Juha Saarinen

3:03 a.m.

On 25/03/2013 9:58 a.m., Dean Pemberton wrote:

I think thats the point... it does. Indeed. The research says it is, for instance here:

"Since our botnet targets many more clients, it is no problem to scan for devices that change their IP address every twenty four hours. Many devices reboot every few days so it is necessary to constantly scan on Port 23 (Telnet) to find restarted devices and re-upload our binary for the botnet to remain active." Hei konā mai, -- Juha Saarinen AITTP Twitter: juhasaarinen http://juha.saarinen.org

Reply

Sign in to reply online Use email software

4291

Age (days ago)

4295

Last active (days ago)

Download

7 comments

7 participants

tags

participants (7)

bmanning＠vacation.karoshi.com
David Robinson
Dean Pemberton
Jay Daley
Juha Saarinen
TreeNet Admin
Volker Kuhlmann