
The Carna Botnet, Circa 2012

At C0MPLÉX1 we live and breathe internet marketing, security, and SEO. We always learn from the past and evolve with the ever-changing online landscape. We find the story of the Carna botnet to be a fascinating example of the power and fragility of the internet. Here is the story of the Carna botnet: 

Since the internet became publicly available, we have made great strides in security improvements. That being said, we remain vulnerable to many of the same basic threats. One of the oldest and most prevalent security weaknesses is our passwords. Using easily guessed or default passwords leaves people and businesses open to attacks by hackers.

In 2012, a security researcher wanted to test the security of internet-connected devices by scanning for systems that accepted telnet logins with default passwords like "admin". Telnet is an older, unencrypted protocol for logging in to a system remotely. At the time there were roughly 3.6 billion IP addresses, so scanning them using only his own computer would have taken years. To speed up the process, the researcher wrote a program that copied itself onto each system it was able to access and continued the scan from there. This became the Carna botnet.

The Carna botnet was able to find 1.2 million devices using basic passwords and implanted itself in 420 thousand hosts. Accessing systems without permission is illegal and can carry stiff penalties. Because of this, the security researcher has stayed anonymous to this day. Fortunately, there was no malicious intent, and the researcher just wanted to collect data about computers around the world.

Since the internet is always changing, the researcher knew that just taking a snapshot of data wouldn’t give the full picture. They continually ran scans over 6 weeks, after which they shut down the Carna botnet and removed their program from all of the systems. With the data, they created an animated world map that showed usage location and density hour-by-hour.

This map got a lot of attention around the world but didn’t prompt any action by most governments. With no way to find out the identity of the researcher, the matter may have been ignored. However, a new employee at the Australian Computer Emergency Response Team (AusCERT) attempted to contact the creator of the Carna botnet. He emailed asking for the list of IP addresses for Australia. He was surprised to get a response, and even more surprised when he received data for the entire world.

This young security engineer, Parth Shukla, spent the next year and a half analyzing the data. IP addresses can be tracked by the different ranges designated to each country and location. He used this information to determine which countries were most vulnerable and which manufacturers were supplying unsecured products. He also calculated the average time it would take to find an unsecured system.

With this information, Shukla started contacting other CERT teams and the manufacturers of the unsecured devices. The response he got was less than ideal. The other CERT teams seemed indifferent, and most of the manufacturers ignored him altogether. He found that manufacturers wanted to avoid any negative PR and blame. In an attempt to bring about some change, he started reaching out to people at the engineering level to try to improve future products.

Unfortunately, this is still a pervasive problem. Many of these botnets are likely running today, searching for unsecured systems. While it is true that most people now know the importance of proper internet security, there is still a long way to go.
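The pattern Carna relied on, a telnet login succeeding with a factory account such as "admin" after a few guesses, is something a device owner can spot in their own logs. The following detector is an added example written for this post, not code from the original article or from the Carna researcher; the log lines are constructed in the style of util-linux `login` syslog messages, and the list of default account names is an assumption.

```python
import re
from datetime import datetime
from collections import defaultdict

# Constructed sample log lines (not from the original post), in the style of
# util-linux `login` syslog output on an embedded device with telnet exposed.
SAMPLE_LOG = """\
Mar 12 03:14:01 cam01 login[812]: FAILED LOGIN 1 FROM 203.0.113.7 FOR admin, Authentication failure
Mar 12 03:14:03 cam01 login[812]: FAILED LOGIN 2 FROM 203.0.113.7 FOR root, Authentication failure
Mar 12 03:14:05 cam01 login[812]: LOGIN ON pts/0 BY admin FROM 203.0.113.7
Mar 12 03:20:11 cam01 login[901]: LOGIN ON pts/1 BY operator FROM 192.0.2.10
Mar 12 03:25:00 cam01 login[950]: FAILED LOGIN 1 FROM 198.51.100.4 FOR admin, Authentication failure
"""

# Factory/default account names that should never log in over telnet (assumed list).
DEFAULT_ACCOUNTS = {"admin", "root", "user", "guest", "support"}

FAILED = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ login\[\d+\]: FAILED LOGIN \d+ FROM (\S+) FOR (\S+),")
SUCCESS = re.compile(r"^(\w{3} +\d+ [\d:]+) \S+ login\[\d+\]: LOGIN ON \S+ BY (\S+) FROM (\S+)$")

def _ts(text):
    # Syslog timestamps carry no year; the default year (1900) is enough for ordering.
    return datetime.strptime(text, "%b %d %H:%M:%S")

def find_default_credential_logins(log_text, window_seconds=300):
    """Flag successful logins by a default account, and successful logins that
    follow failed attempts from the same source within the window (guessing)."""
    failures = defaultdict(list)  # source address -> timestamps of failed attempts
    findings = []
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            failures[m.group(2)].append(_ts(m.group(1)))
            continue
        m = SUCCESS.match(line)
        if not m:
            continue
        when, user, src = _ts(m.group(1)), m.group(2), m.group(3)
        reasons = []
        if user in DEFAULT_ACCOUNTS:
            reasons.append("default account")
        prior = [t for t in failures[src] if 0 <= (when - t).total_seconds() <= window_seconds]
        if prior:
            reasons.append(f"{len(prior)} failed attempts before success")
        if reasons:
            findings.append({"time": m.group(1), "user": user, "source": src, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for finding in find_default_credential_logins(SAMPLE_LOG):
        print(finding)
```

On the sample above only the "admin" login from 203.0.113.7 is flagged; the "operator" login has no prior failures and is not a default account, and the lone failure from 198.51.100.4 never succeeded.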

If you want to improve your current level of security or just want to make sure you stay secure, contact C0MPLÉX1 for more information. We can help you protect your website and offer reputation monitoring and management services for business and executives. The information in this post was obtained from a podcast. If you would like to hear the full episode, it is available from Darknet Diaries here.