
Prosumware: Malware for the Insecure

Prosumware

The term prosumware is derived from the Latin word “prosum”, meaning “to be useful, do good, benefit”. Prosumware runs on a user’s device without the owner’s authorization and so is, by definition, a form of malware. Its goal, however, is the direct opposite of typical malware’s: to strengthen the infected system’s defenses by removing harmful malware and/or checking for security flaws. It is also common for the device’s owner to be notified of the vulnerabilities found and of the changes made to protect the device. Good intentions do not change what it is: unauthorized code making unauthorized changes on someone else’s hardware, with all the risk of collateral damage that implies.

The 2015 reports of a worm variously named Linux.Wifatch, Ifwatch, or Reincarna took the news world by storm, with the press aptly dubbing it the “vigilante virus”.

However, the origins of prosumware began years before this newest resurgence.

The first recorded prosumware and the last mass scanning of the IPv4 internet

Origin… it all begins with a readme file…


“Hello,
Your router had a very simple or no telnet password at all.
We temporary (sic) use it for a non-profit research project to map the internet, all research results will be made public.
We have no intent to damage your device or harm your privacy in any way.
In case you have any questions, feel free to contact us.
Router Research Project”

And so the first recorded case of prosumware is brought to light.

As the prosumware’s author promised, all the results were made public at http://internetcensus2012.bitbucket.org/paper.html, and the data has since also been uploaded to the Internet Archive. The Internet Archive upload is of great importance because it keeps the gathered data accessible even if the data at the original link is ever removed.

What shall we call it?

Carna… the first recorded prosumware’s name is Carna.

Below is an excerpt from the author’s research.

“Since it seems to be somewhat of a tradition to name bots after Roman or Greek divinities we chose “Carna” as the name for our bot. Carna was the Roman goddess for the protection of inner organs and health and was later confused with the goddess of doorsteps and hinges. This name seems like a good choice for a bot that runs mostly on embedded routers.”

The first widespread discussion of the Carna worm comes from an ESET presentation by Peter Košinár, Secret Life of Routers. As the readme message indicates, an email address was provided, and Košinár was the first to contact the author about the worm.

A few astonishing facts from the Carna research project

“Within one day our binary was deployed to around one hundred thousand devices – enough for our research purposes.”

“It took six months to work out the scanning strategy, develop the backend and setup the infrastructure.
The binary on the router was written in plain C. It was compiled for 9 different architectures using the OpenWRT Buildroot. In its latest and largest version this binary was between 46 and 60 kb in size depending on the target architecture.” The project’s earliest published data is from March 2012, and the idea for the research dates back to 2010.

I’m going to preface this next part by saying the project reached 420,000 internet-facing devices. Let that sink in for a moment. To put that in perspective, the population of New York City in 2014 was 8,491,079 (link to NYC census). If the Carna worm were a biological pathogen, roughly 1 in every 20 people in NYC would be infected… and that counts only devices directly facing the internet, not anything behind them on the LAN (Local Area Network). Now pay particularly close attention to the last sentence, which says what fraction of all unprotected devices those 420,000 were.

“We decided to completely ignore all traffic going through the devices and everything behind the routers. This implies no arp, dhcp statistics, no monitoring or counting of traffic, no port scanning of LAN devices and no playing around with all the fun things that might be waiting in the local networks… We used a strict set of rules to identify the target devices’ CPU and RAM to ensure our binary was only deployed to systems where it was known to work. We also excluded all smaller groups of devices since we did not want to interfere with industrial controls or mission critical hardware in any way. Our binary ran on approximately 420 thousand devices. These are only about 25 percent of all unprotected devices found.”

Wow. If 420,000 is only 25 percent, that is roughly 1.7 million unprotected devices, which brings our NYC statistic to 1 in every 5 people infected…

[Image: Carna 2012 Botnet Infection]
Figure 1: Carna Botnet client distribution March to December 2012, ~420K clients (the image above and all further images in this post were reproduced from the Internet Census research page, excluding the featured image, which I created in GIMP).

“We were able to use ifconfig to get the MAC address on most devices. We collected these MAC addresses for some time and identified about 1.2 million unique unprotected devices. This number does not include devices that do not have ifconfig.”

A classic botnet requires one or more command and control (C&C) servers, however “In our scenario this server is not necessary because all devices are reachable directly from the Internet. Therefore we could open a port that provided our own secure login method and a command interface to the bot. Our infrastructure still needs a central server to keep track of and connect to the clients, but it can stay behind NAT and is not reachable from the Internet.” In layman’s terms: the bots never called home. Because every infected router had a public IP address, each bot simply listened on a port of its own with its own login method, and the project’s server, which could sit behind NAT where nobody on the internet could reach it, connected out to each bot to issue commands. This is not a peer-to-peer botnet (the bots did not talk to one another); it is a controller that reaches the bots directly. It also means the only outward sign of infection was an extra listening port on the router.

Anything in parenthetical citations in the next two paragraphs is information I’ve included for background knowledge. “After development of most of the code we began debugging our infrastructure. We used a few thousand devices randomly chosen for this purpose. We noticed at this time that one of the machines already had an unknown binary in the /tmp directory that looked suspicious. A simple strings command used on that binary revealed contents like synflood, ackflood, etc., the usual abuse stuff one would find in malicious botnet binaries (synflood and ackflood are typically used to perform Distributed Denial of Service {DDoS} attacks in order to disrupt a business or organization’s activities). We quickly discovered that this was a bot called Aidra, published only a few days before.

Aidra is a classic bot that needs an IRC C&C server. With over 250 KB its binary is quite large and requires wget on the target machines. Apparently its author only built it for a few platforms, so a majority of our target devices could not be infected with Aidra. Since Aidra was clearly made for malicious actions and we could actually see their Internet scale deployment at that moment, we decided to let our bot stop telnet after deployment and applied the same iptable rules Aidra does, if iptables was (sic) available. This step was required to block Aidra from exploiting these machines for malicious activity. Since we did not change anything permanently, restarting the device undid these changes. We figured that the collateral damage as a result of this action would be far less than Aidra exploiting these devices.” (Aidra was one of the first bots to be mass-replicated by multiple authors, because its source code was freely available under an MIT license.)
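The triage step the paper describes (running strings on an unknown binary in /tmp and spotting synflood and ackflood) takes seconds on a router, and is worth having as a script. The one below is an added example, not code from the Carna paper: it emulates strings(1) with POSIX tools, because binutils is usually absent on embedded devices, and flags the indicator strings the paper names. The indicator list and the sample file it builds are assumptions for illustration, not a real Aidra sample.

```shell
#!/bin/sh
# Added example (not from the Carna paper): pull printable strings out of a
# suspicious binary and look for DDoS-flood / IRC-bot indicators, using only
# POSIX tools so it also works on a BusyBox router without binutils.

# synflood and ackflood are the strings the paper reports seeing in Aidra;
# the rest of the list is an assumption, extend it for your own investigations.
FLOOD_INDICATORS='synflood|ackflood|udpflood|PRIVMSG'

# Emulate strings(1): turn every non-printable byte into a newline and keep
# runs of four or more printable characters.
extract_strings() {
    tr -c '[:print:]' '\n' < "$1" | grep -E '.{4,}'
}

# Print the indicator strings found in a file; exit status 0 if any matched,
# 1 if the file looked clean.
triage_binary() {
    extract_strings "$1" | grep -E "$FLOOD_INDICATORS"
}

# Write a constructed stand-in for a bot binary (not a real sample): a few
# control bytes with the tell-tale strings embedded, plus a short "xyz" that
# must be dropped because it is under four characters.
make_sample() {
    printf '\001ELF\001\001synflood\001\002ackflood\001xyz\001PRIVMSG #chan\001' > "$1"
}

# Stand-alone run against the constructed sample. On a real device you would
# point triage_binary at the unknown file, e.g. triage_binary /tmp/suspicious.
SAMPLE="${TMPDIR:-/tmp}/carna_triage_sample.$$"
make_sample "$SAMPLE"
if triage_binary "$SAMPLE" > /dev/null; then
    echo "suspicious: flood/IRC strings found in $SAMPLE"
else
    echo "no flood indicators in $SAMPLE"
fi
rm -f "$SAMPLE"
```

Indicator strings are a quick first pass, not proof: a packed or stripped binary will show nothing useful, and a legitimate tool can mention "synflood" too. Treat a hit as a reason to pull the file off the device and look closer.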

Some details noted in Peter Košinár’s presentation, Secret Life of Routers, but not included in the research paper indicate that the Carna worm ran its own service on port 210 (a port no common service uses) and blocked external connections to ports 23 (Telnet) and 80 (HTTP). That closed the same door the worm had come in through, from the internet side, while still allowing telnet and web access from inside the network. As the paper notes, none of this was persistent: a reboot reopened the ports.
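As an added example, not the Carna binary’s own code, here is what the two checks described above look like as a shell script on a Linux router: first find which of the ports Carna closed are actually listening on a non-loopback address, by reading /proc/net/tcp, then print the kind of non-persistent iptables rules that drop new WAN-side connections to those ports while leaving LAN clients alone. The WAN interface name eth0.1 and the /proc/net/tcp excerpt the script builds for its own run are assumptions.

```shell
#!/bin/sh
# Added example (not from the Carna paper or binary): check a Linux router for
# internet-exposed telnet/HTTP listeners and emit the matching iptables rules.

# Ports the text says Carna closed to the outside: 23 (telnet) and 80 (HTTP).
EXPOSED_PORTS='23 80'

# List TCP ports in LISTEN state (st == 0A) from a /proc/net/tcp-format file,
# skipping sockets bound to 127.0.0.1 (0100007F), which the WAN cannot reach.
# The hex port is converted with shell arithmetic, so no gawk extension is needed.
listening_ports() {
    awk 'NR > 1 && $4 == "0A" && $2 !~ /^0100007F:/ { split($2, a, ":"); print a[2] }' \
        "${1:-/proc/net/tcp}" |
    while read -r hex; do echo $((0x$hex)); done | sort -n -u
}

# Print the subset of EXPOSED_PORTS that are actually listening.
exposed_services() {
    for p in $(listening_ports "$1"); do
        for e in $EXPOSED_PORTS; do
            if [ "$p" -eq "$e" ]; then echo "$p"; fi
        done
    done
}

# Emit rules that drop NEW connections to each port when they arrive on the
# WAN interface only; established sessions and LAN clients are untouched.
# Older routers without the conntrack match may need `-m state --state NEW`.
# To undo, replace -I with -D; a reboot also discards them, as with Carna.
lan_only_rules() {
    wan_if="$1"; shift
    for port in "$@"; do
        echo "iptables -I INPUT -i $wan_if -p tcp --dport $port -m conntrack --ctstate NEW -j DROP"
    done
}

# Constructed /proc/net/tcp excerpt (not captured from a real device): telnet
# and HTTP listening on all addresses, DNS on loopback only, and one
# established telnet session that must not count as a listener.
sample_proc_net_tcp() {
    cat > "$1" <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1 0000000000000000 100 0 0 10 0
   3: 0200A8C0:0017 0100A8C0:D431 01 00000000:00000000 00:00000000 00000000     0        0 1004 1 0000000000000000 20 4 30 10 -1
EOF
}

# Stand-alone run against the constructed sample. On a real router call
# `exposed_services` with no argument to read the live /proc/net/tcp, and
# pipe the printed rules to sh once you have reviewed them.
SAMPLE="${TMPDIR:-/tmp}/proc_net_tcp_sample.$$"
sample_proc_net_tcp "$SAMPLE"
open=$(exposed_services "$SAMPLE")
if [ -n "$open" ]; then
    echo "exposed services: $open"
    lan_only_rules eth0.1 $open    # eth0.1 is an assumed WAN interface name; $open is split on purpose
else
    echo "no exposed telnet/HTTP listeners"
fi
rm -f "$SAMPLE"
```

The script only prints rules; applying them is deliberately a separate step, because a wrong interface name here locks you out of the router just as effectively as it locks out an attacker. Check which interface carries the WAN address with `ip addr` before piping the output to sh.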

So how big WAS the internet at the end of 2012?

[Image: Carna size of the internet]
“So, how big is the Internet?
That depends on how you count. 420 Million pingable IPs + 36 Million more that had one or more ports open, making 450 Million that were definitely in use and reachable from the rest of the Internet. 141 Million IPs were firewalled, so they could count as “in use”. Together this would be 591 Million used IPs. 729 Million more IPs just had reverse DNS records. If you added those, it would make for a total of 1.3 Billion used IP addresses. The other 2.3 Billion addresses showed no sign of usage.”

In closing on the first prosumware botnet, I cannot recommend highly enough that everyone read the published research results for themselves. In the author’s parting words: “The binary stops itself after some time and most of the deployed versions have already done that by now. All of our initial goals as well as some extras like traceroute were achieved, we have completed, to our knowledge, the largest and most comprehensive IPv4 census ever. With a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.”

The end of Carna and emergence of Reincarna

Carna was shut down at the conclusion of the research project. The second widespread prosumware worm, dubbed “Reincarna”, was built on the Carna prosumware and shares many of its properties. The story continues in Prosumware: Malware for the Insecure Part 2.

If you enjoyed this article you might also enjoy Why you don’t need to pay for antivirus software.

As always, if you enjoyed the content of the article or learned something useful; consider using some Bitcoin/Litecoin.
