Flattr this!

Analyst in Information Security Parth Shukla at the conference AusCERT prepared an interesting presentation dedicated to botnet Carna. Recall that it was through this global botnet that the largest scan of the Internet was carried out for research purposes – Internet Census 2012.


For ten months of 2012, all IP-addresses in the address space of IPv4 were scanned, in which there are more than 420,000 vulnerable devices that are operated in power saving mode. Scanning included newsletter service packages for all popular port numbers, ICMP-ping, reverse lookup DNS (host name query by IP-address) and request SYN (connection request via TCP). The scan results are published in the public domain: 9 terabytes of logs.

For the above presentations from the botnet Crana data was extracted directly from the author of the anonymous hacker base of 1.2 million vulnerable devices on the Internet, 30% of which in his time were included in Carna botnet and used to make a global scan.

Each of the 1.2 million devices meet the following criteria:

Directly accessible via the Internet.
Telnet is working with the default port of 23, without a firewall.
Allows access through standard username / password: admin: admin, admin: password, root: password, etc.
In 420 thousand bots are only those of the devices that meet the minimum requirements for RAM and CPU load and allow arbitrary binary code.

The extracted database contains MAC-and IP-addresses of all vulnerable devices, manufacturer name, memory capacity, the result of uname-a and / proc / cpuinfo , as well as the country code.

After eliminating duplicates in the database remains 1,285,192 entries.

200 countries
2058 Device Manufacturers
3881 version of RAM
10871 unique uname
35997 unique CPU
787 665 unique IP-networks (C-class)

The distribution of vulnerable devices by country


The distribution of vulnerable devices by manufacturer