Your Fly Is Open

Netmenaces and Other Internet Stupidity

Mirror, mirror on the 'Net...

2016-05-09

…just how stupid can they get?

I am a generous and thoughtful person.

Really. I am. (Seriously… would a generous and thoughtful person lie to you about that?)

I’ve taken it upon myself to create and provide the Internet with a much-needed service that I like to call Tom’s Telnet Mirror™

It works like this:

  • You need to test to see if telnet - on your own system - is working and accessible from the Internet
  • Unfortunately, you don’t have any other system available from which to perform your testing
  • “Oh… woe is me,” you cry, “what am I going to do?”
  • Suddenly, you remember Tom’s Telnet Mirror™ and your day gets just a little better

You see, Tom’s Telnet Mirror™ is the only full-featured telnet mirroring service you’ll ever need. When it senses an inbound telnet connection - and the TCP three-way handshake completes - it creates a new, outbound connection right back to you. If that connection is accepted, then anything you send to the mirror goes right back to your system. PROBLEM SOLVED! You can test your Internet-connected telnet system right from the system itself!

    “Thank you, Tom’s Telnet Mirror™, for making my life so much easier”
                                                            -A satisfied Tom’s Telnet Mirror™ user
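The relay at the heart of the mirror, as an added example rather than the author's own code: once the inbound connection and the connection back to the same host both exist, bytes are copied in each direction and logged. The function names are hypothetical, and socketpairs with a made-up login exchange stand in for the two TCP connections so it runs offline.

```python
import contextlib
import socket
import threading

def pump(src, dst, tag, log):
    """Copy bytes from src to dst until EOF, recording every chunk."""
    with contextlib.suppress(OSError):  # a reset counts as end of stream
        while chunk := src.recv(4096):
            log.append((tag, chunk))
            dst.sendall(chunk)
    with contextlib.suppress(OSError):
        dst.shutdown(socket.SHUT_WR)  # pass the half-close along

def mirror(inbound, back):
    """Relay both ways between the two connections; return the capture."""
    log = []
    t = threading.Thread(target=pump, args=(back, inbound, "daemon", log))
    t.start()
    pump(inbound, back, "script", log)
    t.join()
    return log

def demo():
    # Constructed stand-ins: socketpairs replace the two TCP connections.
    script, inbound = socket.socketpair()
    back, daemon = socket.socketpair()
    def fake_daemon():  # plays the telnet service on the originating host
        for prompt in (b"login: ", b"Password: "):
            daemon.sendall(prompt)
            daemon.recv(64)
        daemon.sendall(b"# ")
        daemon.close()
    def fake_script():  # plays the scripted client; credentials are made up
        for reply in (b"root\r\n", b"example-default\r\n"):
            script.recv(64)
            script.sendall(reply)
        script.recv(64)
        script.close()
    workers = [threading.Thread(target=f) for f in (fake_daemon, fake_script)]
    for w in workers:
        w.start()
    log = mirror(inbound, back)
    for w in workers:
        w.join()
    inbound.close()
    back.close()
    return log

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

The capture shows the client's own login attempt answered by the service on its own host, which is why an unchanged default password is all it takes for the self-login described further down.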

Now, having created and deployed this boon to Internet users everywhere, I’ve discovered what might be a little problem. You see, apparently, there are less than forthright people on the Internet that are ATTACKING others via telnet (who knew?!?) and sometimes - for reasons that I’ve yet to fully understand - those unsavory individuals target ME! (Can you believe it? Me!?!? And I’m such a generous and thoughtful person - see above.)

When these Internet scamps attempt to attack Tom’s Telnet Mirror™ something odd happens. Sometimes, they manage to log right back into their own system and… well… 0wn their system.

We here at YourFlyIsOpen.com are, understandably, somewhat dismayed by this turn of events. Having invested considerable time, effort, and financial resources into the creation of a much-needed Internet service, we find ourselves stymied by ‘Net miscreants who insist on, essentially, shooting themselves in the foot. For the time being, we’ve decided that we won’t publish information on the availability of Tom’s Telnet Mirror™ until such time as we’re able to safely deploy it in a manner that cannot be abused by those we deem “netmenaces” to hurt themselves. In the meanwhile, we intend to monitor our test deployment of the mirror, try to think (for, at least, a few seconds each day) of some way to fix it, and laugh ourselves silly any time we see something like this:

Self-unawareness

Here, we see someone’s stoopid scripted attack logging back into the system that it came from (an Internet-connected DVR, likely used for surveillance cameras - thank you IoT!) using the DVR’s default root password (unchanged default account credentials FTW!) and running through the steps to re-0wn itself.

Self-0wning

And here, we see the final results of that script re-0wning the system. If you look at the bottom of the captured telnet traffic, you can see that the attack script has re-created and relaunched KTN “Remastered”, version 2.2 (a known IoT malware - and is it just me or aren’t the attackers so darned cute when they do version control like they’re legit programmers?) in the background on the same device from which the attack sourced.

-TL
Tom Liston
Owner, Principal Consultant
Bad Wolf Security, LLC
Mastodon: @tliston@infosec.exchange
Twitter: @tliston
May 9, 2016