Carna botnet explained

The Carna botnet was a botnet of 420,000 devices created by an anonymous hacker to measure the extent of the Internet in what the creator called the “Internet Census of 2012”.

Data collection

The data was collected by infiltrating Internet devices, especially routers, that used a default password or no password at all.^{[1] [2]} It was named after Carna, "the Roman goddess for the protection of inner organs and health".^[3]

Collected data was compiled into a GIF portrait to display Internet use around the world over the course of 24 hours. The data gathered included only the IPv4 address space and not the IPv6 address space.^{[4] [5]}

The Carna Botnet creator believes that with a growing number of IPv6 hosts on the Internet, 2012 may have been the last time a census like this was possible.^[3]

Results

Of the 4.3 billion possible IPv4 addresses, Carna Botnet found a total of 1.3 billion addresses in use, including 141 million that were behind a firewall and 729 million that returned reverse domain name system records. The remaining 2.3 billion IPv4 addresses are probably not used.^[6]

An earlier first Internet census by the USDHS LANDER-study had counted 187 million visible Internet hosts in 2006.^{[7] [8]}

Further implications

The data provided by the Carna botnet was used by security researcher Morgan Marquis-Boire to determine in how many countries FinFisher spyware was being used. The use of such legally-gray data to conduct open source analysis raised questions for some, but Marquis-Boire expressed a belief that data is data. "I consider this more like rogue academia rather than criminal activity," he told Wired Magazine.^[9]

Number of hosts by top level domain

Amongst other, Carna Botnet counted the number of hosts with reverse DNS names observed from May to October 2012. The top 20 Top Level Domains were:

Number of hosts[10]	Top Level Domain
align=right	374,670,873	align=center	.net
align=right	199,029,228	align=center	.com
align=right	75,612,578	align=center	.jp
align=right	28,059,515	align=center	.it
align=right	28,026,059	align=center	.br
align=right	21,415,524	align=center	.de
align=right	20,552,228	align=center	.cn
align=right	17,450,093	align=center	.fr
align=right	17,363,363	align=center	.au
align=right	17,296,801	align=center	.ru
align=right	16,910,153	align=center	.mx
align=right	14,416,783	align=center	.pl
align=right	14,409,280	align=center	.nl
align=right	13,702,339	align=center	.edu
align=right	11,915,681	align=center	.ar
align=right	9,157,824	align=center	.ca
align=right	8,937,159	align=center	.uk
align=right	7,452,888	align=center	.se
align=right	7,243,480	align=center	.tr
align=right	6,878,625	align=center	.in

See also

• BASHLITE
• Mirai (malware)
• Remaiten
• Linux.Darlloz
• Linux.Wifatch
• Hajime (malware)

External links

• Internet Census 2012: Port scanning /0 using insecure embedded devices, Carna Botnet, June — October 2012
• All of the data can be found on GitHub, BitBucket, SourceForge, and Internet Archive.

Notes and References

1. News: Stöcker . Christian . Horchert . Judith . Mapping the Internet: A Hacker's Secret Internet Census . Spiegel Online . 2013-03-22 .
2. News: Kleinman . Alexis . The Most Detailed, GIF-Based Map Of The Internet Was Made By Hacking 420,000 Computers . Huffington Post . 2013-03-22 .
3. http://internetcensus2012.bitbucket.org/paper.html Internet Census 2012: Port scanning /0 using insecure embedded devices
4. News: Read . Max . This Illegally Made, Incredibly Mesmerizing Animated GIF Is What the Internet Looks Like . Gawker . 2013-03-21 . dead . https://web.archive.org/web/20130324015330/http://gawker.com/5991667/this-illegally-made-incredibly-mesmerizing-animated-gif-is-what-the-internet-looks-like?utm_campaign=socialflow_gawker_facebook&utm_source=gawker_facebook&utm_medium=socialflow . 2013-03-24 .
5. News: Thomson . Iain . Researcher sets up illegal 420,000 node botnet for IPv4 internet map . The Register . 2013-03-19 .
6. https://arstechnica.com/security/2013/03/guerilla-researcher-created-epic-botnet-to-scan-billions-of-ip-addresses/ Guerilla researcher created epic botnet to scan billions of IP addresses
7. http://www.isi.edu/~johnh/PAPERS/Heidemann07c.pdf Exploring Visible Internet Hosts through Census and Survey
8. http://www.spiegel.de/netzwelt/web/carna-botnet-internet-zensus-mit-hacker-methoden-a-890225.html Forschung mit illegalem Botnetz: Die Vermessung des Internets
9. Is It Wrong to Use Data From the World's First 'Nice' Botnet?. https://web.archive.org/web/20161222105713/https://www.wired.com/2013/05/internet_census/. 2016-12-22. Robert . McMillan . . 2013-05-15.
10. Web site: Top Level Domains. Internet Census 2012 . 2013-05-16 . https://web.archive.org/web/20130515041758/http://internetcensus2012.bitbucket.org/tld_overview.html . 2013-05-15 . dead .