Analyzing #ASUSGATE

So, I guess you back up all your important information regularly. Automatically, with strong encryption, and to several mirrored locations. That’s great, because not many people do.

My next question would be, ‘Which files do you back up?’ The most important ones, of course.

This is why the so-called Asusgate is a problem. (I wrote a post about ASUS routers that shared LOADS of private information on the internet without their owners’ knowledge.) Your goal is to keep the data safe, but Asusgate shows that many people have no idea how to keep data safe.

The short version of the story is that people plug a USB drive into their ASUS router to store backups and allow local file sharing. Little do they know that if they just click next-next during the setup, they also allow full access to all their files via anonymous FTP from the Internet.

Recently, someone released a pack called “ASUSGATE: A story about thousands of crimeless victims” containing “6536 complete and 3605 partial lists of files shared from these ASUS routers”. There are also a bunch of usernames and passwords (3131) for AiCloud, ASUS’s file sharing service, since there is also an exploit that retrieves those in plain text.

In the data there are a bunch of zero-sized files (774 of them), and some marked as “partial” (3605), meaning they contain no data or only part of it. This can happen because the user disabled the fully open FTP access in the meantime, because the IP address changed, or because the FTP server was overloaded.

When TechWorld and PCWorld Norway broke the news the first time, I got hold of some other file lists. I started by cleaning up all empty files, and then merged the old list with these new lists. This means that I will treat partial lists as if they are complete, for simplicity. This made me end up with a total of 8774 open routers, occupying a nice 15 gigabytes of just file names(!) from people’s NAS drives.

First, let’s look at the most obvious data: where are these routers located?

There is a huge number of publicly accessible drives in the United States: at least 3617 of them, four times the number of the runner-up, Russia, with 910 shared drives. Since all this data is based on Shodan and the like, plus manual scanning, many devices will also have been missed. But all of these were open, and had files on them, during scanning.

Now, what else is interesting? These drives are almost exclusively used for local file sharing and backups, so of course the file types are interesting!

In total, there are nearly 165 million files (164,838,345) that people have, presumably unknowingly, made available to everyone.

There are almost 75 million images (45.40% of all files) shared. This might not be too weird, since people are storing their backups on these NAS drives.

But, what other “important” files are there?

“Private” images
These kinds of files were the first I saw being distributed in a few forums. Horrible.

Bitcoin wallets
I assume that they are either emptied already, or that someone is running password cracking on them if they were protected.

Stored passwords
Browsers, FTP clients, etc. let you remember usernames and passwords. Anyone who downloads the files those credentials are stored in gets easy access to the accounts.

Remote desktop connection files
Same here. There is a big bunch of them, containing at least server information, and some probably contain stored passwords as well.

Password storage software
Software like KeePass, PasswordSafe, 1Password, etc. allows the user to safely store multiple passwords, protected by a single master password. There are a bunch of these files too. People still need to choose a strong master password; otherwise the database can easily be brute-forced, giving access to all the other passwords.
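To make the file-type and sensitive-file analysis above concrete, here is an added Python example of my own; it is not the author’s script and nothing in it comes from the leaked pack. It assumes a one-path-per-line listing in the host/share/path shape the post’s sed expression implies (an assumption), uses a constructed sample listing, and flags the categories the post names: images, Bitcoin wallet.dat files, saved browser and FTP-client credential stores, .rdp files and password-manager databases. The same classifier can be run over a listing of your own NAS share to find what should be encrypted or removed before the share is ever exposed.

```python
import os
from collections import Counter

# Constructed sample of directory-listing lines (host/share/path, one per line).
# The format is an assumption; none of these entries are real.
SAMPLE_DIRLIST = """\
203.0.113.10/backup/photos/2013/IMG_0001.jpg
203.0.113.10/backup/photos/2013/IMG_0002.jpg
203.0.113.10/backup/photos/2013/IMG_0003.png
203.0.113.10/backup/bitcoin/wallet.dat
203.0.113.10/backup/firefox/profile/logins.json
203.0.113.10/backup/firefox/profile/key3.db
203.0.113.10/backup/filezilla/sitemanager.xml
203.0.113.10/backup/work/office-server.rdp
203.0.113.10/backup/passwords/personal.kdbx
203.0.113.10/backup/passwords/old.psafe3
203.0.113.10/backup/docs/1997 tax return/return.pdf
203.0.113.10/backup/movies/holiday.avi
"""

IMAGE_EXT = {".jpg", ".jpeg", ".png", ".gif", ".bmp", ".tif", ".tiff", ".cr2", ".nef"}
# Password-manager databases: KeePass (.kdb/.kdbx), Password Safe (.psafe3),
# 1Password (.agilekeychain/.opvault, which are directory bundles).
PASSWORD_DB_EXT = {".kdb", ".kdbx", ".psafe3", ".agilekeychain", ".opvault"}
# Files where browsers and FTP clients keep saved logins (Firefox, Chrome, FileZilla).
STORED_CRED_NAMES = {
    "logins.json", "signons.sqlite", "key3.db", "key4.db",
    "login data", "sitemanager.xml", "recentservers.xml",
}
SENSITIVE = {
    "bitcoin wallet", "remote desktop file",
    "password manager database", "stored browser/FTP credentials",
}


def classify(path):
    """Map one listing entry to a category used in the post's breakdown."""
    norm = path.replace("\\", "/").rstrip("/")
    parts = [p.lower() for p in norm.split("/")]
    name = parts[-1]
    ext = os.path.splitext(name)[1]
    if name == "wallet.dat":
        return "bitcoin wallet"
    if ext == ".rdp":
        return "remote desktop file"
    # Bundle-style vaults appear as a directory component, so check every part.
    if any(os.path.splitext(p)[1] in PASSWORD_DB_EXT for p in parts):
        return "password manager database"
    if name in STORED_CRED_NAMES:
        return "stored browser/FTP credentials"
    if ext in IMAGE_EXT:
        return "image"
    return "other"


def summarize(dirlist_text):
    """Count entries per category, skipping blank lines."""
    counts = Counter()
    for line in dirlist_text.splitlines():
        line = line.strip()
        if line:
            counts[classify(line)] += 1
    return counts


def percentages(counts):
    """Share of each category in percent, rounded like the post's 45.40% figure."""
    total = sum(counts.values())
    return {cat: round(100.0 * n / total, 2) for cat, n in counts.items()}


def sensitive_paths(dirlist_text):
    """Entries a share owner should remove or encrypt before exposing the share."""
    return [
        line.strip() for line in dirlist_text.splitlines()
        if line.strip() and classify(line.strip()) in SENSITIVE
    ]


if __name__ == "__main__":
    counts = summarize(SAMPLE_DIRLIST)
    for cat, pct in sorted(percentages(counts).items(), key=lambda kv: -kv[1]):
        print(f"{cat:32s} {counts[cat]:4d}  {pct:6.2f}%")
    print("sensitive entries:")
    for p in sensitive_paths(SAMPLE_DIRLIST):
        print("  " + p)
```

Matching is by file name and extension only, as the post’s own analysis of file lists must be, so it cannot tell an encrypted wallet from an unencrypted one; treat every hit as something to move off the share or into an encrypted container.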

Oh, and just for fun, I decided to see what folders people hide their porn in…

I ran this rather cryptic command (bonus points if you understand it…):

curl -s |
sed -nr 's/.+straight\/([[:alnum:]]+)\+([[:alnum:]]+).+/\1 \2/p' |
grep -v 'know\|dad\|old\|first\|do\|and\|my\|full\|money\|cze\|gone\|bang' |
grep -f - *.dirlist | grep '\.avi\|\.mp[gv4]\|\.wmv' |
sed -nr 's/^[^\\/]+\/[^\\/]+\/(.+)\/.+\/.+/\1/p' |
grep -v 'torrent\|porn\|porr\|video\|film\|download' |
grep -e '.\{4,\}'

… which gave me (among others) these funny/creative folder names where people have hidden their porn:

/1997 tax return/
/entertainment/everybody loves raymond/
/hdd software/system files/run.exe/
/ljudbok/douglas adams - liftarens guide till galaxen/liftaren/
/movies/a good day to die hard (2013)/die well/
/seagate system files/internal/
/system operating memory/system memory/system memory/11211223633/sistema/
/visual aids/
/warrick's folder/carport project/
/wd utilities/wd smartware for mac/drafts/
