Persirai leads in botnet battle for connected cameras, researchers find

Persirai leads in botnet battle for connected cameras, researchers find

Persirai leads in botnet battle for connected cameras

Research conducted by security software company Trend Micro has identified four types of botnets affecting connected cameras.

The company used custom http servers to analyze the vulnerabilities of around 4,400 IoT-enabled cameras and found that just over half of them (51 percent) were infected with malware.

Hack opportunity

Persirai emerged as the most common type of botnet in Trend Micro’s research. An estimated 64.1 percent of the cameras were compromised by the botnet, the company revealed in a blog post on Thursday.

Discovered earlier in the year, this botnet compromises devices before stealing lucrative credentials and attacking other connected devices.

Writing in the blog post, the company’s researchers warned that an attacker is able to get access to passwords regardless of their strength. And that’s certainly worrying.

“One interesting feature of Persirai is that when it comprises an IP camera, that camera will start attacking others by exploiting three known vulnerabilities,” the company said.

“Through these vulnerabilities, the attacker will be able to get users’ passwords, and can deploy command injections, regardless of password strength.”

Other botnets

In addition to Persirai, three other common botnets were also detected, with the researchers finding cameras infected by Mirai (27.7 percent of those analyzed), DvrHelper (6.8 percent) and TheMoon (1.4 percent).

To create this study, the company used its own research, as well as the Shodan search engine, which helps identify connected devices. However, the company didn’t reveal when this analysis actually took place.

Mirai is probably the most well-known form of botnet, thanks to its use in the biggest DDOS attack in history last year

Since then, Trend Micro notes, the botnet has become more advanced. In October 2016, the developers behind the botnet published its source code, allowing others to create new and potentially more sophisticated versions.

Trend Micro’s researchers explained that Mirai is widening its distribution capabilities by making use of a Windows Trojan that can scan a wide range of network ports. 

Increasing threat from botnets

Since Mirai emerged, for example, a newer version has arrived on the scene: DvrHelper, detected by Trend Micro as ELF_MIRAI.AU, which according to the researchers, has advanced from its predecessor.

While companies around the globe have launched new DDoS prevention solutions following the Mirai attack, DvrHelper has upped the ante with eight more attack modules.

Trend Micro said it’s the first malware to compromise an anti-DDoS solution and boasts two methods to do so.

TheMoon, which Trend Micro calls ELF_THEMOON.B, is the oldest malware to target connected devices. It was first identified by SANS ICS in 2014 and continues to attack devices using updated attack methods.

“When we compared a newer version with an older variant, we noted that the C&C server port was changed. Also, in the later versions, a specific binary focuses on a specific vulnerability, and there are new iptables rules,” the firm wrote.

Read more: Dahua issues patches for internet-connected CCTV cameras

Action needed

Ken Munro, from ethical hacking company Pen Test Partners, told Internet of Business that connected devices commonly suffer from poor security and that action needs to be taken.

“IoT devices continue to exhibit common security flaws. Poor security on the mobile app, API or web interface, or on the radio frequency standard used to connect to the device all provide the attacker with an avenue to exploit in addition to weaknesses inherent in the hardware of the device,” he said.

“In terms of implications, it’s not just the device itself that’s at risk. IoT devices can be used to: compromise the network such as by leaking the PSK; carry out surveillance by capturing video and audio feeds; and, to manipulate the end user by enabling man-in-the-middle attacks.

“It doesn’t stop there, because IoT devices can also be infected not just with bot malware like Mirai but also ransomware. The Mirai malware that compromised thousands of devices last year signaled the beginning of IoT malware. Mirai was so successful because it was able to utilize the seldom used Telnet port.”

Read more: Search Lab finds numerous flaws in AVTech cameras and DVRs


Leave a Reply