Amnesia malware turns DVRs into botnet slaves
Distribution of vulnerable DVR devices from TVT Digital [Credit: Palo Alto Networks]

Tsunami malware variant looks for vulnerable IoT devices to form botnet

IT security researchers have uncovered a new strain of malware that targets digital video recorders (DVRs), turning them into botnet slaves.

According to a blog post from IT security company Palo Alto Networks, a new variant of the IoT/Linux botnet Tsunami, which it calls Amnesia, targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in DVR devices manufactured by TVT Digital and branded by over 70 vendors worldwide.

This vulnerability affects approximately 227,000 devices around the world, with Taiwan, the US, Israel, Turkey, and India being the most exposed.

Virtual machine evasion

Researchers believe that the malware is one of the first to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. If it detects a virtual machine, it will wipe the virtualized Linux system by deleting all the files in the file system.

Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems.

“A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall 2016,” write the researchers.

Lack of response

Palo Alto Networks’ researchers said that even though this vulnerability was originally disclosed way back in March 2016, they have been unable to find updates that fix it, despite their best efforts.

“While the Amnesia botnet hasn’t yet been used to mount large-scale attacks, the Mirai botnet attacks show the potential harm large-scale IoT-based botnets can cause,” said the researchers.

Palo Alto Networks said that, in the case of Amnesia, because the malware relies on hard-coded C2 addresses, preventing another Mirai-type attack is possible if these addresses are blocked as broadly and as quickly as possible.

Cris Thomas, strategist at IT security company Tenable Network Security, told Internet of Business that ensuring security is built into these devices early on is critical; however, the challenge for device manufacturers is balancing speed, cost and quality.

“Both consumer and enterprise buyers want the best quality, and they want it now. To meet those demands, manufacturers must streamline the development process, and oftentimes, this includes reusing technologies, or not building security into the product in the first place. Consequently, defects are passed down from one generation to the next,” he said.
