IP cameras are a common target for botnets, and there is fierce competition between malware families for the same devices. Each family has its own feature set, but all of them build defenses to block rival malware from taking over their turf. They also share an entry point: ports that Universal Plug and Play (UPnP) leaves open on IP cameras, which is how they reach and infect the devices.
“Business users need to be aware that IoT devices like cameras are potential attack vectors,” Mark Nunnikhoven, vice president of cloud research at Trend Micro, told Dark Reading. “Even if the device doesn’t have valuable data, it might be connected to valuable resources, like bandwidth, or provide access to internal networks.”
Last year, a Trend Micro analysis of 4,400 IP cameras in the U.S. that run custom HTTP servers found that just over 51% were infected by one of four IoT botnet malware families. The per-family percentages that follow are shares of that infected population.
Last year, a new IoT botnet called Persirai began to draw attention. It targets over 1,000 IP camera models built on products from several original equipment manufacturers (OEMs). A Shodan scan run by the Trend Micro researchers found over 120,000 IP cameras worldwide that were vulnerable to Persirai.
According to Trend Micro and Shodan, 64% of the infected IP cameras with custom HTTP servers were running Persirai. It built on the lessons of older malware families and thereby found new ways to infect its targets.
One particularly dangerous feature of Persirai is that, once it compromises an IP camera, the infected camera itself starts attacking other cameras by exploiting three known vulnerabilities in the custom HTTP server these devices use: (i) login.cgi: attackers can use it to bypass authentication and obtain the admin password; (ii) set_ftp.cgi: once the attacker has the admin password, this endpoint can be abused for command injection and malware deployment; (iii) CVE-2014-8361: a flaw in the device's UPnP service that allows remote attackers to run arbitrary code through a crafted NewInternalClient request.
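The three endpoints above are what a defender can watch for. The following is an added example, not code from the article or from Trend Micro, of a small detector that classifies HTTP requests to a camera and correlates them per source: a hit on login.cgi followed by a hit on set_ftp.cgi from the same address is the Persirai sequence (steal the password, then inject), and a NewInternalClient value that is not a dotted IPv4 address is the CVE-2014-8361 pattern. The record format (src, method, url, body), the set_ftp.cgi parameter names and the sample traffic are all constructed for the example; the page names the endpoints but not their parameters.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Characters that do not belong in an FTP server/user/password field or in a
# UPnP NewInternalClient value (which should be a plain dotted IPv4 address).
# Their presence is the tell-tale of a command injection attempt.
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
NEW_INTERNAL_CLIENT = re.compile(r"<NewInternalClient>(.*?)</NewInternalClient>", re.S)


def classify_request(req):
    """Return indicator tags for one request record.

    req is a dict with keys src, method, url and (optionally) body, the shape
    an HTTP proxy or IDS log export would give you (assumed format)."""
    tags = []
    parts = urlsplit(req["url"])
    path = parts.path.lower()
    if path.endswith("/login.cgi"):
        # Persirai's first step: the unauthenticated password disclosure.
        tags.append("login_cgi_probe")
    if path.endswith("/set_ftp.cgi"):
        tags.append("set_ftp_cgi")
        # parse_qsl already URL-decodes once; unquote again to catch
        # double-encoded payloads.
        for _, value in parse_qsl(parts.query, keep_blank_values=True):
            if SHELL_META.search(unquote(value)):
                tags.append("set_ftp_cgi_injection")
                break
    m = NEW_INTERNAL_CLIENT.search(req.get("body") or "")
    if m and not IPV4.match(m.group(1).strip()):
        tags.append("upnp_newinternalclient_injection")
    return tags


def find_attack_chains(records):
    """Sources that hit login.cgi and afterwards set_ftp.cgi, in that order:
    the sequence Persirai uses (steal the admin password, then inject a
    command). Returns a sorted list of source addresses."""
    seen_login, chained = set(), set()
    for req in records:  # records are assumed to be in time order
        tags = classify_request(req)
        if "login_cgi_probe" in tags:
            seen_login.add(req["src"])
        elif "set_ftp_cgi" in tags and req["src"] in seen_login:
            chained.add(req["src"])
    return sorted(chained)


# Constructed sample records (not real traffic). Addresses come from the
# documentation ranges; the injected payload is a harmless placeholder.
SAMPLE_REQUESTS = [
    {"src": "192.168.1.5", "method": "GET",
     "url": "/set_ftp.cgi?next_url=ftp.htm&svr=192.168.1.2&port=21&user=cam&pwd=s3cret"},
    {"src": "203.0.113.7", "method": "GET", "url": "/login.cgi"},
    {"src": "203.0.113.7", "method": "GET",
     "url": "/set_ftp.cgi?next_url=ftp.htm&loginuse=admin&loginpas=admin"
            "&svr=192.0.2.10&port=21&user=ftp&pwd=%24%28id%29"},
    {"src": "198.51.100.20", "method": "POST", "url": "/upnp/control/WANIPConn1",
     "body": "<NewExternalPort>8080</NewExternalPort>"
             "<NewInternalClient>192.168.1.50</NewInternalClient>"},
    {"src": "198.51.100.21", "method": "POST", "url": "/upnp/control/WANIPConn1",
     "body": "<NewExternalPort>8080</NewExternalPort>"
             "<NewInternalClient>`id`</NewInternalClient>"},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["src"], req["url"], classify_request(req))
    print("attack chains:", find_attack_chains(SAMPLE_REQUESTS))
```

A bare login.cgi hit is noisy on its own, since legitimate logins use the same page; the per-source correlation with a later set_ftp.cgi request is what turns it into an alert worth paging on. Only the set_ftp.cgi and UPnP checks look at content, so a legitimate FTP-backup configuration from the LAN (the first sample record) is tagged but not flagged as injection.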
Once Persirai is running on an IP camera, it connects to a command-and-control server and downloads the components it needs to attack other targets.
Mirai made headlines and brought awareness of IoT botnets into the mainstream. According to the Trend Micro study, 28% of the infected cameras were running Mirai. First seen in the summer of 2016, Mirai launched what were then the largest DDoS attacks in history. After its creators released the source code online in October 2016, a wave of copycat attacks followed.
Mirai has two main parts: the bot that runs on each compromised device and the command-and-control server (CnC). The CnC sends the bots instructions to launch attacks; the bot carries ten DDoS attack vectors it can launch on command and runs a scanner process that seeks out other exploitable devices to spread to.
Mirai frequently targets IP cameras and keeps widening its reach by scanning for open ports. The original bot scanned for Telnet on ports 23 and 2323 and tried a list of factory-default credentials; the ports now scanned for include 22 (SSH), 23 (Telnet), 135 (DCE/RPC), 445 (SMB), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP).
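The scanner is the part of Mirai a network defender sees first, well before any DDoS traffic. As an added example (not code from the article or from Trend Micro), the block below applies the fan-out heuristic to NetFlow-style records: a source that contacts many distinct hosts on one of the scan ports within a short window is flagged, and a slow scanner that spreads the same probes over minutes stays under the threshold, which is the trade-off to tune. It goes one step beyond the page with a second check the original Mirai scanner source makes possible: its SYN packets carried the destination IP address in the TCP sequence-number field, so a capture in which seq equals the destination address as a 32-bit integer is a strong signature. The flow and packet record formats, the window and threshold values, and the sample traffic are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict, deque

# Ports named in the article, plus 2323, the alternate Telnet port the
# original Mirai scanner also probed.
SCAN_PORTS = {22, 23, 135, 445, 1433, 2323, 3306, 3389}
WINDOW_SECONDS = 60      # assumed tuning values; adjust to your network
FANOUT_THRESHOLD = 20    # distinct destinations on one port within the window


def find_scanners(flows, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Flag sources that reach many distinct hosts on one scan port in a short
    window, the fan-out pattern of a Mirai-style scanner.

    flows: iterable of dicts {ts, src, dst, dport} (NetFlow-style export,
    assumed format). Returns {src: {dport: peak distinct destinations}} for
    every (src, dport) whose peak reached the threshold."""
    windows = defaultdict(deque)   # (src, dport) -> deque of (ts, dst)
    counts = defaultdict(dict)     # (src, dport) -> {dst: hits still in window}
    peaks = defaultdict(dict)      # src -> {dport: peak distinct destinations}
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] not in SCAN_PORTS:
            continue
        key = (f["src"], f["dport"])
        dq, seen = windows[key], counts[key]
        dq.append((f["ts"], f["dst"]))
        seen[f["dst"]] = seen.get(f["dst"], 0) + 1
        while f["ts"] - dq[0][0] > window:      # expire flows that left the window
            _, old = dq.popleft()
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
        distinct = len(seen)
        if distinct >= threshold and distinct > peaks[f["src"]].get(f["dport"], 0):
            peaks[f["src"]][f["dport"]] = distinct
    return {src: ports for src, ports in peaks.items() if ports}


def has_mirai_seq_signature(pkt):
    """The original Mirai scanner filled the TCP sequence number with the
    destination IP address (seq = iph->daddr in its scanner.c). pkt is a dict
    {dst, seq} taken from a packet capture (assumed format)."""
    return pkt["seq"] == int(ipaddress.IPv4Address(pkt["dst"]))


def _burst(src, dport, n, step, start=0):
    """Constructed flows: n distinct destinations, one every `step` seconds."""
    return [{"ts": start + i * step, "src": src,
             "dst": f"10.0.{i // 250}.{i % 250 + 1}", "dport": dport}
            for i in range(n)]


# Constructed sample (not real traffic): a fast Telnet scanner, the same host
# poking a few targets on 2323, a slow scanner that stays under the window
# threshold, and an admin host touching five boxes over SSH.
SAMPLE_FLOWS = (
    _burst("198.51.100.77", 23, 40, 1)
    + _burst("198.51.100.77", 2323, 4, 1, start=40)
    + _burst("198.51.100.78", 23, 40, 10)
    + _burst("192.0.2.10", 22, 5, 1)
)

if __name__ == "__main__":
    print(find_scanners(SAMPLE_FLOWS))
    print(has_mirai_seq_signature({"dst": "10.0.0.1", "seq": 0x0A000001}))
```

Lowering the threshold catches the slow scanner at the cost of also flagging the SSH admin host, which is exactly why fan-out detection is paired with an allow-list of known scanners and management hosts in practice.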
DvrHelper is a newer Mirai variant that builds on its predecessor. Trend Micro found it on around 7% of the infected IP cameras in its study. Since Mirai's rise in 2016, DDoS mitigation services have surfaced to counter it, and DvrHelper answers that with eight more DDoS attack modules than Mirai. It is also the first such malware built to evade an anti-DDoS service: it carries two methods aimed at bypassing the DDoS protection of a particular CDN that also offers DDoS mitigation.
TheMoon is the oldest malware family that targets IoT devices. It was first reported in 2014 by the SANS Internet Storm Center (ISC), and it remains active today through upgrades and variants that target new vulnerabilities. Its footprint is comparatively tiny: just over 1% of the infected cameras, according to Trend Micro.
After infecting a device, TheMoon loads iptables rules onto it that wall off the ports other malware would use to infect it. Each port TheMoon targets maps to a specific device and vulnerability, and its main target is IP cameras. Once the infection is complete, the installation script is overwritten with the string “ne kemi mbaruar!”, Albanian for “We’re done!”.
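That iptables wall is visible from the device itself, and so is the overwritten script. As an added example, not code from the article or from any of the malware families it describes, the block below parses an `iptables-save` dump from a camera and reports the service ports the device now refuses to the whole network: a camera that suddenly DROPs Telnet, its web port and UPnP for everyone has walled itself in, which is the turf-defense behaviour described above, while source-restricted or loopback rules are ordinary hardening. It also checks a file for TheMoon's sign-off string. The list of ports a camera normally serves and the sample dump are assumptions made for the example.

```python
import shlex

MOON_MARKER = "ne kemi mbaruar!"

# Ports an IP camera normally serves (assumed set; tune it to the device model).
CAMERA_SERVICE_PORTS = {("tcp", 23), ("tcp", 80), ("tcp", 443), ("tcp", 554),
                        ("tcp", 8080), ("udp", 1900)}


def _ports(spec):
    """Expand an iptables port spec such as '23,8080' or '8000:8010'."""
    out = []
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.extend(range(int(lo), int(hi or lo) + 1))
    return out


def parse_iptables_save(text):
    """Parse `iptables-save` output into chain policies and a rule list
    (chain, proto, dports, src, iface, target). Other options are ignored."""
    policies, rules = {}, []
    for line in text.splitlines():
        toks = shlex.split(line)
        if not toks:
            continue
        if toks[0].startswith(":") and len(toks) > 1:   # ":INPUT DROP [0:0]"
            policies[toks[0][1:]] = toks[1]
            continue
        if toks[0] != "-A":
            continue
        rule = {"chain": toks[1], "proto": None, "dports": [],
                "src": None, "iface": None, "target": None}
        i = 2
        while i < len(toks) - 1:
            opt, arg = toks[i], toks[i + 1]
            if opt == "-p":
                rule["proto"] = arg
            elif opt in ("--dport", "--dports"):
                rule["dports"] = _ports(arg)
            elif opt == "-s":
                rule["src"] = arg
            elif opt == "-i":
                rule["iface"] = arg
            elif opt == "-j":
                rule["target"] = arg
            else:                      # e.g. "-m tcp": not an option we track
                i += 1
                continue
            i += 2
        rules.append(rule)
    return {"policies": policies, "rules": rules}


def find_wall_rules(parsed, service_ports=CAMERA_SERVICE_PORTS):
    """Return the (proto, port) pairs the device refuses on INPUT although it is
    supposed to serve them: the symptom of a bot walling off the ports a rival
    would use to re-infect it. Rules are read in order (first match wins): an
    ACCEPT that names a port keeps it open; a DROP/REJECT with no source
    restriction closes whatever it matches, and so does a DROP default policy.
    Loopback rules and source-restricted drops are ordinary hardening."""
    accepted, walled = set(), set()
    for r in parsed["rules"]:
        if r["chain"] != "INPUT" or r["iface"] == "lo":
            continue
        hit = {(proto, port) for proto, port in service_ports
               if r["proto"] in (None, proto) and (not r["dports"] or port in r["dports"])}
        if r["target"] == "ACCEPT" and r["dports"]:
            accepted |= hit
        elif r["target"] in ("DROP", "REJECT") and not r["src"]:
            walled |= hit - accepted
    if parsed["policies"].get("INPUT") == "DROP":
        walled |= set(service_ports) - accepted
    return sorted(walled)


def is_moon_marker(script_contents):
    """True when a file holds nothing but TheMoon's sign-off string, i.e. the
    installation script has been overwritten as the article describes."""
    return script_contents.strip() == MOON_MARKER


# Constructed iptables-save dump (not from a real device): the camera has
# started refusing Telnet, the alternate web port and UPnP to everyone.
SAMPLE_IPTABLES_SAVE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -s 192.168.1.0/24 -j ACCEPT
-A INPUT -p tcp -m multiport --dports 23,8080 -j DROP
-A INPUT -p udp -m udp --dport 1900 -j DROP
-A INPUT -p tcp -m tcp --dport 3389 -j DROP
-A INPUT -s 203.0.113.9/32 -j DROP
COMMIT
"""

if __name__ == "__main__":
    print(find_wall_rules(parse_iptables_save(SAMPLE_IPTABLES_SAVE)))
    print(is_moon_marker("ne kemi mbaruar!\n"))
```

On a live device, feed it the output of `iptables-save` collected over a serial console or a known-good shell, not over the camera's own web interface, which may already be under the bot's control. A non-empty result on a camera nobody has deliberately firewalled is worth treating as an indicator of compromise rather than a misconfiguration.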
The majority of the compromised cameras were infected by Persirai. All of these botnets are mainly used to launch DDoS attacks against specific targets. Some of the largest Mirai-enabled DDoS attacks in 2016 generated over 1 Tbps of attack traffic, and botnets built from IP cameras were responsible for three of those huge attacks, says Nunnikhoven.
“So far, we haven’t seen much impact to the devices themselves,” he says. “Attackers are very much seeing these devices as bandwidth resources for much larger attacks.” Manufacturers need to start implementing better security practices, Nunnikhoven says, starting by eliminating default passwords and ensuring that remote access is disabled.
“Current development practice seems to expect that these devices live in a vacuum,” he said, “but they don’t.”