When threat actors see a good thing they’re not shy about piling on. Unsecure IP-connected surveillance cameras are a good example.
According to a blog today from Trend Micro researchers there are four malware families in the wild now targeting these devices, each trying to build the biggest Internet of Things botnet.
The financial opportunity is big enough that their code includes capabilities that attempt to block their competitors.
The most recently discovered of the quartet is what Trend Micro calls Persirai, which targets over 1,000 camera models. Through Shodan and research the authors believe 64 per cent of tracked IP cameras in four countries, including the U.S., with custom http servers are infected with Persirai.
Just over half of the cameras in the U.S. that Trend Micro looked at had been infected by at least one of the malware.
What is concerning about Persirai is that allows attackers to bypass authentication and get the admin password.
“One interesting feature of Persirai is that when it compromises an IP camera, that camera will start attacking others by exploiting three known vulnerabilities,” the blog says. More detail on Persirai can be found here.
Arguably the most well known of the malware is Murai, which last year was behind the biggest distributed denial of service (DDoS) attack seen so far, with one flood peaking at 623 Gbps.
A newer version of Mirai, which has been dubbed DvrHelper, has eight more attack modules than its predecessor. It is also the first malware designed to bypass an anti-DDoS solution from an unnamed content delivery network that also provides DDoS prevention services. One way it does that is by taking advantage of the challenge-response policies of the provider. Briefly, when the bot sends a request to target’s website and gets a challenge request in JavaScript, embedded JavaScript code is extracted and sent to the command and control (C&C) server. The C&C server will execute JavaScript code and respond with a result (answer). That response and other information are combined and a response request is sent to the DDoS protection provider to get a valid cookie and user-agent for the following DDOS attack.
The other way of getting around a defence uses a shared “Google reCAPTCHA response” token, as sketched in the Trend Micro graphic below.
When the bot sends a request to the command and control URL and gets a valid (shared) Google reCAPTCHA response token it sends a request with the token to the validator URL and gets two valid cookies. With the information, the bot attempts to bypass DDOS protection.
The fourth
Finally, there is malware called TheMoon, first discovered by SANS ICS in 2014, whose authors continues to upgrade attack methods and target new vulnerabilities.
“Many of these attacks are caused by a simple issue: the use of default passwords in the device interface,” says Trend Micro. “As soon as possible, IP camera users should change their passwords and follow best practices for creating a strong password—use at least 15 characters, with both uppercase and lowercase letters, numbers, and special characters.
IP camera owners should also disable Universal Plug and Play on their routers to prevent devices within the network from opening ports to the external Internet without any warning, says the column.