New IoT malware targets 100,000 IP cameras via known flaw
Over 100,000 internet-connected cameras may be falling prey to a new IoT malware that is spreading through recently disclosed vulnerabilities in the products.
The malware, called Persirai, has been found infecting Chinese-made wireless cameras since last month, said security firm Trend Micro said. The malware does so by exploiting flaws in the cameras that a security researcher reported in March.
The researcher, Pierre Kim, found that the vulnerabilities can allow an attacker to remotely execute code on the cameras, effectively hijacking them.
Bug in place
At least 1,250 camera models produced by a Chinese manufacturer possess the bugs, the researcher went on to claim.
Over a month later in April, Trend Micro noticed a new malware that spreads by exploiting the same products via the recently disclosed flaws.
“It goes to show that the people behind this are probably more aware of how to use these vulnerabilities,” said Jon Clay, Trend Micro’s director of global threat communications.
The security firm estimates that about 120,000 cameras are vulnerable to the malware, based on Shodan, a search engine for internet-connected hardware.
The Persirai malware is infecting the cameras to form a botnet, or an army of enslaved computers. These botnets can launch DDoS attacks, which can overwhelm web sites with internet traffic, forcing them offline. Once Persirai infects, it will also block anyone else from exploiting the same vulnerabilities on the device.
Security firm Qihoo 360 has also noticed the malware and estimated finding 43,621 devices in China infected with it.
Interestingly, Persirai borrows some computer code from a notorious malware known as Mirai, which has also been infecting IoT devices, such as DVRs, internet routers, and CCTV cameras, but by guessing the passwords protecting them.
Specifically, Persirai lifts certain functions Mirai relies on to scan the internet for new devices to infect, said Marshal Webb, CTO of BackConnect, a DDoS protection provider.
Although the resulting Persirai-powered botnet is capable of launching DDoS attacks, it has largely refrained from assaulting any web sites for the moment, probably because the malware developers are still testing how to use it.
“The security researcher, a white hat, may have had the best intentions with releasing a full disclosure on these vulnerabilities,” Webb said. “But now they’re just out there, making it convenient for anyone to exploit.”
The researcher, Pierre Kim, didn’t immediately respond to a request for comment, but he noted “difficulties” with finding and contacting all the vendors involved, in a blog post about the disclosure.
However, Trend Micro has identified the primary Chinese manufacturer behind the cameras and is working with it to roll out a patch.
The security firm is declining to name the manufacturer until the patch is published. Until then, it is hard to know what exact products and brands may be vulnerable, since so many models appear to be affected.
However, owners can protect a vulnerable device by placing it behind a firewall, and blocking access to the malware’s command and control servers, which are located in Iran. Trend Micro has provided more technical details to Persirai in a blog post.