Bot-herding software called Persirai, which incorporates pieces of the Mirai botnet code, can commandeer significant chunks of a known 150,000 IP cameras that are vulnerable to Mirai and use them to fire off distributed denial-of-service attacks.
The Persirai botnet has attacked at least four targets, starting in a predictable pattern, according to researchers at Trend Micro.
Persirai takes advantage of a known vulnerability in the cameras to infect them, has them download malware from a command and control server, and then puts them to work either infecting other vulnerable cameras or launching DDoS attacks. “Based on the researchers’ observation, once the victim’s IP Camera received C&C commands, which occurs every 24 hours at 12:00 p.m. UTC, the DDoS attacks start,” the researchers say.
They say they have identified at least four victims of the DDoS attacks, but can’t disclose who they are.
Once the malware has been downloaded, it runs in memory and deletes itself from the hard drive, Trend says, so if the devices reboot, they are rid of the infection. As a result, attackers are constantly searching for and reinfecting cameras.
More than 1,000 individual camera models made by multiple manufacturers are vulnerable to the attack, Trend says. “At the time of the initial discovery, around the first and second week of April, about 150,000 cameras were in use by the botnets,” the researchers say. “However, the latest results show around 99,000 as of May 10.” IoT search engine Shodan identifies about 120,000 cameras as vulnerable.
Here’s a possible hint at who wrote Persirai, according to Trend: “C&C servers we discovered were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. We also found some special Persian characters which the malware author used.”
How Persirai gets into the cameras is spelled out by independent researcher Pierre Kim. “The ‘Cloud’ protocol establishes clear-text UDP tunnels (in order to bypass NAT and firewalls) between an attacker and cameras by using only the serial number of the targeted camera. Then, the attacker can automatically bruteforce the credentials of cameras,” he writes.
Kim says the vulnerability exists in 1,250 camera models that are all based on hardware OEMed to the various brands that sell them. “So, cameras are sold under different names, brands and functions,” Kim writes. “The HTTP interface is different for each vendor but shares the same vulnerabilities. The OEM vendors used a custom version of GoAhead [embedded Web server] and added vulnerable code inside.”
AlienVault posts here that Persirai incorporates some Mirai code. “This botnet borrows partial code such as port scanning module from the Mirai, but it is completely different from Mirai in terms of infect chain, C2 communication protocol, attack module and so on. Although the binary names have Mirai mentioned it is probably not wise to treat it just as a Mirai variant,” AlienVault says.
Kim has this recommendation: “I advise to IMMEDIATELY DISCONNECT cameras to the Internet.”