Origin of the beasties: Mirai botnet missing link revealed as DVR player

CCTV cameras? You've been looking in the wrong place

Security researchers have discovered a "missing link" in the Mirai botnet that may prompt a rethink in what makes up the zombie network.

The release of Mirai's source code in early October revealed that the malware scans for open telnet services before attempting to log into devices, using a brute-force attack that tries 61 different user/password combinations.
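The telnet credential walk described above is what a honeypot or edge log would show as many distinct username/password pairs from one source in a short window. As an added example (not code from the article or from Pen Test Partners), the following flags that pattern in constructed, honeypot-style telnet log lines; the log format, the thresholds and the placeholder credentials are all assumptions, and the real Mirai list is not reproduced.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed honeypot-style telnet login records (not real Mirai traffic or credentials).
SAMPLE_LOG = """\
2016-10-20T10:00:01Z src=203.0.113.5 dport=23 user=admin pass=xxxx1 result=fail
2016-10-20T10:00:02Z src=203.0.113.5 dport=23 user=root pass=xxxx2 result=fail
2016-10-20T10:00:02Z src=203.0.113.5 dport=23 user=root pass=xxxx3 result=fail
2016-10-20T10:00:03Z src=203.0.113.5 dport=23 user=admin pass=xxxx4 result=fail
2016-10-20T10:00:04Z src=203.0.113.5 dport=23 user=admin pass=xxxx5 result=fail
2016-10-20T10:00:05Z src=203.0.113.5 dport=23 user=root pass=xxxx6 result=fail
2016-10-20T10:00:09Z src=198.51.100.7 dport=23 user=admin pass=xxxx1 result=fail
2016-10-20T10:00:15Z src=198.51.100.7 dport=23 user=admin pass=xxxx1 result=fail
2016-10-20T10:00:16Z src=198.51.100.7 dport=23 user=admin pass=xxxx1 result=fail
2016-10-20T10:00:20Z src=192.0.2.9 dport=22 user=root pass=xxxx7 result=fail
2016-10-20T10:00:21Z src=192.0.2.9 dport=22 user=root pass=xxxx8 result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dport=(?P<dport>\d+) "
    r"user=(?P<user>\S*) pass=(?P<pw>\S*) result=(?P<result>\w+)$"
)

def parse_log(text):
    """Yield (timestamp, src, dport, (user, pw), result) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # malformed lines are skipped rather than trusted
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["src"], int(m["dport"]), (m["user"], m["pw"]), m["result"]

def find_telnet_bruteforce(text, min_pairs=5, window_s=60):
    """Return {src: distinct_pair_count} for sources that tried at least min_pairs
    distinct telnet credential pairs within window_s seconds. A client repeating
    one pair is not flagged; a dictionary walk cycles through many pairs."""
    attempts = defaultdict(list)  # src -> [(ts, pair)], telnet (port 23) only
    for ts, src, dport, pair, _ in parse_log(text):
        if dport == 23:
            attempts[src].append((ts, pair))
    flagged = {}
    for src, events in attempts.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each attempt
            horizon = start + timedelta(seconds=window_s)
            pairs = {p for t, p in events[i:] if t <= horizon}
            if len(pairs) >= min_pairs:
                flagged[src] = max(flagged.get(src, 0), len(pairs))
    return flagged
```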

Security researchers including Brian Krebs have been able to match this list, with a few exceptions, against the default credentials of various IoT devices. One view, espoused by DDoS mitigation outfit Imperva Incapsula, was that CCTV cameras made up the bulk of the zombie horde with DVRs and routers playing a supporting role.

New research casts further doubt on this diagnosis, already questioned by US telco Level 3, which estimated four in five Mirai bots are DVRs with the rest being routers and other miscellaneous devices, such as IP cameras and Linux servers.

UK-based security consultancy Pen Test Partners (PTP) discovered that a DVR device they recently bought was vulnerable to a previously unassigned credential pair on the Mirai hit list. "That means that the Mirai authors knew about the default credentials for this DVR, but no one else seemed to," PTP reasons.

Some of the attributed devices were CCTV cameras, which generally offer less functionality than DVRs and would therefore make a less flexible attack platform. Looking deeper, PTP uncovered evidence that the conventional wisdom that Mirai is mostly CCTV cameras might be wrong.

"On further digging, we found that all the cameras we looked at were running near-identical code to the DVRs and ran the 'dvrHelper' process, as did the DVRs we looked at," a blog post by PTP explains. "The reason the cameras were vulnerable is that they were running an uncustomised version of the DVR software, rather than being targeted specifically because they were cameras."

A similar rationale has led PTP to posit that neither RealTek routers nor Panasonic printers are being exploited by Mirai. "Whilst the default creds are the same, it's a coincidence," according to PTP. "We think it's more likely that the RealTek devices in question are from their DVR range, particularly as they are often rebadged and rebranded.

"Mirai is more to do with DVRs than CCTV cameras. Some have claimed that they've seen Mirai traffic from devices that weren't DVRs or cameras. We've been running a Mirai honeypot for some time. Whilst we've seen scans from routers and other devices attempting these same default credentials, none of them have then tried to exploit our honeypot in the same way as Mirai.

"We think it's more likely that there is code out there that is similar to Mirai doing this, but it's not Mirai."

“That L3 report links back to Brian Krebs' list of attributed devices, which we think is where the confusion about routers, printers & VoIP phones has arisen from,” Pen Test Partners’ Ken Munro told El Reg. “We aren't saying that Mirai isn't about CCTV - it's more of a coincidence that it affects cameras. It's the unnecessary DVR functionality in these cameras which is the root of the problem.”

Dima Bekerman, Imperva security researcher for the Incapsula product line, commented: “We can’t be 100% sure of what type of devices were most prevalent in the latest Mirai DDoS attacks. It is difficult to distinguish between a DVR and a CCTV device at a technical level.

"This is because the firmware used by manufacturers for DVD boxes and for camera plus DVR in a single box are similar and have the same fingerprint. For example, your baby camera may combine with your DVR to store recorded video. Or your home security system may include many cameras all tied to one DVR connected to the web and vulnerable to Mirai.

"Mirai uses the default credentials in the operating system to penetrate the device and recruit it into the BotNet. It does this without regard for the intended task of the system, be it to capture the image (camera), store the recorded video (DVR) or control the system (Web interface controller).” ®

Biting the hand that feeds IT © 1998–2022