Trend Micro has discovered a new botnet called Persirai. It consists solely of IP cameras. In total, more than 1,000 different camera models, all based on the products of a single original equipment manufacturer (OEM), are vulnerable to the Persirai malware. According to the researchers, the hijacked cameras are used for distributed denial-of-service (DDoS) attacks, much like the Mirai and Hajime botnets.
Using the device search engine Shodan, Trend Micro found around 120,000 IP cameras worldwide that could in theory join the Persirai botnet. The company expects that many of the affected users do not even know that their cameras are reachable, and vulnerable, over the internet.
The operators of Persirai reach the cameras' web interface through the open TCP port 81 and then use a zero-day vulnerability that lets them retrieve data from the device. "After logging in, the attacker can inject commands and force the IP camera to connect to a download site," the Trend Micro blog says. A malicious shell script is then downloaded and executed, after which the actual malware resides only in memory, which hampers detection.
The hijacked cameras finally contact the attackers' command-and-control server, from which they also receive the instructions needed for the DDoS attacks. The server uses the top-level domain .ir, which, according to Trend Micro, is administered by an Iranian research institute and is restricted to Iranian citizens. The malware code also contained some special Persian characters.
The hackers also close the zero-day vulnerability on infected devices to prevent other attackers from hijacking the already compromised cameras. According to Trend Micro, restarting a camera stops a running attack, but it also reopens the zero-day vulnerability, so hackers can try to take control once again.
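The infection chain described above (an inbound login on TCP port 81, the camera fetching a script from a download site, then outbound contact with a command server under the .ir top-level domain) is something a network defender can look for in connection logs. The following is an added example, not code from the article or from Trend Micro: it correlates constructed flow-log lines per camera and reports which cameras merely have port 81 exposed and which show the full exposure-then-outbound pattern. The log format, the camera subnet, all addresses and the host names are constructed placeholders.

```python
"""Added example (not from the article or Trend Micro): correlate constructed
connection-log lines to spot the Persirai infection pattern: an inbound
connection to a camera's TCP port 81, followed shortly by the camera itself
opening outbound connections (download site, then a .ir command server).
Log format, subnet, addresses and host names are all constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow log: timestamp, src, dst, dst_port, dst_name (or '-')
SAMPLE_LOG = """\
2017-05-09T10:00:01 203.0.113.5 192.0.2.10 81 -
2017-05-09T10:00:04 192.0.2.10 198.51.100.7 80 download.example
2017-05-09T10:00:09 192.0.2.10 198.51.100.9 80 c2.example.ir
2017-05-09T10:05:00 192.0.2.11 198.51.100.20 443 ntp.example
2017-05-09T10:06:00 203.0.113.8 192.0.2.12 81 -
"""

CAMERA_SUBNET = "192.0.2."      # constructed: the LAN range holding the IP cameras
WINDOW = timedelta(minutes=5)   # how soon after the port-81 hit outbound traffic counts


def parse_log(text):
    """Turn the space-separated log into (timestamp, src, dst, port, name) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, name = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(port), name))
    return events


def find_suspect_cameras(events):
    """Return {camera_ip: verdict} for every camera that received an inbound
    connection on TCP/81 from outside the camera subnet.

    verdict keys:
      exposed_port_81      - an external host reached the camera's port 81
      outbound_after_login - the camera opened outbound connections within WINDOW
      ir_destination       - one of those connections went to a .ir host
    """
    inbound81 = defaultdict(list)   # camera -> timestamps of external port-81 hits
    outbound = defaultdict(list)    # camera -> (ts, dst, port, name) leaving the subnet
    for ts, src, dst, port, name in events:
        if dst.startswith(CAMERA_SUBNET) and port == 81 and not src.startswith(CAMERA_SUBNET):
            inbound81[dst].append(ts)
        elif src.startswith(CAMERA_SUBNET) and not dst.startswith(CAMERA_SUBNET):
            outbound[src].append((ts, dst, port, name))

    findings = {}
    for cam, hits in inbound81.items():
        verdict = {"exposed_port_81": True,
                   "outbound_after_login": False,
                   "ir_destination": False}
        for t0 in hits:
            later = [o for o in outbound[cam] if t0 <= o[0] <= t0 + WINDOW]
            if later:
                verdict["outbound_after_login"] = True
            if any(o[3].lower().endswith(".ir") for o in later):
                verdict["ir_destination"] = True
        findings[cam] = verdict
    return findings


if __name__ == "__main__":
    for cam, verdict in find_suspect_cameras(parse_log(SAMPLE_LOG)).items():
        print(cam, verdict)
```

On the constructed sample, 192.0.2.10 shows the full chain (port 81 reached from outside, outbound connections within the window, one of them to a .ir host), 192.0.2.12 is only exposed on port 81, and 192.0.2.11 is not reported because nothing reached its port 81. In practice the "exposed" finding alone is the actionable one, since the article notes that a reboot clears the running malware but reopens the vulnerability, so the fix is to stop exposing port 81 and to apply the manufacturer's firmware patch where one exists.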
The zero-day vulnerability was discovered back in early March by security researcher Pierre Kim. At the time he counted 1,250 affected camera models and 185,000 vulnerable cameras. Trend Micro states that, according to the manufacturer, a firmware update with a patch should be available for a camera its researchers tested. However, the camera reported that the latest firmware was already installed.
[With material from Danny Palmer, ZDNet.com]