The Reigning King of IP Camera Botnets and its Challengers

By Kenney Lu, Tim Yeh and Dove Chiu (Threats Analysts)

Early this month we discussed a new Internet of Things (IoT) botnet called Persirai (detected by Trend Micro as ELF_PERSIRAI.A), which targets over 1000 Internet Protocol (IP) camera models. Currently, through Shodan and our own research, we see that 64% of tracked IP cameras with custom http servers are infected with Persirai. But, because these cameras are such common targets, there is some competition between malware.

We find that there are four different malware families which all focus on IP cameras. Each one has its own unique features, but since the pool of targets is finite they all compete for territory and build defenses to block rival malware.

Name Attac-king since First Seen Self
Defense
Propagation
Methods
Special
Features
Main Target
TCP Port
Persirai 2017/04 2017 Yes SSDP
Web
>Spread by SSDP vulnerability in LAN

>Built-in Webcam exploits function

81
DvrHelper 2017/03 2016 No Telnet

Web

> The same as Mirai function.

> Layer7 DDOS (1)

80
Mirai 2017/02 2016 No Telnet

Web

Others (2)

>DDoS Type:

GRE IP/GRE ETH/SYN/ACK/STOMP/DNS/UDP

81
TheMoon 2017/02 2014 Yes Telnet

Web (Include Linksys)
SOAP RCE

Asus.infosrv.UDP

>P2P Communication (Multi C&C)

>External Socks5 Module

>Support Plug-In

80
Note:
(1) Layer 7 DDoS was copied from existing Python script
(2) Mirai variants spread through multiple methods

Figure 1. Overview of IP camera malware families

Persirai

In the aftermath of 2016 (the year of record breaking distributed denial-of-service (DDoS) attacks from compromised IoT), the authors of Persirai had the benefit of seeing what worked for older malware families and finding new strategies to infect their targets. Our post in early May already detailed the inner workings of Persirai, including the infection flow.

One interesting feature of Persirai is that when it compromises an IP camera, that camera will start attacking others by exploiting three known vulnerabilities:

  • Vulnerabilities in a custom http server provider:
    1. login.cgi – allows attackers to bypass authentication and get the admin password
    2. set_ftp.cgi – when the attacker knows the admin password, he can use this for command injections and malware deployment
  • CVE-2014-8361– this vulnerability allows remote attackers to execute arbitrary code via a crafted New Internal Client request.

Through these vulnerabilities, the attacker will be able to get users’ passwords, and can deploy command injections regardless of password strength.

Mirai

Before Persirai surfaced, news outlets and the cybersecurity industry were already talking about the DDoS capabilities of botnets thanks to the most infamous malware of the group: Mirai (identified by Trend Micro as ELF_MIRAI family). First seen in August 2016, Mirai made global headlines last year when it successful launched the largest DDOS attacks in history. The problem only worsened when the developers published Mirai’s source code in October 2016, letting anyone modify and create new variants. It is no surprise that the malware family is joining the fight and targeting IP cameras, even claiming some victims in Russia.

Recently, we’ve seen that Mirai is widening its distribution capabilities through a Windows Trojan that scans for more ports than previous versions. It checks if the following ports are open: 22 (SSH), 23 (Telnet), 135 (DCE/RPC), 445 (Active Directory), 1433 (MSSQL), 3306 (MySQL) and 3389 (RDP).

DvrHelper

A newer version of Mirai, DvrHelper (detected by Trend Micro as ELF_MIRAI.AU ) also learned from its predecessor. Since Mirai triggered such a response from companies and industries all over the world, DDoS prevention solutions have been surfacing. To match the increase in security, DvrHelper has eight more DDoS attack modules. It is also the first malware designed to bypass an anti-DDoS solution.

Specifically, DvrHelper has two methods that can bypass DDoS defense from one particular content delivery network that also provides DDoS prevention services.

The first method targets anti-bot techniques and takes advantage of the challenge-response policies of the provider:

Figure 2. This method bypasses the provider’s anti-bot

Figure 2. This method bypasses the provider’s anti-bot

The process is as follows:

1) Bot sends a request to target’s website and gets a challenge request in JavaScript.
2) Embedded JavaScript code is extracted and sent to the command and control (C&C) server. The C&C server will execute JavaScript code and respond with a result (answer).
3) The answer and other information are combined and a response request is sent to the DDoS protection provider to get a valid cookie and user-agent for the following DDOS attack

This method has been on the Python library since 2014. However, the embedded JavaScript code was executed on the client side since IoT devices were too weak to execute JavaScript code locally. In this case, the developers designed the architecture and executed remotely.

The second method uses a shared “Google reCAPTCHA response” token:

Figure 3. How it attempts to bypass the provider’s Google reCAPTCHA

Figure 3. How it attempts to bypass the provider’s Google reCAPTCHA

1) Bot sends a request to the C&C URL and gets a valid (shared) Google reCAPTCHA response token.
2) Bot sends a request with the token to the validator URL and gets a valid cookie, __cfduid (used by the provider to override any security restrictions based on the IP address the visitor is coming from) and cf_clearance (if this cookie is present in requests, further challenges are bypassed). With the information, the bot attempts to bypass DDOS protection.

Also, on comparing the latest version of DvrHelper’s C&C server we found that the early hardcoded C&C server (110[.]173[.]49[.]74) was replaced by the hostname jbeupq84v7[.]2y[.]net. VirusTotal only has a passive DNS record of this, and currently the A record for DNS is removed.

Figure 4. VirusTotal showing a passive DNS record for the domain

Figure 4. VirusTotal showing a passive DNS record for the domain

TheMoon

Finally, TheMoon (detected by Trend Micro as ELF_THEMOON.B) is the oldest malware targeting IoT devices. The family was first discovered by SANS ICS in 2014 and it continues to upgrade attack methods and target new vulnerabilities.

When we compared a newer version with an older variant, we noted that the C&C server port was changed. Also, in the later versions a specific binary focuses on a specific vulnerability, and there are new iptables rules.

Figure 4. VirusTotal showing a passive DNS record for the domain

Figure 5. New Iptables rules for The Moon malware

As the above figure shows, when the infection is done, iptables rules will be imported to the infected device. Through these rules, a wall is built by TheMoon to prevent other malware from infecting the device. The rules are different from each binary.

> .nttpd,17-arm-le-t1

INPUT -p tcp –dport 23 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

 

> .nttpd,17-mips-be-t2

INPUT -p tcp -m multiport –dport 80,8080,7547 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

 

> .nttpd,18-arm-le-t1

INPUT -p tcp –dport 23 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

 

> .nttpd,19-mips-le-t1

INPUT -p udp –dport 9999 -j DROP

INPUT -p tcp -m multiport –dport 80,8080 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

 

>.nttpd,port4444

INPUT -p tcp –dport 8080 -j DROP

INPUT -p tcp –dport 443 -j DROP

INPUT -p tcp –dport 80 -j DROP

INPUT -p tcp –dport 23 -j DROP

INPUT -p tcp –dport 22 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

 

>.nttpd,port4446

INPUT -p tcp –dport 8080 -j DROP

INPUT -p tcp –dport 443 -j DROP

INPUT -p tcp –dport 80 -j DROP

INPUT -p tcp –dport 23 -j DROP

INPUT -p tcp –dport 22 -j DROP

INPUT -s 46.148.18.0/24 -j ACCEPT

INPUT -s 185.56.30.0/24 -j ACCEPT

INPUT -s 217.79.182.0/24 -j ACCEPT

INPUT -s 85.114.135.0/24 -j ACCEPT

INPUT -s 95.213.143.0/24 -j ACCEPT

INPUT -s 185.53.8.0/24 -j ACCEPT

Figure 6. Target ports for TheMoon malware

Based on rules, we know its target ports include TCP/22 (SSH Remote Login Protocol), TCP/23 (Telnet), TCP/80 (HTTP), TCP/443 (HTTP over SSL/TLS), TCP/7547 (CPE WAN Management Protocol), TCP/8080 (alternative port for HTTP) and UDP/9999 (ASUS Router Infosrv). Each port is mapped to a specific device and vulnerability, with the main target being IP cameras.

When the infection is done, the installation script will be replaced with a string “ne kemi mbaruar!” which is “We’re done!” in Albanian.

The impact and distribution

Figure 6. Infection rate for IP cameras with custom http servers (US and Japan)

Figure 7. Infection rate for IP cameras with custom http servers (US and Japan)

Based on Shodan and our own research, we see that a little more than half of tracked IP cameras in the United States were infected by one of the four malware families discussed above. In Japan the number is even higher—64.85% of cameras are infected.

Figure 7. Distribution of infection of the four families (data for US, Japan, Taiwan, Korea only)

Figure 8. Distribution of infection of the four families (data for US, Japan, Taiwan, Korea only)

Looking at the data of infected devices from the United States, Japan, Taiwan and Korea, we see that Persirai is the clear frontrunner. However, the landscape is constantly changing and many vulnerable IP cameras are still exposed to the internet. With the success of these four families, other developers might be releasing their own IP camera-targeting malware and the results could be completely different very soon.

Recommendations and solutions

Many of these attacks are caused by a simple issue: the use of default passwords in the device interface. As soon as possible, IP camera users should change their passwords and follow best practices for creating a strong password—use at least 15 characters, with both uppercase and lowercase letters, numbers, and special characters.

But as proven by Persirai, a strong password is just the first step—it does not guarantee device security. IP camera owners should also disable Universal Plug and Play on their routers to prevent devices within the network from opening ports to the external Internet without any warning.

This issue of IP camera security is not just a concern for users. Vendors should also shoulder some of the responsibility and make sure their devices are secure and always updated. In line with this, users should take steps and always update their devices with the latest firmware to minimize the chance of vulnerability exploits.

In addition to the best practices mentioned above, users can look into solutions such as Trend Micro™ Security and Trend Micro Internet Security, which offer effective protection for threat’s to IoT devices using security features that can detect malware at the endpoint level. Connected devices are protected by security solutions such as Trend Micro Home Network Security, which can check internet traffic between the router and all connected devices. In addition, enterprises can monitor all ports and network protocols to detect advanced threats and protect from targeted attacks via Trend Micro™ Deep Discovery™ Inspector.

For more information about the IP camera models that are affected by these malware families, please see this link. And a list of Indicators of Compromise (IoCs) comprised of related hashes (SHA256) and malicious domains can be found in this appendix.

Post from: Trendlabs Security Intelligence Blog – by Trend Micro

The Reigning King of IP Camera Botnets and its Challengers

Read more: The Reigning King of IP Camera Botnets and its Challengers

Story added 8. June 2017, content source with full text you can find at link above.