Recently Johannes Ullrich from SANS Technology Institute discovered some
strange traffic on a research host: a Hikvision DVR VCRs scanning for port
5000. Each infected device was searching for vulnerable devices in order to
send information to the host IP address 162.219.57.8.
To be exact, Hikvision DVRs were specially
designed to record video from surveillance cameras.
Ullrich has managed to find out who was responsible for the spyware. One
of them was a Bitcoin miner, D72BNr. Another one was mzkk8g, who appeared to be
an http agent.
“The malware resides in /dev/cmd.so . A number of additional suspect files where located in
the /dev directory which we still need to recover/analyze from the test system.
The
DVR was likely compromised via an exposed telnet port and a default root
password (12345)”, said Ullrich.
Earlier this year we reported that many Yahoo users in Europe had their computers infected in a massive
attack but the fact that VCRs could be used as an infection tool is quite
unexpected.
“Analysis of the malware is still ongoing, and
any help is appreciated” added
Ullrich.
Initial findings have shown:
- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000.