Recently Johannes Ullrich from SANS Technology Institute discovered somestrange traffic on a research host: a Hikvision DVR VCRs scanning for port5000. Each infected device was searching for vulnerable devices in order tosend information to the host IP address 162.219.57.8.
To be exact, Hikvision DVRs were speciallydesigned to record video from surveillance cameras.
Ullrich has managed to find out who was responsible for the spyware. Oneof them was a Bitcoin miner, D72BNr. Another one was mzkk8g, who appeared to bean http agent.
“The malware resides in /dev/cmd.so . A number of additional suspect files where located inthe /dev directory which we still need to recover/analyze from the test system.TheDVR was likely compromised via an exposed telnet port and a default rootpassword (12345)”, said Ullrich.
Earlier this year we reported that many Yahoo users in Europe had their computers infected in a massiveattack but the fact that VCRs could be used as an infection tool is quiteunexpected.
“Analysis of the malware is still ongoing, andany help is appreciated” addedUllrich.
Initial findings have shown:
- The malware is an ARM binary, indicating thatit is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposedon port 5000.