IoT Malware Threat Presents New Destructive Behavior In DVRs


  Security researchers have identified a threat that has evolved to the point where it is destructive in nature and forms a botnet. It differs from many threats in that it does not target Microsoft Windows systems; instead it infects the Linux-based systems that many IoT devices, such as CCTV DVRs, run on. Palo Alto Networks discovered this malware only recently, yet it exploits a remote code execution vulnerability that was originally disclosed a year ago. Much of the problem lies in the fact that this vulnerability has been patched by neither the manufacturer nor any of the roughly 70 vendors known to rebrand these DVRs to date. Given that this threat (named Amnesia by Palo Alto Networks) can detect when it is running inside a Linux virtual machine and wipe critical files there, it is clear that this IoT malware presents new destructive behavior in the DVR threat landscape.
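As an added illustration (this is not code from the SiteLock post, from Palo Alto's report, or from the malware itself), the following shell function shows the kind of virtual machine check that Linux malware of this class performs before deciding whether to misbehave: it reads the DMI product and vendor strings that hypervisors expose under /sys/class/dmi/id and matches them against common hypervisor names. The marker strings, the sysfs path and the helper that fabricates a DMI directory for testing are assumptions for this example; the post does not say which indicators Amnesia actually looks for. An analyst can run it inside a sandbox to see whether that VM advertises itself.

```shell
#!/bin/sh
# Added example (not from the SiteLock post, the Palo Alto report or the malware):
# the kind of virtual-machine check an anti-analysis payload runs before it
# decides whether to misbehave. Hypervisors expose their identity in the DMI
# strings under /sys/class/dmi/id; the marker strings below are an assumption
# based on common hypervisor names, not a list taken from Amnesia.

# Print which hypervisor family the DMI strings under $1 (default
# /sys/class/dmi/id) point to, or "none" when no marker is present. Devices
# without DMI, such as most ARM-based DVRs, simply yield "none".
dmi_virt_vendor() {
    dmidir="${1:-/sys/class/dmi/id}"
    product=$(cat "$dmidir/product_name" 2>/dev/null || true)
    vendor=$(cat "$dmidir/sys_vendor" 2>/dev/null || true)
    markers=$(printf '%s %s' "$product" "$vendor" | tr '[:upper:]' '[:lower:]')
    case "$markers" in
        *virtualbox*|*innotek*) echo virtualbox ;;
        *vmware*)               echo vmware ;;
        *qemu*|*kvm*)           echo qemu-kvm ;;
        *)                      echo none ;;
    esac
}

# Build a fake DMI directory holding constructed product/vendor strings, so the
# check can be exercised on any machine (the files on a real host are read-only).
make_fake_dmi() {
    dir=$(mktemp -d)
    printf '%s\n' "$1" > "$dir/product_name"
    printf '%s\n' "$2" > "$dir/sys_vendor"
    echo "$dir"
}

# Run against the current host: an analyst whose sandbox prints anything but
# "none" here knows a wiper of this class would trigger inside it.
echo "this host looks like: $(dmi_virt_vendor)"
```

The practical consequence for defenders is the inverse of the check: a sandbox that must survive samples like this one needs to present non-hypervisor DMI strings (or, better, detonate the sample on real hardware it can reimage), because the malware's decision is made before any network behavior is observed.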


  Palo Alto Networks is not the only research entity pursuing threats like Amnesia; its report in fact links to work by Rotem Kerner, who has done security vulnerability research for many years. It was Kerner who initially identified and disclosed the remote code execution vulnerability in March 2016, including the fact that the affected DVRs are manufactured by a Chinese company named TVT. Kerner also determined that some 70 rebranded versions of these DVRs all share the same vulnerability. Palo Alto has since found roughly 227,000 affected devices in total. That is a disturbing number, especially considering that the primary targets of this malware are retailers who use CCTV and DVRs to store recorded security video. The worrying scenario is obvious: get into the DVR and destroy the recorded evidence, and old-fashioned criminal activity gets a fresh start.


  Parts of this remote code execution vulnerability have been known for some time, but pairing it with the ability to detect that it is running inside a Linux virtual machine and to wipe that machine's contents makes this new malware disturbing on many levels. TVT has evidently taken no steps to patch the vulnerability, and the vendors who rebrand these IoT devices are unlikely to do so either. That leaves mitigation to the individual end users, who likely range from large corporations to small corner stores. Short of hiring someone with the coding expertise to modify the firmware, the only practical way to deal with it is to restrict network access to the DVR in question so that only known IP addresses can reach it, which in particular means it must not be reachable from the open Internet. Please see the links below for Palo Alto's report from last month and Rotem Kerner's report from March 2016, including the list of the 70 rebranding vendors.
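Since the DVR firmware itself cannot be fixed by its owner, the access restriction described above has to be enforced in front of the device. The following shell script, an added example that is not part of the SiteLock post or of either linked report, generates an iptables-restore ruleset for a Linux gateway that forwards traffic to the DVR: allowlisted source networks may reach the DVR's service ports, and everything else destined for the DVR is logged and dropped. The DVR address, the example networks (RFC 5737 documentation ranges) and the default ports are assumptions; set DVR_PORTS to whatever your particular DVR listens on.

```shell
#!/bin/sh
# Added example, not from the SiteLock post or from either linked report: a
# Linux gateway firewall policy implementing the mitigation above, i.e. only
# known addresses may reach the DVR. The DVR address, the management networks
# and the protected ports are assumptions for the demo; set DVR_PORTS to the
# ports your particular DVR actually listens on.

# TCP ports on the DVR that must be reachable only from the allowlist
# (assumed: web interface on 80, RTSP video on 554).
DVR_PORTS="${DVR_PORTS:-80 554}"

# dvr_ruleset DVR_IP ALLOWED_CIDR...
# Emit an iptables-restore "filter" table for a gateway that forwards traffic to
# the DVR: established flows and the allowlisted sources pass, everything else
# aimed at the DVR is logged and dropped, and unrelated forwarding is untouched.
dvr_ruleset() {
    dvr="$1"; shift
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD ACCEPT [0:0]'
    # replies for flows the DVR (or an allowed client) already opened
    printf '%s\n' "-A FORWARD -d $dvr -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for src in "$@"; do
        for port in $DVR_PORTS; do
            printf '%s\n' "-A FORWARD -d $dvr -s $src -p tcp --dport $port -j ACCEPT"
        done
    done
    # anyone else, including the open Internet, gets logged and then dropped
    printf '%s\n' "-A FORWARD -d $dvr -j LOG --log-prefix \"dvr-denied: \""
    printf '%s\n' "-A FORWARD -d $dvr -j DROP"
    printf '%s\n' 'COMMIT'
}

# Usage on a dedicated gateway (as root):
#   sh dvr_allowlist.sh 192.0.2.50 203.0.113.0/24 198.51.100.7 | iptables-restore
# With arguments the script prints the ruleset; with none it only defines the
# function, so it can be sourced or tested.
if [ "$#" -ge 2 ]; then
    dvr_ruleset "$@"
fi
```

The output is a complete filter table, which is right for a gateway dedicated to the camera network; on a box that already carries other rules, splice only the -A lines into the existing policy. Equally important, and not something a ruleset can express: remove any router port-forward or UPnP mapping that exposes the DVR to the Internet, since the 227,000 devices counted above were found precisely because they were reachable that way.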


Palo Alto Amnesia Report


Rotem Kerner's TVT Report


SiteLock