June 12, 2017
Adeel Khan (17 articles)


The Persirai backdoor allows more than 1000 IP camera models to be easily exploited and more than 120,000 devices are vulnerable to this backdoor. The backdoor was first discovered in the late 2016 after being involved in multiple high-profile DDOS attacks.

IP cameras typically use the Universal Plug and Play (UPnP) protocol allowing devices to open a port on the router and act as a server thus making them a highly visible target for IoT malware. The attacker can perform multiple command injections allowing the device to connect to a site and download and execute malicious shell scripts.

After the backdoor is executed, it tends to delete itself and run only in the memory. And it also makes sure that it blocks the zero-day exploit thus preventing other attackers to get control over the same device.

Trend Micro has determined that more than 64 percent of the total number of 3,675 compromised devices are in United States, Japan, Taiwan and South Korea. The company also confirms that more than three other malware’s are affecting the IP cameras such as Mirai, DrvHelper and TheMoon.

Mirai is responsible for hijacking devices all over the world and most of these devices are situated in United States, Japan, Taiwan and South Korea and is also responsible for more than a quarter of infections. The source code of Mirai is also made available publicly. The malware can also attack devices that have the latest firmware versions and abuses password-stealing vulnerability thus cannot be slowed down by password protected devices.

DvrHelper, on the other hand, is the advanced version of Mirai although it’s based on it. The attackers have configured the malware with some fascinating features such as additional DDOS modules and a mechanism for bypassing anti-bot solutions, including JavaScript-based challenges and Googles reCAPTCHA system.

DvrHelper and TheMoon are responsible for 6.8 percent and 1.4 percent infections in the U.S and East Asian countries.

The malware resides in the memory and since the changes are not persistent thus the malware can be removed after the device restarts but can be attacked again.

Sources: http://www.securityweek.com/thousands-ip-cameras-hijacked-persirai-other-iot-botnets