Trend Micro discovers Persirai, a new Internet of Things botnet that targets IP cameras


A new Internet of Things (IoT) botnet called Persirai has been detected by security firm Trend Micro as ELF_PERSIRAI.A, and it has been discovered targeting over 1,000 Internet Protocol (IP) camera models based on various Original Equipment Manufacturer (OEM) products. This development comes on the heels of Mirai—an open-source backdoor malware that caused some of the most notable incidents of 2016 via Distributed Denial-of-Service (DDoS) attacks that compromised IoT devices such as Digital Video Recorders (DVRs) and CCTV cameras—as well as the Hajime botnet.

The firm further detected approximately 120,000 IP cameras that are vulnerable to ELF_PERSIRAI.A via Shodan. Many of these vulnerable users are unaware that their IP xameras are exposed to the internet.

IP cameras use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware. After logging into the vulnerable interface, the attacker can perform a command injection to force the IP camera to connect to a download site, which will respond with certain commands that will download and execute malicious shell script from the domain ntp.gtpnet.ir. 

After the samples are downloaded and executed, the malware deletes itself and will only run in memory.  It will also block the zero-day exploit by pointing ftpupdate.sh and ftpupload.sh to /dev/null to prevent other attackers from targeting the victim’s IP Camera. However, once the camera is rebooted, it will again be vulnerable to the exploit.

After receiving commands from the server, the IP Camera will then start automatically attacking other IP Cameras by exploiting a zero-day vulnerability that was made public a few months ago. Attackers exploiting this vulnerability will be able to get the password file from the user, providing them the means to do command injections regardless of password strength.

The IP Camera will then receive a command from the C&C server, instructing it to perform a DDoS attack on other computers via User Datagram Protocol (UDP) floods. Notably, Persirai can perform User Datagram Protocol (UDP) DDoS attack with SSDP packets without spoofing IP address. C&C servers discovered by Trend Micro were found to be using the .IR country code. This specific country code is managed by an Iranian research institute which restricts it to Iranians only. “We also found some special Persian characters which the malware author used,” wrote a Trend Micro executive in a company blog post.

Aside from being the first malware that brought IoT security into the limelight, we also noted how Mirai’s open-source nature gave it the potential to act as the core template upon which future IoT-centric malware will be built upon.

 As the Internet of Things gains traction with ordinary users, cybercriminals may choose to move away from Network Time Protocol (NTP) and Domain Name System (DNS) servers for DDoS attacks, instead concentrating on vulnerable devices—an issue compounded by users that practice lax security measures.

A large number of these attacks were caused by the use of the default password in the device interface. Thus, users should change their default password as soon as possible and use a strong password for their devices.

However, as seen in the presence of the password-stealing vulnerability mentioned above, a strong password alone does not guarantee device security.

IP camera owners should also implement other steps to ensure that their devices are protected from external attacks. In addition to using a strong password, users should also disable UPnP on their routers to prevent devices within the network from opening ports to the external Internet without any warning.

The burden of IoT security does not rest on the user alone—it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits.

Another security firm, Kaspersky Lab published last month results of its investigation into the activity of Hajime, an Internet of Things (IoT) malware that is building an enormous peer-to-peer botnet. Although the end goal remains unknown, the botnet has been propagating extensively, currently including almost 300,000 malware-compromised devices that can be used at the malware author’s disposal, without the victim’s knowledge.

As an advanced and stealthy family, it uses different techniques – mainly brute-force attacks on device passwords – to infect devices, and then takes a number of steps to conceal itself from the compromised victim. Hajime is continuously evolving, adding and removing features over time.

With the addition of the new attack vector, it would make sense to improve the architecture detection logic. This is because Hajime doesn’t attack any specific type of device, but rather any device on the Internet with the exception of several networks. This is exactly what they did, though strangely enough this only holds for the Telnet attack.

Leave a Reply

IoT Innovator

IoT Innovator