In order to start Bitcoin mining, people must first scale up their
hardware and computing power. But have
you ever thought about some of the lengths some people go to increase their
Bitcoin mining capcity? Apparently, some miners have taken an unusual approach
to resolve this problem.
Recently Johannes Ullrich from SANS Technology Institute discovered some
strange traffic on a research host: a Hikvision DVR VCRs scanning for port
5000. Each infected device was searching for vulnerable devices in order to
send information to the host IP address 220.127.116.11.
To be exact, Hikvision DVRs were specially
designed to record video from surveillance cameras.
Ullrich has managed to find out who was responsible for the spyware. One
of them was a Bitcoin miner, D72BNr. Another one was mzkk8g, who appeared to be
an http agent.
“The malware resides in /dev/cmd.so . A number of additional suspect files where located in
the /dev directory which we still need to recover/analyze from the test system.
DVR was likely compromised via an exposed telnet port and a default root
password (12345)”, said Ullrich.
“Analysis of the malware is still ongoing, and
any help is appreciated” added
Initial findings have shown:
- The malware is an ARM binary, indicating that
it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed
on port 5000.
You can download the malware here (password: infected).