- The malware is an ARM binary, indicating thatit is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposedon port 5000.
APR 05, 2014
Crazy Miners and Wild VCRs
In order to start Bitcoin mining, people must first scale up their hardware and computing power. But have you ever thought about some of the lengths some people go to increase their Bitcoin mining capcity?
48 Total views
0 Total shares
In order to start Bitcoin mining, people must first scale up theirhardware and computing power. But haveyou ever thought about some of the lengths some people go to increase theirBitcoin mining capcity? Apparently, some miners have taken an unusual approachto resolve this problem.
Recently Johannes Ullrich from SANS Technology Institute discovered somestrange traffic on a research host: a Hikvision DVR VCRs scanning for port5000. Each infected device was searching for vulnerable devices in order tosend information to the host IP address 184.108.40.206.
To be exact, Hikvision DVRs were speciallydesigned to record video from surveillance cameras.
Ullrich has managed to find out who was responsible for the spyware. Oneof them was a Bitcoin miner, D72BNr. Another one was mzkk8g, who appeared to bean http agent.
“The malware resides in /dev/cmd.so . A number of additional suspect files where located inthe /dev directory which we still need to recover/analyze from the test system.TheDVR was likely compromised via an exposed telnet port and a default rootpassword (12345)”, said Ullrich.
Earlier this year we reported that many Yahoo users in Europe had their computers infected in a massiveattack but the fact that VCRs could be used as an infection tool is quiteunexpected.
“Analysis of the malware is still ongoing, andany help is appreciated” addedUllrich.
Initial findings have shown:
You can download the malware here (password: infected).