Recently Johannes Ullrich from SANS Technology Institute discovered some strange traffic on a research host: a Hikvision DVR VCRs scanning for port 5000. Each infected device was searching for vulnerable devices in order to send information to the host IP address 126.96.36.199.
To be exact, Hikvision DVRs were specially designed to record video from surveillance cameras.
Ullrich has managed to find out who was responsible for the spyware. One of them was a Bitcoin miner, D72BNr. Another one was mzkk8g, who appeared to be an http agent.
“The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover/analyze from the test system. The DVR was likely compromised via an exposed telnet port and a default root password (12345)”, said Ullrich.
Earlier this year we reported that many Yahoo users in Europe had their computers infected in a massive attack but the fact that VCRs could be used as an infection tool is quite unexpected.
“Analysis of the malware is still ongoing, and any help is appreciated” added Ullrich.
Initial findings have shown:
- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000.
You can download the malware here (password: infected).