New Persirai IoT Botnet Emerges

10.5.2017 securityweek IoT
Around 120,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products are vulnerable to a newly discovered Internet of Things (IoT) botnet, Trend Micro warns.

Dubbed Persirai, the new botnet’s development comes on the heels of Mirai, the IoT malware that became highly popular in late 2016, after being involved in multiple high-profile distributed denial of service (DDoS) attacks. Similar to the recent Hajime botnet, Mirai mainly targets Digital Video Recorders (DVRs) and CCTV cameras.

According to Trend Micro, the newly discovered Persirai is targeting over 1,000 IP Camera models, with most users unaware that their devices are exposed to Internet-based attacks. As a result, the researchers argue, attackers can easily gain access to the devices’ web-based interfaces via TCP Port 81.

Because IP Cameras typically use the Universal Plug and Play (UPnP) protocol, which allows devices to open a port on the router and act like a server, they are highly visible targets for IoT malware. By accessing the vulnerable interface of these devices, an attacker can perform command injections to force the device to connect to a site, and download and execute malicious shell scripts.

After Persirai has been executed on the vulnerable device, the malware deletes itself from disk and continues to run only in memory. Further, it blocks the zero-day exploit it uses to prevent other attackers from hitting the same IP Camera. Because the malicious code runs only in memory, however, a reboot renders the device vulnerable to the exploit once again.

Affected IP Cameras were observed reporting to several command and control (C&C) servers (load.gtpnet.ir, ntp.gtpnet.ir, 185.62.189[.]232, and 95.85.38[.]103). Upon receiving commands from the server, infected devices automatically start attacking other IP Cameras by exploiting a public zero-day vulnerability, which allows attackers to get the password file from the user and perform command injections.

The botnet can launch DDoS attacks via User Datagram Protocol (UDP) floods and can perform these attacks with SSDP packets without spoofing the IP address.
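As an added defender-side example (not from the SecurityWeek article or from Trend Micro), the following Python checks a simplified, constructed firewall/DNS log for the two behaviours the write-up describes: cameras contacting the listed C&C hosts, and a single internal host spraying UDP/1900 (SSDP) packets at many external addresses. The log line format, the flood threshold and the sample lines are assumptions.

```python
import re
from collections import defaultdict

# Indicators named in the write-up: C&C hosts the infected cameras were seen contacting.
CNC_DOMAINS = {"load.gtpnet.ir", "ntp.gtpnet.ir"}
CNC_IPS = {"185.62.189.232", "95.85.38.103"}
SSDP_PORT = 1900           # SSDP runs over UDP/1900; the botnet floods with SSDP packets
SSDP_FLOOD_THRESHOLD = 50  # assumed: distinct external targets per source before flagging a flood

# Assumed (constructed) log format: "<ts> proto=<p> src=<ip>:<port> dst=<ip>:<port> [qname=<name>]"
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+)(?: qname=(?P<qname>\S+))?"
)

def scan_log(lines):
    """Return {finding_type: [source_ip, ...]} for lines matching the assumed format."""
    findings = defaultdict(list)
    ssdp_targets = defaultdict(set)   # source -> set of distinct UDP/1900 destinations
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                  # unparsable line: skip rather than guess
        f = m.groupdict()
        qname = (f["qname"] or "").rstrip(".")   # DNS names may be logged with a trailing dot
        # 1. Beaconing to a known C&C address, or resolving a C&C hostname
        if f["dst"] in CNC_IPS or qname in CNC_DOMAINS:
            findings["cnc_contact"].append(f["src"])
        # 2. Outbound UDP/1900 fan-out from one host: consistent with an SSDP flood
        if f["proto"] == "udp" and int(f["dport"]) == SSDP_PORT:
            ssdp_targets[f["src"]].add(f["dst"])
    for src, targets in ssdp_targets.items():
        if len(targets) >= SSDP_FLOOD_THRESHOLD:
            findings["ssdp_flood"].append(src)
    return dict(findings)

# Constructed sample log (documentation address ranges), not a real capture.
SAMPLE_LOG = [
    "2017-05-10T09:00:01 proto=udp src=192.168.1.50:40001 dst=192.168.1.1:53 qname=load.gtpnet.ir.",
    "2017-05-10T09:00:02 proto=tcp src=192.168.1.50:40002 dst=185.62.189.232:80",
    "2017-05-10T09:00:03 proto=tcp src=192.168.1.20:40003 dst=198.51.100.7:443",
] + [
    f"2017-05-10T09:01:{i % 60:02d} proto=udp src=192.168.1.50:1900 dst=203.0.113.{i}:1900"
    for i in range(1, 61)
]

if __name__ == "__main__":
    for kind, sources in scan_log(SAMPLE_LOG).items():
        print(kind, sorted(set(sources)))
```

A camera that appears under either finding is a candidate for isolation and a firmware check; note that a reboot alone clears the in-memory payload but, as the article says, leaves the device exposed to reinfection.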

The security researchers managed to link the botnet to C&C servers that were using the .IR country code, which is managed by an Iranian research institute and is restricted to Iranians only. Furthermore, the malware’s code contains some special Persian characters.

Persirai appears to be built on Mirai’s source code, which was made publicly available in October last year. The malware targets even devices with the latest firmware versions installed, and can’t be slowed by the use of strong passwords because it abuses a password-stealing vulnerability. Thus, IP Camera owners should implement other security steps to ensure their devices are protected.

“The burden of IoT security does not rest on the user alone—it’s also dependent on the vendors themselves, as they should be the ones responsible for making sure that their devices are secure and always updated. In line with this, users should make sure that their devices are always updated with the latest firmware to minimize the chance of vulnerability exploits,” Trend Micro notes.