Amnesia malware turns DVRs into botnet slaves

IT security researchers have uncovered a new strain of malware that targets digital video recorders (DVRs), turning them into botnet slaves.

According to a blog post from IT security company Palo Alto Networks, a new variant of the IoT/Linux botnet Tsunami, which it calls Amnesia, targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in DVR devices manufactured by TVT Digital and branded by over 70 vendors worldwide.

This vulnerability affects approximately 227,000 devices around the world with Taiwan, the US, Israel, Turkey, and India being the most exposed.

Virtual machine evasion

Researchers believe that the malware is one of the first to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. If it detects a virtual machine, it will wipe the virtualized Linux system by deleting all the files in the file system.

Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems.

“A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall 2016,” write the researchers.


Lack of response

Palo Alto Network’s researchers said that even though this vulnerability was originally disclosed way back in March 2016, they have been unable to find updates that fix it, despite their best efforts.

“While the Amnesia botnet hasn’t yet been used to mount large-scale attacks, the Mirai botnet attacks show the potential harm large-scale IoT-based botnets can cause,” said the researchers.

Palo Alto Networks said that, in the case of Amnesia, because the malware relies on hard-coded C2 addresses, preventing another Mirai-type attack is possible if these addresses are blocked as broadly and as quickly as possible.

Cris Thomas, strategist at IT security company Tenable Network Security, told Internet of Business that ensuring security is built into these devices early on is critical; however, the challenge for device manufacturers is balancing speed, cost and quality.

“Both consumer and enterprise buyers want the best quality, and they want it now. To meet those demands, manufacturers must streamline the development process, and oftentimes, this includes reusing technologies, or not building security into the product in the first place. Consequently, defects are passed down from one generation to the next,” he said.



Amnesia is yet another IoT botnet – targets global DVRs

As expected, yet another IoT botnet has reared its ugly head. Discovered by Palo Alto Networks’ specialist Unit 42 security researchers, the new variant of the ‘Tsunami’ IoT/Linux botnet exploits an unpatched remote code execution vulnerability in DVR devices that was publicly disclosed over a year ago.

The affected DVRs are made by TVT Digital but branded and distributed by over 70 vendors around the world. Palo Alto Networks estimates the vulnerability affects approximately 227,000 devices around the globe, based on its scans. Consumers in Taiwan, the United States, Israel, Turkey, and India are the most exposed.

Unit 42 has named the variant ‘Amnesia’ and believes it is the first Linux-based malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. This technique is typically used by Windows and Android malware to determine whether it is running in a VirtualBox, VMware or QEMU based virtual machine; if Amnesia detects one of those environments, it wipes the virtualised Linux system by deleting all the files in the file system.

Despite the vulnerability being disclosed a year ago, it appears to have been left unpatched according to Unit 42’s research. You can help protect against Amnesia by blocking domains used for its C&C (Command-and-Control) which include:

  • ukranianhorseriding[.]net
  • inversefierceapplied[.]pw
  • 93.174.95[.]38
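One practical way to act on those indicators, as an added example that is not from the article or from Palo Alto Networks: a small Python checker that refangs the defanged domains and IP listed above, scans DNS and firewall log lines for them, and emits dnsmasq sinkhole entries for the domains. The log lines are constructed samples, not real telemetry.

```python
import re

# The Amnesia C2 indicators as the article lists them (defanged with "[.]").
AMNESIA_IOCS_DEFANGED = [
    "ukranianhorseriding[.]net",
    "inversefierceapplied[.]pw",
    "93.174.95[.]38",
]

def refang(indicator: str) -> str:
    """Turn a defanged indicator like 'a[.]b' back into its real, lower-cased form."""
    return indicator.replace("[.]", ".").lower()

def defang(indicator: str) -> str:
    """Defang an indicator so it is safe to paste into a report."""
    return indicator.replace(".", "[.]")

AMNESIA_IOCS = {refang(i) for i in AMNESIA_IOCS_DEFANGED}
_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
# Host names and IPs as they appear in dnsmasq / netfilter style log lines.
_TOKEN = re.compile(r"[A-Za-z0-9.-]+")

def find_amnesia_hits(log_lines):
    """Return (line_number, defanged_indicator) for every line that touches an Amnesia C2."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        for tok in _TOKEN.findall(line):
            t = tok.lower().rstrip(".")   # DNS logs may print the FQDN with a trailing dot
            if t in AMNESIA_IOCS:
                hits.append((n, defang(t)))
                break                     # one hit per line is enough
    return hits

def dnsmasq_sinkhole_lines():
    """dnsmasq 'address=' entries resolving the C2 domains to 0.0.0.0 (the IP belongs in the firewall)."""
    return sorted(f"address=/{d}/0.0.0.0" for d in AMNESIA_IOCS if not _IPV4.match(d))

# Constructed sample log lines (not real telemetry) from a gateway in front of a DVR.
SAMPLE_LOGS = [
    "Apr 07 10:12:01 dvr-gw dnsmasq[412]: query[A] ukranianhorseriding.net from 192.168.1.23",
    "Apr 07 10:12:02 dvr-gw dnsmasq[412]: query[A] time.google.com from 192.168.1.23",
    "Apr 07 10:12:05 dvr-gw kernel: FW-OUT SRC=192.168.1.23 DST=93.174.95.38 PROTO=TCP",
    "Apr 07 10:12:09 dvr-gw dnsmasq[412]: query[A] InverseFierceApplied.PW. from 192.168.1.23",
]

if __name__ == "__main__":
    for line_no, ioc in find_amnesia_hits(SAMPLE_LOGS):
        print(f"line {line_no}: contact with Amnesia C2 {ioc}")
    print("\n".join(dnsmasq_sinkhole_lines()))
```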

A successful attack from Amnesia results in full control of the device, which can then be used by attackers to carry out DDoS (Distributed Denial of Service) attacks similar to last year's devastating Mirai botnet. That attack disrupted DNS provider Dyn, took popular services including Github, Twitter, SaneBox, Reddit, AirBnB and Heroku offline, and set a new record for the most traffic in a single attack.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, comments:

“Unfortunately, many manufacturers of IoT devices ignore even the very basic aspects of their devices’ security. Millions of devices cannot be updated if a security flaw is found, or do not allow the change of hardcoded passwords or insecure configurations, such as non-HTTPS access to admin panels. They are insecure and dangerous by design.

In the near future, we will certainly see some people using their technical skills to create IoT destroying worms just for fun, glory, or a joke. While we are talking about cheap and non-critical devices, it can be amusing, but what if medical surgery equipment is damaged? Product liability claims may bring multi-million lawsuits against the negligent manufacturers; hospitals and doctors may also be held partially liable.

The IoT device market should be strictly regulated, precluding careless vendors from bringing their dangerous products to the market. Today it is mainly about joking. Tomorrow, it will be about people’s lives. Governments should act quickly, adapting the law and regulations.”
