Security Experts:

Thousands of IP Cameras Hijacked by Persirai, Other IoT Botnets

Thousands of IP cameras have been hijacked by Internet of Things (IoT) botnets and data from Trend Micro shows that the recently launched Persirai malware is responsible for a large percentage of infections.

The Persirai backdoor is designed to target more than 1,000 IP camera models, and researchers said there had been roughly 120,000 devices vulnerable to this malware at the time of its discovery several weeks ago.

The malware, which uses a recently disclosed zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.

Trend Micro has determined that of a total of 4,400 IP cameras it tracks in the United States, just over half have been infected with malware. The percentage of infected cameras spotted by the security firm in Japan is nearly 65 percent.

According to the company, more than 64 percent of the total number of 3,675 compromised devices located in the United States, Japan, Taiwan and South Korea have been infected with Persirai.

However, Persirai is not the only IoT malware targeting IP cameras. Trend Micro says there are three other malware families: Mirai, DvrHelper and TheMoon.

Mirai made a lot of headlines recently due to the significant number of devices it infected all around the world. Data from Trend Micro shows that of the hijacked devices it is monitoring in the U.S., Japan, Taiwan and Korea, Mirai accounts for more than a quarter of infections.

DvrHelper is based on Mirai, but its authors have implemented some interesting features, including additional DDoS modules and a mechanism for bypassing anti-bot solutions, including JavaScript-based challenges and Google’s reCAPTCHA system.

Another threat targeting IP cameras is TheMoon. This is actually the oldest IoT malware, but its authors have continued to improve it.

DvrHelper and TheMoon account for 6.8 percent and 1.4 percent of the infections seen by Trend Micro in the U.S. and the aforementioned East Asian countries.

Researchers pointed out that since the number of potential victims for these malware families is limited, some of them are designed to “lock the door” behind them after they infect a device.

For example, Persirai attempts to patch the zero-day vulnerability it exploits to prevent other malware from infecting the device. However, since the malware resides only in memory and the changes it makes are not persistent, the threat will be removed and the camera will become vulnerable once again after it’s restarted.

TheMoon also tries to keep other malware out. It does this by importing specific iptables firewall rules to the device.

Related: IoT Botnets Fuel DDoS Attacks Growth

Related: IoT Botnet "Amnesia" Hijacks DVRs via Unpatched Flaw

Related: Mysterious Hajime Botnet Grows to 300,000 IoT Devices

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.