Subscriber Discussion

Can Recorder Browser Plugins Get A Virus?

Jay Hobdy
Jan 18, 2017
IPVMU Certified

I was logging into some NVRs/DVRs for a client with multiple devices at various locations. I was using the HTTP port/browser method. Several devices prompted me to download a plug-in, which is normal for Dahua products.

But one device kept triggering my antivirus as a trojan horse.

We didn't set these up but we know they are very vulnerable. Is it possible it's infected and it has attached to the plug-in?

Josh Hendricks
Jan 18, 2017
Milestone Systems

If the device had been previously compromised, the attacker could easily have modified which file was pushed as a "plugin", which is a smart way to spread to the rest of the network.

If you can safely download the plugin WITHOUT executing it, you could do a comparison of the file against a "trusted" plugin installer. Best not to check using size or date modified as these can be spoofed. But using a file hashing tool, you could compare the "thumbprint" of the files. If they match, then it's probably a false alarm. Unless they're ALL infected ;)

Jared Tarter
Jan 18, 2017
Milestone Systems

To tag onto this, if you can download the plugin you can use VirusTotal to check it against over 50 different anti-virus web scanners. It could just be a false positive with your anti-virus, but this would be a good way to tell.

Undisclosed Manufacturer #1
Jan 18, 2017

DVR plugin got infected. It's happened before.
Plugin is an executable file in IE. Even a GIF can be a virus too (in some ways).
But there should be a lot of users using Dahua.
I don't think it really happened.
What's your antivirus? Don't tell me it's 360 "anti-virus".

BTW, why use IE?? If you really need IE, use a sandbox on it. Don't just click on IE.
Sandboxie: it's free and no virus/rootkit/trojan/hijack forever.

Undisclosed #2
Jan 18, 2017
IPVMU Certified

Similar issue (with Hikvision)

Jay Hobdy
Jan 18, 2017
IPVMU Certified

I use IE or Firefox because Dahua plugins don't work in Chrome.

I use a paid version of AVG

There is something wrong with the file. I already have a plug-in but it may be from a different Dahua device, so not sure if the plug-ins would be different from an NVR to a DVR. The original plug-in was 1.02 MB and when you go to Properties > Details it gives a version #, language, etc. The suspect file is just blank in the Details section and is only 1.00 MB.

I tried to upload the file to VirusTotal as suggested but it would not upload and wanted me to open it as Admin. I right clicked and shredded it with my anti-virus. I do NOT have the time to deal with a virus.

Undisclosed Manufacturer #1
Jan 19, 2017

Don't worry too much. AVG is one of the antiviruses with the most false alarms in the world.
AVG protects your PC well, but it gets too nervous.

If you really worry and need to install this ActiveX, try a sandbox.
Even if it is a virus, you can always delete the infected section.
And the best part is you can run the infected IE and a normal IE at the same time.
You can think of a sandbox as an application-layer VM without any hardware requirement.

Oleksiy Zayonchkovskyy
Jan 19, 2017
IPVMU Certified

As for the virus...

In addition to Joshua's answer I would add that a potential virus can be activated even without executing the file. It can be a Trojan with a worm inside. Potential viruses must be downloaded to a host machine ISOLATED from the network and then scanned, in addition to leaving it for at least a whole day with proactive antivirus defense online to gather heuristics (behavior) of the potential virus. If nothing strange occurred during the quarantine period, then it can be executed again, only on an ISOLATED host with proactive defense.

And if in a day everything is OK, then consider it a false positive and proceed to production.

William K Dietrich Jr
Jan 19, 2017
IPVMU Certified

I second the opinion of downloading the file *without opening it* and comparing it to a known, healthy plugin. This is why it's important to divert from the default passwords on the cameras, and make sure that a secure password is used for authentication to the cameras. In Windows, I would look at the properties of the file and it will say something like "Size: 20.5 KB (21,011 bytes)." Compare the byte size, and if they differ, I would assume that the camera has been compromised.

I disagree that opening the file on a segregated system or "sandbox" would help solve anything. This is because lots of viruses do not give you any indication that there is an infection. They can lie dormant on the system and give you a false sense that the file is safe.

As mentioned above, using VirusTotal.com is a great way to scan a file using multiple AV products. It's a wonderful tool, and you should try it regardless, to keep it under your belt as a tool.

It is easy for hackers to set up a brute force tool to try several passwords a minute. I know a lot of those cameras do not have a lockout, i.e. if after X failed login attempts, lock out login attempts for X amount of minutes. Because many cameras do not have this feature, it's a good target for brute force/dictionary style attacks.
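One way to do the offline comparison Josh and William describe above, as an added example (not code from the thread or from any vendor): the downloaded file is hashed and size-checked against a trusted copy without being executed. SHA-256 is assumed as the hash, the helper names are hypothetical, and the sample bytes are constructed to show why a matching size alone proves nothing.

```python
import hashlib
import os
import tempfile


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-256 so large installers need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def compare_plugin(suspect_path, trusted_path):
    """Compare a downloaded plug-in with a trusted copy; nothing is executed."""
    suspect_hash = sha256_file(suspect_path)
    trusted_hash = sha256_file(trusted_path)
    result = {
        # Size and timestamp are weak signals: a file can be padded to the
        # expected length, so only the hash match counts as a pass.
        "size_match": os.path.getsize(suspect_path) == os.path.getsize(trusted_path),
        "hash_match": suspect_hash == trusted_hash,
        # The SHA-256 can be searched on VirusTotal without uploading the file.
        "suspect_sha256": suspect_hash,
    }
    result["verdict"] = ("identical to trusted copy" if result["hash_match"]
                         else "differs from trusted copy: do not run")
    return result


def demo():
    """Constructed example: two files of equal size that differ by one byte."""
    trusted = b"MZ" + b"\x90" * 1022                # stand-in for a known-good installer
    suspect = b"MZ" + b"\x90" * 1021 + b"\x00"      # same length, different content
    with tempfile.TemporaryDirectory() as d:
        t_path = os.path.join(d, "trusted_plugin.cab")
        s_path = os.path.join(d, "suspect_plugin.cab")
        with open(t_path, "wb") as f:
            f.write(trusted)
        with open(s_path, "wb") as f:
            f.write(suspect)
        return compare_plugin(s_path, t_path)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```
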

Oleksiy Zayonchkovskyy
Jan 19, 2017
IPVMU Certified

"I disagree that opening the file on a segregated system or "sandbox" would help solve anything. This is because lots of viruses do not give you any indication that there is an infection. They can lie dormant on the system and give you a false sense that the file is safe."

Considering this we could assume that most of our systems are compromised and just waiting the right time )).

The most convenient way is to send the file to the antivirus vendor to inspect it further and make a clear decision. I've done so several times, sending to Kaspersky and other labs, and they typically answered in a few days.

Thanks for the site, but if the threat is new or suspended as you stated, then the signature may not be created at the moment (I had an encryptor pass 3 cores of antivirus defense with fully updated signatures and so on). The main question is what will be done, or even what has been done already, by the virus; thus the vendor, after some investigation, can give some assurance.

In God we trust, the rest we Test.

Jay Hobdy
Jan 19, 2017
IPVMU Certified

I did that, the files are different sizes.

The Details tab lacks any details such as version # etc. when compared to a known good plugin.

I also cannot upload to VirusTotal without opening it as admin.

If it quacks like a duck, walks like a duck....

I do not have the time to deal with it. I am not touching it, and we will advise the customer that the device is probably infected. Regardless, it should be secured properly instead of sitting there with ports wide open and admin/admin login....

Removing the virus should require a simple firmware upgrade?

Josh Hendricks
Jan 19, 2017
Milestone Systems

False positives are common, so we don't know that it is a virus yet. I understand not having the time to find out, so if you wish to proceed under the assumption the camera is infected, you cannot trust that a simple firmware upgrade/re-install will remove it.

Some other IPVM members have already demonstrated the ability to hack the software on the camera and change factory reset behavior for example. If that can be done, they can also ensure that normal firmware upgrades either do not overwrite the infectious software or can persist itself after the firmware upgrade in some way.

I'm not one to jump to conclusions, but when I've confirmed something is infected, I take the "kill it with fire" approach... If I was positive the camera was infected I would try to get a replacement from the manufacturer, as there may not be an easy way to be 100% sure that you've removed it.

If you do a firmware upgrade and the plugin no longer triggers your antivirus, one might reasonably assume the infection, if real, was not sophisticated enough to persist through a firmware upgrade. It's up to you how much that sets your mind at ease.

Undisclosed Manufacturer #1
Jan 20, 2017

What happens in the sandbox stays in the sandbox.
It cannot touch your system.

It's just like no virus can touch anything outside the VM......

Copied from Wikipedia:

In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested or untrusted programs or code, possibly from unverified or untrusted third parties, suppliers, users or websites, without risking harm to the host machine or operating system.[1] A sandbox typically provides a tightly controlled set of resources for guest programs to run in, such as scratch space on disk and memory. Network access, the ability to inspect the host system or read from input devices are usually disallowed or heavily restricted.

In the sense of providing a highly controlled environment, sandboxes may be seen as a specific example of virtualization. Sandboxing is frequently used to test unverified programs that may contain a virus or other malicious code, without allowing the software to harm the host device.[2]

John Honovich
Jan 19, 2017
IPVM

Related to all, more than a year ago, Google disabled NPAPI, breaking many video surveillance browser clients in Chrome. Most do not still have a fix, yes?
