Malware Infected Camera System...

Note that the article incorrectly states this as being a Sony system. Rather, it is a no-name system with a Sony imager.

http://www.zdnet.com/article/amazon-surveillance-cameras-infected-with-malware/


That bezel on the NVR is very similar to older Dahua models. Not sure if it made by a shared third party, or just made to resemble Dahua?

It's a slight exaggeration to say that the system is infected with malware, as no actual malware was found on the camera.

An iframe referencing a domain that is known for malware distribution is incorporated in the web client HTML.

You would still need to click it and download it, (assuming you didn't disable the typical browser security measures, e.g. cross-site scripting.)

U2, you don't necessarily need to "click" something to get a drive by download. They likely have a snippet of code in a script to execute said downloads, since they have the iframe browsing that domain.

Except that most browsers nowadays adhere to what's known as Same-Origin Policy:

In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. -Wikipedia

hence my initial qualification.

Notice also in the zd article the vague:

If the device's firmware links to this domain, malware can be downloaded and installed, potentially leading to unlawful surveillance and data theft.

Downloaded by whom? If it's automatic then why didn't they say "it then downloaded XYZ."

What browser is installed on a standalone DVR? This isn't a PC.

What standalone DVR comes with Developer tools?


When trying to get the cameras to work on my friends machine I simply logged into the admin webpage and went to configure it. Olsen

That would be an embedded web server that you are connecting to via a PC. That browser is not embedded in the DVR.

Jon, no offense but you seem confused:

This isn't a PC.

...that you are connecting to via a PC.

In short, the PC* is the target of the supposed malicious link, not the DVR. The DVR is supplying the HTML that could cause a PC to download a virus unto the PC.

My contention is only that:

The typical PC would typically have a browser that would enforce "same origin policy" preventing automatic execution.

*Or whatever client machine OS is being used for network access to the DVR.

No confusion here. Not sure why you're not understanding this. Maybe I'm being trolled, but I doubt it.

Here is a full breakdown:

1) The DVR has an embedded web server that has an iframe embedded in its main webpage.

2) When you use a browser on a PC to view this webpage, with the iframe that links to a malware infested site, it can download malware to the DVR.

3) The malware can be executed on the DVR by another script when detected after download. This could be a worm or just a mining malware that transfers data like passwords and other sensitive info on the DVR. Who knows? Potentially endless malware could be hosted there.

No, not being trolled.

2) When you use a browser on a PC to view this webpage, with the iframe that links to a malware infested site, it can download malware to the DVR.

Jon, the PC browser would download the malware to your PC, like it does with every other download, right?

Before anything else, make sure you are ok with that?

Could the PC malware then turn around and download the malware to the DVR?

Sure anything is possible. But there is no point! The DVR isn't the source of the malware and the target of the malware!

The target is the PC.

Think about it, if whomever originally put the malware HTML code on the DVR wanted the virus on the DVR, they would have put it on then, like they did with the HTML code.

What you are proposing is that they put malware in the HTML code to get downloaded to a PC to download back to the DVR!

Why couldn't the script write directly to the DVR? There isn't anything from stopping them from doing so. I get your point about why it would have an iframe embedded in the webpage instead of a script that calls out itself and my reason is simple. It would be easier to detect the DVR is "phoning out" to a malware site than if it was a PC making that call. Sure, you run a risk of the PC AV blocking it too, but if every single DVR was calling out directly to that site, it would be easier to determine the source of the exploit.

Jon, the DVR is a piece of hardware that comes from the store with (some) malicious code already on it, right?

Whomever put the malicious code there in the first place would have just put whatever code they wanted to then. No download needed.

Not if you wanted to obscure the source of the infected machine.

If it appears as a PC is calling out to the bad website, you suspect the PC is infected.

If the DVR just makes a bunch of random calls out, it's obviously the DVR.

If the DVR just makes a bunch of random calls out, it's obviously the DVR.

The DVR would have just come pre-infected with whatever virus they wanted. NO calls out.

The code on the DVR was ALREADY compromised by the hackers.

Before it left the factory.

I don't know what I can say that is plainer than that.