Subscriber Discussion

Persirai Trend Micro Camera Botnet Discovered

Michael Miller
May 10, 2017
Undisclosed Integrator #1
May 10, 2017

Is there any info as to what devices/models are affected?

Michael Miller
May 10, 2017

A new Internet of Things (IoT) botnet called Persirai (Detected by Trend Micro as ELF_PERSIRAI.A) has been discovered targeting over 1,000 Internet Protocol (IP) Camera models based on various Original Equipment Manufacturer (OEM) products.

After receiving commands from the server, the IP Camera will then start automatically attacking other IP Cameras by exploiting a zero-day vulnerability that was made public a few months ago.

 

Undisclosed End User #2
May 10, 2017
Undisclosed #3
May 10, 2017
Undisclosed Distributor #4
May 11, 2017

Why is this not the TOP story/most commented on post???  We all watched as Hik/Dahua have done nothing since their last security debacles and now here we go again.  They've adopted the working strategy of "just wait, something else will come along soon and distract everyone away from this story to the next one" and sure enough, it works like a charm.  Just toss a few sales in there and lower prices some more and people won't care.

This industry continues to amaze me. My background is in networking and programming where issues like this are like an atom bomb going off in the garage, but in the security industry it's just "eh, oh well let's just ignore it, drop prices and blame it on the manufacturer" but business continues as usual.  I guess when all of the "consumer priced" cameras are manufactured in a country where they are immune to any repercussions and have successfully decimated any foreign competition that they can do whatever they want.

So, that being said, I wonder what the next target will be for this botnet and will it be a large/debilitating enough attack to actually initiate some action.

 

Brian Karas
May 11, 2017
IPVM

Why is this not the TOP story/most commented on post???

Because these cameras have little to no usage in the professional security market. This is more of a consumer-oriented camera, and not many IPVM members use or install these products.

Undisclosed Distributor #4
May 11, 2017

This is assuming that the reporting of these cameras is only from this one manufacturer, correct?  Reading the story on Slashdot reports that "Persirai borrows some computer code from a notorious malware known as Mirai" which we all recognize as an old friend affecting thousands upon thousands of not-so consumer-oriented cameras, NVRs and DVRs from at least one of the two largest manufacturers in the world.

Ah well, no matter, maybe we can get another $2 off of our favorite cameras after the next attack.

Brian Karas
May 11, 2017
IPVM

This is assuming that the reporting of these cameras is only from this one manufacturer, correct?

I would not assume it is only a single manufacturer. Many of the low-cost/high-volume Chinese cameras seem to share a lot of parts and code in common across manufacturers. And of course the actual root manufacturers are hard to determine in many cases.

The elements that Persirai borrows from Mirai do not seem to be related to the core vulnerability attack vector. Persirai targets vulnerabilities in the "goahead" webserver; Mirai looked for open telnet ports. Goahead is not common in commercial security products (though there may be some that use it).

What they share in common has more to do with the part that comes after the vulnerability mechanism, but that does not mean devices that were vulnerable to Mirai are vulnerable to this.
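The distinction drawn in the comment above, as an added example that is not part of the original discussion: a small audit that labels each device in your own inventory by which entry vector it presents, a GoAhead web server banner or an open telnet port. The `Probe` record, the label names, the inclusion of port 2323 and the sample data are assumptions constructed for illustration.

```python
# Added example: constructed inventory data, not output from real devices.
from dataclasses import dataclass

TELNET_PORTS = {23, 2323}  # assumption: ports this audit treats as telnet

@dataclass
class Probe:
    host: str
    http_head: str             # raw HTTP response head from the web UI ("" if none)
    open_tcp_ports: frozenset  # TCP ports found open on the device

def server_header(http_head: str) -> str:
    """Return the Server header value; header names are case-insensitive."""
    for line in http_head.splitlines()[1:]:   # skip the status line
        if not line.strip():
            break                             # blank line ends the headers
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            return value.strip()
    return ""

def exposure(p: Probe) -> set:
    """Label which entry vector from the discussion a device presents."""
    labels = set()
    # Server family Persirai targets; a banner alone does not prove a vulnerable build.
    if "goahead" in server_header(p.http_head).lower():
        labels.add("goahead-web")
    # What Mirai looked for.
    if p.open_tcp_ports & TELNET_PORTS:
        labels.add("telnet-open")
    return labels

def triage(probes):
    return {p.host: exposure(p) for p in probes}

# Constructed sample inventory (hypothetical hosts and banners).
SAMPLE = [
    Probe("10.0.0.11", "HTTP/1.1 200 OK\r\nServer: GoAhead-Webs\r\n\r\n", frozenset({80})),
    Probe("10.0.0.12", "HTTP/1.0 401 Unauthorized\r\nSERVER: lighttpd\r\n\r\n", frozenset({23, 80})),
    Probe("10.0.0.13", "HTTP/1.1 200 OK\r\nserver: goahead-webs\r\n\r\n", frozenset({80, 2323})),
    Probe("10.0.0.14", "", frozenset({554})),
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE).items():
        print(host, sorted(labels) or ["none"])
```

The two labels are independent: a device can carry either, both or neither, which is why exposure to one botnet's entry vector says nothing about the other.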

 

Ethan Ace
May 11, 2017

I think this section of the affected products is the scariest, because there are thousands upon thousands of these in the wild, vast majority by unsophisticated users, I'm sure:

Foscam FI18904w
Foscam FI18905E
Foscam FI18905W
Foscam FI18906w
Foscam FI1890W
Foscam FI18910E
Foscam FI18910W
Foscam FI18910w
Foscam FI18916W
Foscam FI18918W
Foscam FI18919W
Foscam FI19810W
Foscam FI8094W
Foscam FI81904W
Foscam FI8601W
Foscam FI8602W
Foscam FI8606W
Foscam FI8610w
Foscam FI8903W
Foscam FI8903W_Elita
Foscam FI8904
Foscam FI8904W
Foscam FI8905E
Foscam FI8905W
Foscam FI8905w
Foscam FI8906w
Foscam FI8907W
Foscam FI8908W
Foscam FI8909W
Foscam FI890W
Foscam FI8910
Foscam FI8910E
Foscam FI8910W
Foscam FI8910W_DW
Foscam FI8910w
Foscam FI8916W
Foscam FI8918
Foscam FI89180w
Foscam FI8918E
Foscam FI8918W
Foscam FI8918w
Foscam FI8919W
Foscam FI9804W
Foscam FI9805E
Foscam FI9810
Foscam FI9810W
Foscam FI9818
Foscam FI9820w
Foscam FI9821W
Foscam FI9821w
Foscam FL8910
Foscam FS18908W
Foscam FS8910
Foscam Fi8910
Foscam Other
Foscam fI8989w
Foscam fi1890w
Foscam fl8910w

Undisclosed Manufacturer #5
May 11, 2017

A few standouts in the camera list....

Panasonic BL-C131A
D-Link DCS-910
D-Link DCS-930L
D-Link L-series
Swann 005FTCD
Swann 440
Swann 440-IPC
Swann ADS-440
Swann ADS-440-PTZ
Swann ADS-CAMAX1
Swann Other
Swann SWADS-440-IPC
Swann SWADS-440IPC-AU


Beyond that, I think my favorite manufacturer name on the list is "Sumpple".

 

Eddie Perry
May 11, 2017

Is this a joke? Most of the cameras on this list are around 10 years old.

I know cyber security is important but how many consumer models are still running after 10 years?

There are about a handful of models on this list that are less than 5 years old.

On a personal note, I do like the "ChinaVision" name.
