Virus Impacting Hikvision Products, Hikvision Responds

A Bitcoin miner of all things. If anybody wants to examine it, feel free to download the malware.

[UPDATE With Hikvision official response and tech details.]


Update: this researcher says he found the same malware running on a router as well.

Update two: it's mining Litecoin, not Bitcoin.

Update three: this is what happens when everyone goes to ISC without me and I have too much coffee.

I am unclear on the mechanics of Bitcoin/digital currency miners. What do they do? Aren't these voluntary downloads?

To summarize: the way new Bitcoins are introduced into the Bitcoin economy- that is, the way you "earn" new Bitcoins- is by running a program that computes past Bitcoin transactions. This allows Bitcoin to remain decentralized- you don't have to pay anyone to maintain ginormous servers because all required processing is distributed among a million devices all over the world, which means no one could possibly shut down Bitcoin entirely even if they wanted to. Every time you run a computation, you are paid a tiny fraction of a Bitcoin. Not much, but it adds up over time. More here.

I can't imagine you would make much BTC on a single DVR, but thousands of DVRs running a botnet might make this worth it.

To summarize: the way new Bitcoins are introduced into the Bitcoin economy- that is, the way you "earn" new Bitcoins- is by running a program that computes past Bitcoin transactions.

If I may nitpick ever so slightly I would point out that one only earns "old" bitcoins when verifying past Bitcoin transactions. These are the equivalent of credit card processing fees and are paid by the transactors.

Brand spanking new bitcoins on the other hand are "mined" (implying they existed before anyone found them) by discovering numbers that meet a certain formula (hashcode). This computation involves factoring into primes of "ginormous" integers. Because of the non-existence of any efficient prime number generator (the best ones are little better than your 3rd grade teacher's prompt of 'Now does 2 go into it evenly? No? How about 3?'), the miner must test gazillions of possibilities in order to find one valid one. Once found, it is simple for others to test whether it meets the formula. To put an access control spin on it, if you had a card printer and were making up cards randomly to make a working key, you might be there a while. But when one worked, anyone with a reader could instantly verify it, and you would put the 'card/coin' in your pocket. The miner then registers the coin and essentially pockets it.

My guess would be that the virus is more likely to be the type that is not concerned with past transactions, but rather only interested in discovering new bitcoins. Why? Because it's so sneaky (it makes network calls only when you find a coin) and not noisy like verifying transactions (think NASDAQ).
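The card-printer analogy above (costly to find, instant to verify) is the essential property of a proof of work, and it is the reason a miner running on a DVR is almost pure CPU burn. The following is an added example, not code from the thread or from any miner: Bitcoin's proof of work is a double-SHA-256 search for a hash that falls below a numeric target, so the search cost grows as 2^difficulty while verification is one hash. The block layout (`data || 8-byte nonce`) and the difficulty-in-bits parameter are simplifications chosen for this demonstration.

```python
import hashlib


def pow_hash(data: bytes, nonce: int) -> bytes:
    """Double SHA-256 over (data || nonce), the hash Bitcoin's proof of work uses.

    The layout data || 8-byte big-endian nonce is a simplification for this example.
    """
    msg = data + nonce.to_bytes(8, "big")
    return hashlib.sha256(hashlib.sha256(msg).digest()).digest()


def meets_target(digest: bytes, difficulty_bits: int) -> bool:
    """A digest is valid when, read as a 256-bit integer, it is below the target.

    Requiring difficulty_bits leading zero bits means 1 in 2**difficulty_bits
    candidates qualifies on average.
    """
    target = 1 << (256 - difficulty_bits)
    return int.from_bytes(digest, "big") < target


def expected_attempts(difficulty_bits: int) -> int:
    """Mean number of hashes needed to find one valid nonce."""
    return 2 ** difficulty_bits


def mine(data: bytes, difficulty_bits: int, max_attempts: int = 1 << 24):
    """Brute-force search for a nonce; returns (nonce, hex digest, attempts used).

    This is the expensive side: the only way to find a valid nonce is to try them.
    """
    for nonce in range(max_attempts):
        digest = pow_hash(data, nonce)
        if meets_target(digest, difficulty_bits):
            return nonce, digest.hex(), nonce + 1
    raise RuntimeError("no valid nonce found within max_attempts")


def verify(data: bytes, nonce: int, difficulty_bits: int) -> bool:
    """The cheap side: anyone can check a claimed nonce with a single hash."""
    return meets_target(pow_hash(data, nonce), difficulty_bits)


if __name__ == "__main__":
    # Constructed block contents; difficulty 16 bits takes ~65k hashes on average.
    block = b"constructed block header"
    nonce, digest_hex, attempts = mine(block, 16)
    print(f"nonce={nonce} digest={digest_hex} attempts={attempts} "
          f"(expected ~{expected_attempts(16)})")
    print("verified:", verify(block, nonce, 16))
```

Raising `difficulty_bits` by one doubles the average search time but leaves `verify` at one hash, which is why a fleet of compromised devices is attractive to whoever controls the miner: the work parallelizes perfectly across boxes that are otherwise idle.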

Rukmini's explanation is more technically accurate than mine but I'm used to dealing with end users and therefore have gotten into the habit of breaking my explanations into its most essential components, so that even if they are not 100% accurate, they can still allow a previously uninformed person insight into the fundamentals of the situation.

The next Bill Nye? :)

I could think of worse fates. I could get used to the bowtie.

Not sure if this is related to this incident but our spider just picked up a strange announcement from Hikvision:

"With the popularity of network video surveillance, more and more networking products are used in public networks, such as Network Video Recorders, Network Cameras, and Routers. But the public network environment is more vulnerable than an internal network. Your devices might be attacked by various viruses, like malicious network scanning, if the devices are used in public networks without any modification of their default passwords.

We have come to know that some of our customers do not change the default passwords, which might cause heavy damages and losses.

Therefore, we hereby strongly recommend you to change the default passwords of the networking devices before using them in a public network."

It's weirdly vague and yet ominous.

I swear I heard non-diegetic music in a minor key playing as I read that.

Where is Marty with an actual audio clip......

It seems like the whole issue is an exploit in the Synology NAS (or their Surveillance Station application)....

Can anyone hazard a guess as to why Hik boxes are the only DVRs they've found scanning port 5000 for vulnerable Synology boxes? The malware appears to be able to reside in various networked devices.... why no other DVRs?
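The observable symptom in this thread is a DVR on the LAN sweeping outside hosts on TCP 5000. A perimeter firewall that logs outbound connections will record that as one internal source touching many distinct destinations on one port, which is a simple thing to alert on. The following is an added example, not from the thread or from any vendor: it parses iptables-style log lines (the `SRC=`/`DST=`/`DPT=` fields are real iptables log fields; the sample lines and addresses are constructed) and flags any source that reaches a threshold of distinct destinations on the watched port.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# iptables LOG target fields; the surrounding syslog prefix varies by distro.
LOG_RE = re.compile(r"SRC=(\S+)\s+DST=(\S+).*?\bDPT=(\d+)")

# Constructed sample: a DVR at 192.168.1.50 sweeping a /24 on port 5000,
# a workstation at 192.168.1.20 making a couple of legitimate connections,
# one repeat destination, one unrelated port, and one non-firewall line.
SAMPLE_LOG = [
    *[f"Apr  1 10:00:{i:02d} gw kernel: FWOUT IN=br0 OUT=eth0 "
      f"SRC=192.168.1.50 DST=203.0.113.{i} PROTO=TCP DPT=5000" for i in range(1, 9)],
    "Apr  1 10:00:09 gw kernel: FWOUT IN=br0 OUT=eth0 SRC=192.168.1.50 DST=203.0.113.1 PROTO=TCP DPT=5000",
    "Apr  1 10:00:10 gw kernel: FWOUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.40 PROTO=TCP DPT=5000",
    "Apr  1 10:00:11 gw kernel: FWOUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=203.0.113.41 PROTO=TCP DPT=5000",
    "Apr  1 10:00:12 gw kernel: FWOUT IN=br0 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.5 PROTO=TCP DPT=80",
    "Apr  1 10:00:13 gw sshd[123]: Accepted password for admin from 192.168.1.20",
]


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) for a firewall log line, or None if it is not one."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return m.group(1), m.group(2), int(m.group(3))


def find_scanners(lines: List[str], port: int = 5000, threshold: int = 5) -> Dict[str, int]:
    """Map each source that contacted >= threshold distinct hosts on `port` to that count.

    Distinct destinations, not connection count, is the signal: a legitimate
    client reconnecting to one server many times must not trip this.
    """
    targets = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, dst, dport = rec
        if dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def report(lines: List[str], port: int = 5000, threshold: int = 5) -> List[str]:
    """Human-readable alert lines, one per flagged source."""
    hits = find_scanners(lines, port, threshold)
    return [f"ALERT {src} contacted {n} distinct hosts on tcp/{port}; "
            f"check for default credentials and reboot to clear a resident script"
            for src, n in sorted(hits.items())]


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

In production the same logic should run over a sliding time window rather than a whole file, and the threshold should sit above whatever the noisiest legitimate client on the segment does; a DVR has no business opening connections to dozens of external hosts on any port.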

The compromisse[sic] of the DVR likely happened via an exposed telnet port and a default root password (12345).

Perhaps Hikvision's customized default password is to blame, though it's just a matter of time before others are tried.

Update: Hikvision is requesting everyone using default passwords to change the password to hoochiemama ASAP.

Note: Hikvision contacted us and said that they will post an official response.

The Hikvision webpage our spider picked up has been removed, and an earlier notice from Hikvision directly posted by a member was deleted, per their request.

For those of you concerned about security issues, the big threat right now is Heartbleed.

John- here is the official response:

Actions Taken Against Third Party Virus Causing Network Cameras Scanning Attacks

April 9th, 2014 – On November 26, 2013 Hikvision became aware of an alert regarding a continuous scanning attack that could potentially be launched by a limited number of our network cameras. Since then, we have worked diligently to resolve the issue and address the users’ concerns. We investigated the IP address provided, as well as the devices involved, including network cameras and network DVRs. Upon thorough analysis, we determined that the cause of the scanning attack was a worm virus called Linux Darlloz.

Reasons

The investigation discovered that all the network cameras infected with the virus were connected to the public internet without the default user name and password having been changed. The virus attempted to discover the password from a password dictionary until it cracked it. Once the script file was implanted, the network camera became a source of the virus, attacking other network devices. After restarting the network camera, the script file is eliminated; however, the risk of being attacked is still there if no fix is adopted. The risk of virus attack is caused by connecting devices to the public network directly without changing the default user name and password.

Problem Process and Tracking

Our company took immediate and decisive action after Symantec detected the virus on Nov. 26, 2013. Since December 2013, the firmware of all network cameras and DVRs has been updated, and all inventory products have been upgraded to protect them from being attacked by the Linux Darlloz worm virus.

We took the following actions to enhance the security awareness of users to avoid the possibility of being attacked by such a virus.

  1. A Device on Public Network Security Notice was added to the bulletin board of our global website to notify users of the possible risks of using their devices on a public network. We also asked users to change the default password to avoid risks such as network attacks and privacy leaks.
  2. Users can now download the firmware from our website to upgrade their devices to avoid the attack.
  3. A public network security awareness campaign targeting our partners and distributors was conducted through our partners and distributors: the Distributor Monthly magazine, on-site communication, training, and other available communication channels.

With decades of experience in the surveillance industry, Hikvision attaches great importance to network and information security. With the establishment of the Hikvision Security Response Center, effective communication protocols and cooperation with the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT/CC), the China National Vulnerability Database (CNVD) and other industry-recognized critical infrastructure platforms, we were able to increase our investment in internet application security. Hikvision is dedicated to continuously improving the security of our products and solutions, and is committed to complete security assurance for users. We thank you for your continuous support.

Hangzhou Hikvision Digital Technology Co., Ltd.

April, 2014

Appendix 1: Introduction of the Hikvision Security Response Center

Organization

The Hikvision Security Response Center is a platform dedicated to taking feedback on, handling and disclosing security flaws in Hikvision products and solutions. Hikvision places great importance on its own security, and has taken user security as its responsibility since the day it was founded.

Principles

  1. Hikvision places great importance on the security of its products and business. We promise that any feedback on a security flaw will be heard, analyzed and processed in time.
  2. Hikvision supports responsible disclosure and processing of security flaws. We promise that we will protect users’ interests, and we will reward and be grateful to those who help us improve security quality.
  3. Hikvision objects to and condemns hacking activity which damages users’ interests under the excuse of flaw testing, including but not limited to stealing user privacy and virtual property, hacking business systems, and maliciously spreading security flaws.
  4. Hikvision believes that the handling and processing of every security flaw, and the improvement of the whole surveillance industry, cannot be separated from the cooperation of each party. Hikvision hopes to promote cooperation with other enterprises in the industry, security companies and researchers to maintain the information security of the industry.

Progress

The Hikvision Security Response Center has been built, and the related Chinese and international webpages have been created to take feedback on, handle and disclose security flaws in Hikvision products and solutions.

Connections have been built with the dark cloud website, the National Internet emergency coordination center, and the National Information Security Flaw Share Platform.

Workflow

  1. Reporting Security Flaw

Please send email to HSRC@hikvision.com to report the security flaw.

  2. Reviewing Security Flaw

1) The Hikvision Security Response Center will confirm and review the security flaw within one work day.

2) Within three work days, the staff of the Hikvision Security Response Center will handle the problem and reach a conclusion. If necessary, the staff may contact the reporter for assistance.

  3. Fixing Security Flaw

The time to fix will be determined by the severity of the flaw and the difficulty of handling it. High risk flaws should be fixed within 24 hours, medium risk within 3 work days, and low risk within 7 work days. If the security flaw fix is affected by a new version delivery, the fixing time will be determined according to the real situation. An emergency security announcement will be published for severe security flaws.

Bob, thanks for the follow up. Can you elaborate on this section?

"Since December 2013, firmware of all the network cameras and DVRs has been updated, and all the inventory products have been upgraded to protect them from being attacked by Linux Darlloz worm virus."

Does that mean that people who have older Hikvision DVRs without the new firmware are still vulnerable to this virus (if they are using default passwords)? Also, if new firmware is needed to protect the units, where can that firmware be found / downloaded?

John- let me clarify further. Hikvision USA has its own version relative to the HQ baseline version. Since around October, the USA version has had an update which changes the telnet passcode when the Admin passcode is changed.

The only units which may be susceptible to this issue are those on a public IP with the default user name and passcode. We find this is not a typical scenario, with a security professional exposing their unit to a public IP.

To date, in North America, out of the huge install base of DVRs and NVRs, we do not have any confirmed cases of this malware issue out of a small handful of issues we are investigating as potential cases.

We recommend a customer contact our technical support team if they suspect an issue. If necessary, we can then provide the firmware and a procedure to follow in the event of an actual issue.

Bob, thanks for this thorough and detailed response.

Does Hikvision have any plans to force users to change the default password on initialization, as discussed previously?

Ari- we are working on that plan now. Goal is to give a warning and a security message. I will advise when it is implemented.
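Two mitigations come up in Bob's replies: the USA firmware change that rewrites the telnet passcode whenever the Admin passcode changes, and the planned forced password change on initialization. The following is an added example, not Hikvision's code: a hypothetical model of a DVR's account state that enforces both behaviours (no service but the password-change UI until the factory default named in this thread, 12345, has been replaced; the shell account always follows the admin password) plus a `risk_findings` check that reports the exposure pattern the Hikvision response describes (default credentials on a device reachable from the public internet). The password policy, weak-password list and service names are constructed for the example.

```python
from dataclasses import dataclass
from typing import List

# Constructed mini-dictionary. A real worm carries a far larger one; the point
# is that any credential appearing in such a list is as good as no credential.
WEAK_PASSWORDS = frozenset({"12345", "123456", "admin", "password", "root", "hikvision"})


class PasswordPolicyError(ValueError):
    """Raised when a candidate password fails the activation policy."""


def check_password(candidate: str) -> None:
    """Reject defaults, dictionary words and trivially short or single-class strings."""
    if len(candidate) < 8:
        raise PasswordPolicyError("shorter than 8 characters")
    if candidate.lower() in WEAK_PASSWORDS:
        raise PasswordPolicyError("is a known default/dictionary password")
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        raise PasswordPolicyError("must mix letters and digits")


@dataclass
class Device:
    """Hypothetical account state of a DVR (constructed model, not vendor code)."""
    admin_password: str = "12345"      # factory default named in the thread
    telnet_password: str = "12345"     # shell account shipped with the same default
    telnet_enabled: bool = True
    on_public_ip: bool = False
    activated: bool = False            # False until the default has been replaced

    def set_admin_password(self, new_password: str) -> None:
        """Change the Admin passcode; the telnet passcode follows it.

        This mirrors the behaviour described for the USA firmware, so that no
        shell-only default survives an admin password change.
        """
        check_password(new_password)
        self.admin_password = new_password
        self.telnet_password = new_password
        self.activated = True

    def allow_service(self, service: str) -> bool:
        """Forced change on init: only the password-change UI works until activated."""
        if not self.activated:
            return service == "change-password"
        if service == "telnet":
            return self.telnet_enabled
        return True


def risk_findings(dev: Device) -> List[str]:
    """Describe why this device would be attractive to a credential-guessing worm."""
    findings = []
    if dev.admin_password.lower() in WEAK_PASSWORDS:
        findings.append("admin account uses a default/dictionary password")
    if dev.telnet_enabled and dev.telnet_password.lower() in WEAK_PASSWORDS:
        findings.append("telnet enabled with a default/dictionary password")
    if dev.on_public_ip and findings:
        findings.append("device reachable from the public internet with weak credentials")
    if dev.on_public_ip and dev.telnet_enabled:
        findings.append("telnet reachable from the public internet")
    return findings


if __name__ == "__main__":
    dvr = Device(on_public_ip=True)
    print("fresh unit:", risk_findings(dvr))
    dvr.set_admin_password("Cam3ra-Lot7")   # constructed strong value
    print("after activation:", risk_findings(dvr))
    dvr.telnet_enabled = False
    print("telnet off:", risk_findings(dvr))
```

The last finding is deliberately independent of the password: even with a strong credential, a telnet service facing the public internet is still a brute-force target and is better disabled or confined to the management LAN.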

Bob, which versions of the firmware are affected and which versions fix the problem?

FWIW, HikVision Camera firmware 5.1 has a date of 12/2/2013 (I upgraded my Hikvision Cameras to that Version in December)

Phil Schaadt

I was trying to avoid V5.1 because it's buggier than 5.0 and works poorly with Macs, where it only gets 1 FPS with Webcomponents on LAN or WAN; Quicktime works better at full frame rate on LAN but is not accessible externally on the WAN. What's interesting is Hikvision has a test camera with external access that has 5.1 firmware but 4.0 of the video encoder, so that works fine with Mac, but I have not seen a way to install this, as when you install 5.1, it also updates the video encoder to 5.0.

I run Milestone XProtect on a Windows box and all our PCs are Windows.

Phil Schaadt

Undisclosed B: Have you provided your "bug" feedback to our technical support team?

I do not have any reports that indicate that 5.1 camera firmware is "buggier" than a previous version.

Yes I have, Bob. Spent an hour with them on the phone with access to the cameras on the project and they can replicate the issue. Also, the ability to write to an SMB/CIFS mount is an issue, as we replaced Mobotix D15 with Hikvision USA cameras and want to keep that functionality Mobotix is known for, but can't get that to work. It used to work in V5 with NFS. Also, I used to be able to use a URL command to capture an image; that worked in 5.0.2 and prior, but not in 5.1.