Isn't telnet in most cases blocked by the firewall to the internet, or is this malware spreading from the LAN itself?
In most cases, yes, it should be blocked, but clearly there are hundreds of thousands of cameras that do not have it blocked.
The malware should not be able to spread via LAN at all. In fact, if you look at the Mirai source code, the part that assembles a random IP address to scan specifically excludes local IPs and certain other networks:
Also, as for changing passwords, didn't Dahua have hard coded known usernames and passwords that couldn't be changed?
This seems to vary by product. US OEMs, DahuaUSA official product, and overseas (and imported gray market cameras) all seem to have different behaviors here.
I spoke with an integrator who had used Dahua OEM product from ~2011 onward, and those had admin/admin hard-coded and seemingly unchangeable. Dahua USA "official" products have been recent, and so their firmware has telnet disabled by default. I have some Dahua gray market Amazon cameras where the telnet admin password changes with the web UI admin password.
All of the above is what makes it very difficult for users to know if they are affected. Part of the problem lies in exactly which variant of a Dahua camera you have. Oddly enough, people who bought through official channels (Dahua OEMs) may be at much higher risk than people who bought through rogue importers.
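
An added example, not part of the original thread: because the answers above attribute infection to telnet being reachable from the internet rather than to LAN-to-LAN scanning, this Python check compares a camera inventory against router port-forward rules and lists the devices whose telnet service is exposed. The device names, addresses, forward rules and the `LOCAL_NETS` list are constructed assumptions; the list is not Mirai's own exclusion list.

```python
import ipaddress

# Ranges treated as "local" here: loopback, RFC 1918 private space and
# link-local. This is an assumption for the example, not Mirai's actual list.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16",
)]
TELNET_PORT = 23


def is_local(addr):
    """True if addr is in a range that a scanner skipping local space never generates."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_NETS)


def telnet_exposure(devices, forwards):
    """Return {device name: reason} for devices with telnet reachable from the internet.

    devices:  list of (name, ip, telnet_enabled)
    forwards: list of (wan_port, lan_ip, lan_port) router port-forward rules
    """
    exposed = {}
    for name, ip, telnet_enabled in devices:
        if not telnet_enabled:
            continue  # nothing listening, so nothing to reach
        if not is_local(ip):
            exposed[name] = f"public address {ip}, telnet directly reachable"
            continue
        for wan_port, lan_ip, lan_port in forwards:
            if lan_ip == ip and lan_port == TELNET_PORT:
                exposed[name] = f"WAN port {wan_port} forwarded to {ip}:{lan_port}"
                break
    return exposed


# Constructed inventory and router rules (not from the thread).
DEVICES = [
    ("cam-lobby", "192.168.1.108", True),   # behind NAT, telnet forwarded
    ("cam-dock", "192.168.1.109", True),    # behind NAT, only HTTP forwarded
    ("cam-gate", "203.0.113.7", True),      # directly on a public address
    ("cam-roof", "192.168.1.110", False),   # telnet disabled in firmware
]
FORWARDS = [(23, "192.168.1.108", 23), (8080, "192.168.1.109", 80)]

if __name__ == "__main__":
    for name, reason in telnet_exposure(DEVICES, FORWARDS).items():
        print(f"{name}: {reason}")
```

The check covers static forwards only; a DMZ host setting or UPnP-created mappings on the router would need to be exported into `FORWARDS` as well.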