Persirai Botnet Targets Internet-Connected Cameras

Researchers have uncovered a new botnet that takes over Internet-connected cameras in order to launch denial-of-service attacks, following in the footsteps of the notorious Mirai botnet.

The new malware, called Persirai, appears to be controlled by Iranian nationals, since the addresses of its command servers use the controlled .ir domain and special Persian characters were used in its code, according to Trend Micro.

120,000 vulnerable devices

Persirai targets more than 1,000 models of IP cameras and Trend found more than 120,000 vulnerable devices listed on the Shodan Internet of Things (IoT) search engine.

“Many of these vulnerable users are unaware that their IP Cameras are exposed to the internet,” Trend said in an advisory. “This makes it significantly easier for the perpetrators behind the malware to gain access to the IP Camera web interface via TCP Port 81.”

The IP cameras use a connection standard called Universal Plug and Play (UPnP), which allows them to open a port on the network’s router and connect to the external Internet as a server without any action on the user’s part, making them vulnerable to malware.

Persirai attacks cameras using a security bug made public several months ago, and installs code that causes the device to automatically begin attacking other cameras using the same vulnerability.

While running, the malware code blocks other attacks that make use of the same bug. Since it runs in memory only, the malware is disabled when the device is rebooted – but the device then also becomes vulnerable to attacks once again.

Infected cameras receive commands from the attacker’s servers that can direct distributed denial-of-service (DDoS) attacks against other systems, Trend said.

According to the company, the manufacturer of the device it tested said it had released a firmware update fixing the vulnerability used by Persirai, but Trend wasn’t able to find a more recent firmware version.

Botnet disruption

The security firm advised users to change the default passwords on their Internet-connected devices, if they haven’t already done so.

“Users should also disable UPnP on their routers to prevent devices within the network from opening ports to the external Internet without any warning,” Trend advised.
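As an added illustration (not code from Trend Micro or the original article), the following Python example audits a router's UPnP port-mapping table for the exposure described above: devices that have opened their own ports to the Internet. The sample table is constructed and assumes the row layout printed by miniupnpc's `upnpc -l`; the approved-host list and every port other than 81 are assumptions.

```python
import re

# Constructed sample of a router's UPnP port-mapping table. Assumed layout
# (as printed by miniupnpc's `upnpc -l`): index, protocol,
# exPort->inAddr:inPort, 'description', 'remoteHost', leaseTime.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP    81->192.168.1.64:81    'IPCAM' '' 0
 1 UDP 51413->192.168.1.20:51413 'Transmission at 51413' '' 3600
 2 TCP  8443->192.168.1.64:443   'IPCAM' '' 0
"""

ROW_RE = re.compile(
    r"^\s*\d+\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->(?P<host>[\d.]+):(?P<inport>\d+)"
    r"\s+'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

# 81 is the camera web-interface port named in the advisory; the other
# ports are assumed common web/admin ports.
WEB_ADMIN_PORTS = {80, 81, 443, 8080, 8443}

def parse_mappings(listing):
    """Return one dict per mapping row; the header and odd lines are skipped."""
    rows = []
    for line in listing.splitlines():
        m = ROW_RE.match(line)
        if m:
            row = m.groupdict()
            for key in ("ext", "inport", "lease"):
                row[key] = int(row[key])
            rows.append(row)
    return rows

def audit(rows, approved_hosts=frozenset()):
    """Return (row, reasons) for mappings nobody approved or that expose a web UI."""
    findings = []
    for r in rows:
        reasons = []
        if r["host"] not in approved_hosts:
            reasons.append("mapping opened by a host not on the approved list")
        if r["proto"] == "TCP" and {r["ext"], r["inport"]} & WEB_ADMIN_PORTS:
            reasons.append("web/admin interface reachable from the internet")
        if reasons and r["lease"] == 0:
            reasons.append("lease time 0, mapping has no expiry")
        if reasons:
            findings.append((r, reasons))
    return findings

if __name__ == "__main__":
    for row, reasons in audit(parse_mappings(SAMPLE_LISTING), {"192.168.1.20"}):
        print(f"{row['proto']} {row['ext']} -> {row['host']}:{row['inport']}: " + "; ".join(reasons))
```

Any flagged mapping that nobody on the network set up deliberately is a reason to turn UPnP off on the router, as the advisory recommends.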

DDoS attacks by Mirai and other IoT botnets prompted a similar warning from the US Department of Homeland Security (DHS) in October of last year.

In March, researchers said a Mirai variant had been used to carry out a 54-hour-long attack on a US college, and in April IBM uncovered another variant that used devices’ processing power to mine Bitcoins.

Mirai uses open source code that has been released to the public, making it simpler for attackers to create their own customised versions.

Last month the developer of BrickerBot, which aims to render vulnerable gadgets inoperable so that they can’t be used by botnets, said the tool had disabled two million devices to date.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.