'Amnesia' IoT botnet feasts on year-old unpatched vulnerability

Hackers have brewed up a new variant of the IoT/Linux botnet "Tsunami" that exploits a year-old but as yet unresolved vulnerability. The Amnesia botnet targets an unpatched remote code execution vulnerability publicly disclosed more than a year ago in DVR (digital video recorder) devices made by TVT Digital and branded by over …

  1. BebopWeBop

    an answers

    You'll be lucky.... But full marks for at least trying

  2. Anonymous Coward

    Linux botnet?

    I'm always being told how bulletproof Linux is and how "only Windoze lusers" have security problems.

    I am confuse.

    1. DCFusor

      Re: Linux botnet?

      Linux *can* be made very secure, and most mainline desktop distros do a decent job of that.

      Now, when you talk about stripped down versions made to fit in dirt-cheap hardware, that leave out various things to save money (space), and add various debug hooks, to save programmer time...we have a different situation.

      If you think of linux as just the kernel...well, the kernel, assuming (wrongly) that they're using a newer one, is fairly decent. If you're talking about the entire environment (which some would call GNU/Linux) it's a matter of implementation and setup. These manufacturers are trying to make it easy for themselves, and sometimes, the user, by skipping all that bothersome real security.

      For whatever reason, the various debug hooks are often left in the product, whether it be they are just forgotten, laziness, the idea that the manuf could support the product better (yes, I'm laughing too), and most of the things we see as issues are due to those. Maybe the developer found them hard to configure in the first place and left them in for later...again, to save time/money in the short term (which is all most of them consider - because that's all they are paid for).

      Any operating system that allows developers to write applications can be brought to its knees this way, if the app or configuration can say "let someone in to do things". Good security is hard, and the average developer hasn't a clue how to balance that with ease of use - or even have it at all.

      Windows is unlikely to be used (or other opsys) as being closed source and full fat, it's hard to make anything small work with them at all, not to mention the other costs. So if you can find a windows IoT thing, it's probably safe!

    2. Paul Crawford

      Re: Linux botnet?

      It's simple really, if you take any OS and put in hard-coded passwords, or have badly configured web servers running with administrator rights, you have a cluster-fsk coming.

      As for Winnows vs. Linux on the desktop it is, as usual, a complex question. If one is configured and used by a competent person and the other by a total muppet, you can guess what the outcome is without knowing which OS is which.

      If compared on equal terms the two kernels have roughly the same number of serious flaws at any point in time, but Windows "enjoys" a much richer ecosystem of malware to exploit it and sadly many of the past MS decisions to make it easier to use (e.g. hiding file extensions, making execution rights part of the file name, etc) only serve to make matters worse for the average user.

    3. jake

      Re: Linux botnet?

      It's not actually a Linux bug. It's a simple rookie scripting error.

      1. sabroni
        Meh

        Re: It's not actually a Linux bug. It's a simple rookie scripting error.

        Isn't it strange how this sort of comment gets upvoted when Linux is the host. I wonder if a simple scripting error on Windows would be commented on so favourably....

  3. Anonymous Coward

    Meh...

    It looks like an advert for Unit 42. If you go to their "report", there's no actionable info there. They claim 70 vendors' DVRs have this vulnerability, but they don't name them nor the models affected. So basically, it's just saying "There's a bogey man someplace, but we don't know or won't tell you where."

    1. fidodogbreath

      Re: Meh...

      The blog post link in the second paragraph contains a list of the affected vendors.

      http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

    2. Anonymous Coward

      Re: Meh...

      "If you go to their report, there's no actionable info there"...

      You mean other than:

      a list of IoCs,

      a link to the blog that lists all the affected vendors,

      links to the related Shodan and Censys searches,

      a detailed breakdown of the C2 communications...

      http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/#ioc

      http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html

      https://www.shodan.io/search?query=%22Cross+Web+Server%22

      https://censys.io/ipv4?q=%22Cross+Web+Server%22

  4. Doctor Syntax

    Meanwhile someone seems to have taken an alternative approach to insecure devices: https://www.bleepingcomputer.com/news/security/new-malware-intentionally-bricks-iot-devices/

  5. Anonymous South African Coward

    ...more fun and games, which we don't need.

  6. Anonymous Coward

    regulation required?

    "IoT/Linux botnet "Tsunami" that exploits a year-old but as yet unresolved vulnerability"

    The true vulnerability is the failure to update discovered vulnerabilities in devices. Maybe it will take regulation (think the way the financial system is regulated).

  7. Anonymous Coward

    https://github.com/freddiebarrsmith/CCTV-Remote-Code-Execution-Metasploit-Module

    I developed a metasploit module for this exploit
