Turn a group of surveillance cameras into a botnet? Nothing is easier
For a long time, information security experts have said that modern IoT devices and systems are poorly protected from outside interference. Some of them are not protected at all, and even a schoolboy can crack a gadget or the whole system. About a year ago, specialists from Proofpoint discovered a botnet, the main elements of which were home-based “smart” technology. As it turned out, televisions and even one refrigerator were included in the botnet .
Hack in questionwas carried out between between December 23, 2013 and January 6, 2014. The gadgets that make up the botnet sent emails three times a day in batches of 750 thousand at a time from 100 thousand devices (yes, it was a big botnet) to enterprises and individuals around the world. But it’s easiest for attackers, as it turned out, to use not a refrigerator or a TV, but a security camera connected to the Web to create a botnet.
In this case, it is security cameras that are one of the most common IoT devices. Reports have already been published on the webaccording to which last year around 245 million surveillance cameras were operating around the world. And these are only those that are installed professionally, of which something is known. In addition to them, there are millions of other cameras installed, figuratively speaking, by housewives who do not know anything about security and, accordingly, who have not used the security settings for their devices.
Based on the foregoing, it is not at all surprising that botnets consisting of surveillance cameras are one of the most active. So, recently it became known about an attack like "HTTP flood", with a peak rate of 20,000 requests per second. Incapsula specialists decided to study this attack , who were surprised to find that the botnet included cameras installed near the office of this company.
After a detailed study, it also turned out that default login / password combinations are used to access the settings of most cameras (which is not at all surprising, the scale of this problem is huge). One of the cameras was installed at a shopping center, a five-minute drive from the company’s office. Experts helped the owners of the center configure the cameras correctly, but there were still dozens and hundreds of devices, the owners of which they could not help with all their desire.
Some attack details
As mentioned above, the attack consisted of using HTTP GET floods with a peak rate of 20,000 requests. This traffic was generated by a total of 900 surveillance cameras from around the globe. The target of the attack is a large cloud service serving millions of users around the world.
All the jailbroken devices worked on Linux with BusyBox - a package of Unix utilities, assembled into a single package, and intended for devices with limited resources.
Malware turned out to be an ELF binary for ARM, one of the ELF_BASHLITE variants . This malware scans network devices with BusyBox, looking for Telnet / SSH services that are easy to crack by dictionary bruteforce.
In this case, maleware had the ability to independently launch HTTP Get flood DDoS attacks from compromised devices.
Few requests
$ strings .btce @ #! gfffd gfff root toor admin user guest login changeme 1234 12345 123456 default pass password :>%$# 31.169.77.242:5 (null) /bin/sh /proc/cpuinfo BOGOMIPS PING %d.%d.%d.%d %d.%d.%d.0 ogin: assword: ncorrect /bin/busybox;echo -e '\147\141\171\146\147\164' gayfgt multi-call REPORT %s:%s:%s REPORT %s:%s: Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en] Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; FunWebProducts; .NET CLR 1.1.4322; PeoplePal 6.2) Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MRA 5.8 (build 4157); .NET CLR 2.0.50727; AskTbPTV/5.11.3.15590) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322) Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729) Mozilla/4.0 (compatible; MSIE 8 .0; Windows NT 6.0; Trident/4.0; Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1); .NET CLR 3.5.30729) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0) Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3 Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3 Mozilla/5.0 (Linux; U; Android 2.2; fr-fr; Desire_A8181 Build/FRF91) App3leWebKit/53.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.5 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.4 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11 Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11 Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1 Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Mozilla/5.0 (Windows NT 6.0; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11 Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (Windows NT 6.1; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Windows NT 6.1; rv:2.0b7pre) Gecko/20100921 Firefox/4.0b7pre Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.57 Safari/536.11 Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.56 Safari/536.5 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (Windows NT 6.1; WOW64; rv:5.0) Gecko/20100101 Firefox/5.0 Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:13.0) Gecko/20100101 Firefox/13.0.1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0.1 Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.229 Version/11.60 GET /%s?%d HTTP/1.1 Host: %s Connection: keep-alive Accept-Encoding: gzip,deflate,sdch Accept: */* Accept-Language: en-US,en;q=0.8 User-Agent: %s Cache-Control: max-age=0 HTTP Failed opening raw socket. Failed setting raw headers mode. Invalid flag "%s" PING PONG! GETLOCALIP My IP: %s SCANNER SCANNER ON | OFF HOLD HOLD Flooding %s:%d for %d seconds. HTTP Flooding %s:%d for %d seconds. JUNK JUNK Flooding %s:%d for %d seconds. UDP Flooding %s for %d seconds. UDP Flooding %s:%d for %d seconds. TCP Flooding %s for %d seconds. KILLATTK Killed %d. None Killed. LOLNOGTFO 8.8.8.8 /proc/net/route MAC: %02X:%02X:%02X:%02X:%02X:%02X BUILD %s PONG %s 2>&1 %s: __is*{_l}(%d,%#x {locale}) /dev/null (nil) +0-#'I npxXoudifFeEgGaACScs hlLjztqZ CAk[S — See more at: www.incapsula.com/blog/cctv-ddos-botnet-back-yard.html#sthash.PBKyc8Hl.dpuf
Access to the hacked cameras was carried out from various places, which may indicate the work of several people.
In conclusion
Despite the fact that such a problem has already been discussed more than a dozen (yes there, a hundred) times, it remains relevant. In some even well-equipped companies, security cameras and IoT devices are treated like ordinary pieces of iron, which you can simply install and forget.
In fact, now even irons (exaggerate, yes) are equipped with a wireless communication module. Therefore, it is better to make sure that no one can access the conditional iron. Otherwise, it can then be excruciatingly painful.