Unit 42 researchers have identified a new variant of the IoT/Linux botnet Tsunami, which they are calling Amnesia. The Amnesia botnet targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in March 2016 in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide.
The vulnerability affects approximately 227,000 devices around the world, with Taiwan, Turkey, and India among the most exposed. In fact, five of the top 10 areas with compromised devices are in Asia.
Top 10 countries and territories for potentially vulnerable TVT Digital DVR devices:
1. Taiwan 47,170
2. US 44,179
3. Israel 23,355
4. Turkey 11,780
5. India 9,796
6. Malaysia 9,178
7. Mexico 7,868
8. Italy 7,439
9. Vietnam 6,736
10. UK 4,402
Unit 42 researchers noted that the Amnesia malware is likely the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. "Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it's running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualised Linux system by deleting all the files in the file system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on virtual private servers (VPS) or on public cloud," noted Unit 42 researchers.
According to the three authors, a successful attack results in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch distributed denial of service (DDoS) attacks similar to the Mirai botnet attacks seen last year.
"Even though this vulnerability was disclosed over a year ago, despite our best efforts, we have been unable to find updates that fix this vulnerability," said the researchers.
Unit 42 is the research arm of Palo Alto Networks. Palo Alto Networks has blocked the domains used by this malware for command and control.
Interested?
Check the list of DVR devices impacted
Read the blog post from Unit 42, which discusses the origins of the malware, its discovery, indicators of compromise and research from other parties
posted from Bloggeroid