Mirai botnet army could have been larger and more destructive

The massive Mirai distributed denial of service (DDoS) attack that took down Dyn DNS last fall, knocking out dozens of high-profile websites, could have been much worse if the malicious actors had done a bit more research.

Researchers at Pen Test Partners found seven additional vulnerabilities across the 30 different DVR brands they tested, including a buffer overflow reachable over an exposed port that could have placed an additional one million devices under the attackers' control, and a way to patch a DVR against Mirai that can also be used to make the malware persistent on the device. Other findings include the ability to use a DVR to turn off a home alarm.

Pen Test also believes Chinese manufacturer XiongMai, which produces many of the DVRs on the market, is the true common denominator behind the problems found.

Possibly the biggest flaw overlooked by the Mirai attackers was an exploitable buffer overflow over port 80. Port 80 is normally used to allow remote viewing of the stored video.

“This is likely to make for a scary botnet; as port 80 is more likely to be externally available – it's required for remote access from a smartphone to remotely view DVR video feeds. We found a number of XM based DVRs that didn't offer telnet by default, but did publish port 80. This suggests that the potential botnet that could be created could easily be larger than could be created by Mirai,” Pen Test researcher Ken Munro said, adding that this could have meant an extra one million devices being recruited for the botnet army.

The folks at Pen Test also found a way to potentially maintain the size of any Mirai botnet army assembled by making the infection persistent, but the team did not offer any additional information in order to keep the vulnerability under wraps.

“We've also found a route to remotely fix Mirai vulnerable devices. Problem is that this method can also be used to make Mirai persistent beyond a power off reboot. Hajime and BrickerBot used a different, less effective method. Do we publish or not? Currently we're thinking not,” Munro said.

Munro also described what he called the root cause that enables these DVRs to be recruited into botnets. Since XiongMai is a white label manufacturer, it has created a utility that shows its customers how to customise the DVRs to fit their needs. The utility covers basics like branding, functionality and credentials, but also how to pack new binaries for each DVR.

“This was the motherlode!” Munro wrote, “It creates a single monolithic binary called ‘Sofia' which provides all DVR and remote access functionality. We believe this is the root cause of the Mirai issue – XiongMai provided insufficient customisation detail to the DVR vendors, resulting in default creds being found in production systems.”

One other flaw discussed centres on the RS232 (Bluetooth) interface most DVRs have in order to connect to or monitor other devices. Because so many home security systems now include a camera, it is quite common to connect these to a DVR to store the video. However, Pen Test found it possible to go through the connected DVR and deactivate the house alarm.