This discovery comes fresh on the heels of Mirai, which in 2016 similarly enlisted IoT devices – particularly DVRs and CCTV cameras – into a vast botnet to launch DDoS attacks.
The Trend Micro researchers detected more than 120,000 IP cameras susceptible to ELF_PERSIRAI.A via Shodan, with owners of the devices likely unaware that their device has been enlisted, granting easier access to the miscreants behind the malware to the IP camera's web interface via TCP Port 81.
"IP cameras typically use Universal Plug and Play (UPnP), which are network protocols that allow devices to open a port on the router and act like a server, making them highly visible targets for IoT malware," the researchers explained.
Once logged into the exposed interface, the bad actor can load a command injection to force the IP camera to connect to a download site whereupon shell scripts can be downloaded and executed.
Commands can then be sent from the remote server and cause the affected device to reach out to attack other IP cameras via a zero-day vulnerability that was revealed a few months ago. This will enable attackers to siphon out user password files, equipping them with all they need to do command injections regardless of password strength, the Trend Micro team explained.
But, it doesn't stop there. Commands are then sent from the C&C server to the device commanding it to launch a DDoS attack on other computers using User Datagram Protocol (UDP) floods.
Analysis by the researchers pinpointed an .IR address for the remote server, indicating it originated at an Iranian research institute. The team also detected Persian characters used by the malware author.
"With Mirai code being public it has allowed other coders to develop their own versions of a Mirai-like malware, as seen here with Persirai," Jon Clay, director of global threat communications at Trend Micro, told SC media on Tuesday. "We also regularly see cyber-criminals modify their malware, whether to add more features or to improve ability to obfuscate its code."
There aren't a lot of differences with this new bot from previous malware other than the use of a zero-day vulnerability that allows the threat actor to obtain the device's password, Clay told SC. Mirai used brute force credential stealing whereas this uses a exploit to get the device credentials, he said.
But, the coding does indicate that the bad actors behind it understand that the use of an exploit against a vulnerability can allow them to easily obtain account credentials and will continue to look for and use any new vulnerabilities found within IoT devices, Clay explained.
"As the Internet of Things gains traction with ordinary users, cybercriminals may choose to move away from Network Time Protocol (NTP) and Domain Name System (DNS) servers for DDoS attacks, instead concentrating on vulnerable devices – an issue compounded by users that practice lax security measures," the Trend Micro researchers warned.
As default passwords enable remote attackers to gain access, users are advised to change their default password, ensuring it is it robust.
But, that might not be enough, the Trend Micro team added. Users also should "disable UPnP on their routers to prevent devices within the network from opening ports to the external internet without any warning."
"This new botnet and malware should be a wake-up call for all IoT device owners and manufacturers to ensure they are regularly updating their devices with any new security patches and to support good login credentials," Clay said. "Moving to a two-factor authentication model would be a good option to use if it is available, and if not, manufacturers should invest in supporting it within their devices."