
Amnesia malware forms DVR botnet and wipes virtual machines

12 Apr 2017

Palo Alto Networks’ Unit 42 researchers have discovered a brand new variant of the “Tsunami” IoT and Linux botnet, dubbed “Amnesia”.

The new variant targets an unpatched remote code execution vulnerability in DVR devices made by TVT Digital and branded by more than 70 vendors worldwide.

That remote code execution vulnerability was made public more than a year ago but appears never to have been patched. Amnesia can scan for, find and attack vulnerable systems, eventually gaining full control of the device.

Around 227,000 devices worldwide have been exposed. In Asia Pacific, Unit 42 researchers say Taiwan, India and Malaysia are the most vulnerable.

Researchers believe the Amnesia malware is the first Linux malware to use virtual machine evasion techniques to defeat sandboxes.

The malware is able to detect whether it is running on a VMware, VirtualBox or QEMU virtual machine. If it detects one, it wipes the virtualised Linux system by deleting all files on the file system.
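The hypervisor check described above can be turned around by defenders: run the same kind of lookup inside an analysis VM to see which vendor strings a VM-aware sample would find. This is an added example, not code from the article or from Unit 42; the DMI paths and marker substrings are assumptions based on common Linux guest values, not the artefacts Amnesia itself reads.

```python
"""Audit which hypervisor identification strings an analysis sandbox exposes."""

# Added example, not the article's or Unit 42's code. Amnesia is reported to
# look for VMware, VirtualBox and QEMU; which artefacts it reads is an
# assumption here. The marker substrings are common DMI values for each guest.
HYPERVISOR_MARKERS = {
    "VMware": ("vmware",),
    "VirtualBox": ("virtualbox", "innotek"),
    "QEMU": ("qemu", "bochs"),
}

# Standard sysfs DMI attributes that an unprivileged process in a Linux guest
# can usually read (assumed locations, present on most distributions).
DMI_PATHS = (
    "/sys/class/dmi/id/sys_vendor",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/bios_vendor",
)

# Constructed sample of what an unhardened VirtualBox guest typically reports.
SAMPLE_VBOX_ARTIFACTS = {
    "/sys/class/dmi/id/sys_vendor": "innotek GmbH",
    "/sys/class/dmi/id/product_name": "VirtualBox",
    "/sys/class/dmi/id/bios_vendor": "innotek GmbH",
}


def find_exposed_hypervisors(artifacts):
    """Return the set of hypervisor names whose markers appear in `artifacts`.

    `artifacts` maps an artefact name (e.g. a DMI path) to its text content.
    Matching is case-insensitive so 'VMware, Inc.' and 'VMWARE' both count.
    """
    exposed = set()
    for content in artifacts.values():
        text = content.lower()
        for name, markers in HYPERVISOR_MARKERS.items():
            if any(marker in text for marker in markers):
                exposed.add(name)
    return exposed


def read_dmi_artifacts(paths=DMI_PATHS):
    """Collect DMI strings from the running host; unreadable files are skipped."""
    artifacts = {}
    for path in paths:
        try:
            with open(path, encoding="utf-8", errors="replace") as fh:
                artifacts[path] = fh.read().strip()
        except OSError:
            continue
    return artifacts


if __name__ == "__main__":
    for label, data in (("sample", SAMPLE_VBOX_ARTIFACTS), ("this host", read_dmi_artifacts())):
        found = find_exposed_hypervisors(data)
        print(f"{label}: {', '.join(sorted(found)) or 'no hypervisor strings exposed'}")
```

If the script reports a hypervisor name on your sandbox, a sample with Amnesia's behaviour would have the same information available to it; masking those DMI values is a common sandbox-hardening step.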

Researchers believe the malware’s author was deliberately trying to ‘cause trouble’ for security researchers by inserting a hard-coded but functionally useless string, ‘fxxkwhitehats’, into the code.

The researchers say Amnesia hasn’t yet been used to conduct large scale attacks, but the Mirai botnet attacks show the potential for major damage to be done.

Researchers say that Amnesia presents key trends when it comes to IoT and Linux botnet threats, most notably that they can evade and wipe virtual machines.

IoT devices are also inherently exposed to remote code execution vulnerabilities, particularly devices produced by smaller manufacturers for which no patches are available on the market.

Amnesia also relies on hard-coded command-and-control (C2) addresses. If those addresses are blocked, it could prevent another large-scale attack of the kind seen with Mirai.

Finally, IoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices.
