IOT Botnet Persirai


Is your CCTV camera staying with the fashionable DDoS trends, switching out its botnet malware like it’s changing its outfit? The rise of more sophisticated and malicious IoT botnet malware is certainly not a laughing matter when these powerful criminal technologies are used to take down websites and online services. However, the rise of other malware strains that are in the same basic category as Mirai (botnet-creation tools leveraging unsecured devices within the Internet of things) does echo the way in which tweaks to established classic clothing staples are released each season, grabbing the real-time headspace of the fashion-conscious.


After all, as we head into the warmer summer months, probably every CCTV camera, and even many DVRs, like to try on new malware. One of the most popular choices this season is Persirai – detected targeting more than 1000 different Internet protocol (IP) camera models, an estimated 122,069 total IP cameras. While cameras that should be considered “under-siege” by this malware are spread across the globe, the United States has the third-most potential targets (8.8%), below only China (20.3%) and Thailand (11.6%).


Mirai’s More Diabolical Cousin Still Under the Radar


Now to be clear, Persirai has not spread nearly as widely as Mirai, which had invaded at least 300,000 devices in 164 countries by October 2016 (and with some reports estimating more than half a million); it’s important to confirm that these more than 100,000 IoT devices are at risk rather than currently under control of the botnet.


The news still isn’t great. Using data gathered via the IoT search engine Shodan, researchers revealed that these 120,000+ IP cameras were configured in such a manner that they could fall victim to ELF_PERSIRAI.A.


Again, Persirai is part of a bigger and growing problem with the Internet of things: the lack of security within it is being used against the Web at large (well, whatever targets are chosen by the botnet’s master).


The reveal of the scope of Persirai is part of a continuing story that really is made for Hollywood. In 2016, the Mirai malware was busy rapidly recruiting (or enslaving, really) hundreds of thousands of CCTV cameras, DVRs, and other IoT devices – forming a massive botnet to be used in delivering a staggering volume of garbage requests for distributed denial of service (DDoS) attacks. Eventually, security researcher Brian Krebs was hit with one of the largest DDoS assaults of all time (September), the source code was released on a hacker forum by its author, and Krebs pointed to the specific individual whom his research concluded had programmed Mirai.


How Does it Work? Are the Device Owners Complicit?


Botnets are fundamentally about people not having control of their devices, and they succeed in large part because users don’t know that their device is being used for illicit purposes. Once the malware enters the device, the master is able to access the web interface of the camera through TCP port 81, using Universal Plug and Play (UPnP).


IP cameras often use UPnP, a set of standards and protocols that allow devices such as intelligent appliances, PCs, and peripherals to be incorporated into a network and recognize each other. Through UPnP, a device can act as a server by opening a port on the router. This technology was widely praised as a functional tool in the past; however, more recently, it has become the increasing topic of security concerns since it presents a clear point of attack.
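The port-opening behaviour described above is something a defender can audit from the router side: a UPnP-capable gateway keeps a table of the mappings devices have requested, and any entry that forwards an internet-facing port to a camera’s administrative or streaming port is exactly the exposure this post warns about. The following script is an added example, not code from the original post or from any vendor tool; it parses a constructed listing laid out like the output of the `upnpc -l` command from miniupnpc (the line format is assumed, not taken from the post) and flags LAN devices whose risky ports have been mapped to the outside.

```python
"""Audit a UPnP port-mapping table for LAN devices exposed to the internet.

Added example (not from the original post). SAMPLE_LISTING is constructed
to resemble the table printed by `upnpc -l` (miniupnpc); the exact column
layout is an assumption of this example:
    i proto extPort->lanIP:lanPort 'description' 'remoteHost' leaseTime
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Inbound ports whose exposure on cameras / DVRs is most often abused.
# Port 81 is the camera web interface the post says Persirai's master uses.
RISKY_PORTS = {
    23: "telnet",
    80: "http admin interface",
    81: "http admin interface (alt)",
    554: "rtsp video stream",
    8080: "http admin interface (alt)",
}

MAPPING_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<proto>TCP|UDP)\s+(?P<ext>\d+)->"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<inport>\d+)\s+"
    r"'(?P<desc>[^']*)'\s+'(?P<remote>[^']*)'\s+(?P<lease>\d+)\s*$"
)

# Constructed sample: three camera-class devices plus one benign game mapping.
SAMPLE_LISTING = """\
 i protocol exPort->inAddr:inPort description remoteHost leaseTime
 0 TCP 49152->192.168.1.50:81 'IP Camera' '' 0
 1 UDP 27015->192.168.1.20:27015 'game server' '' 3600
 2 TCP 8554->192.168.1.51:554 'DVR' '' 0
 3 TCP 2323->192.168.1.52:23 'NVR' '' 0
"""


@dataclass
class Mapping:
    proto: str
    ext_port: int
    lan_ip: str
    lan_port: int
    description: str
    remote_host: str   # empty string means "any internet host may connect"
    lease: int         # 0 means the mapping never expires on its own


def parse_mappings(listing: str) -> list[Mapping]:
    """Return one Mapping per table row; header and unparseable lines are skipped."""
    mappings = []
    for line in listing.splitlines():
        m = MAPPING_RE.match(line)
        if not m:
            continue
        mappings.append(Mapping(
            proto=m["proto"],
            ext_port=int(m["ext"]),
            lan_ip=m["ip"],
            lan_port=int(m["inport"]),
            description=m["desc"],
            remote_host=m["remote"],
            lease=int(m["lease"]),
        ))
    return mappings


def find_exposures(mappings: list[Mapping]) -> list[dict]:
    """Flag mappings that expose a risky LAN port to the internet.

    A mapping with no remote-host restriction and a permanent lease is the
    worst case: anyone can reach the device's admin interface indefinitely.
    """
    exposures = []
    for m in mappings:
        service = RISKY_PORTS.get(m.lan_port)
        if service is None:
            continue
        open_to_all = m.remote_host == ""
        severity = "high" if (open_to_all and m.lease == 0) else "medium"
        exposures.append({
            "lan_ip": m.lan_ip,
            "lan_port": m.lan_port,
            "service": service,
            "external": f"{m.proto}/{m.ext_port}",
            "description": m.description,
            "severity": severity,
        })
    return exposures


if __name__ == "__main__":
    for e in find_exposures(parse_mappings(SAMPLE_LISTING)):
        print(f"[{e['severity']}] {e['lan_ip']}:{e['lan_port']} ({e['service']}) "
              f"reachable via {e['external']} - '{e['description']}'")
```

Run against a real router the same logic applies to whatever the gateway's own UPnP listing looks like; only the regular expression needs adjusting. Any camera that shows up here is a candidate for the remediation the post recommends: disable UPnP on the device (or on the router) and remove the mapping.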


If a hacker logs into the visible interface, they can direct the camera to a site from which a shell script is downloaded and executed on it. From that point forward, a remote master can transmit commands to the device – and to all devices in its botnet – to invade and infect other vulnerable IP cameras through a zero-day vulnerability uncovered in March. The way that the malware is exploiting the cameras allows it to retrieve password files, so that it can perform a command injection no matter how complex your password is.


In this manner, Persirai creates a greater threat than Mirai does. The central goal of Persirai and Mirai is the same, though: in response to commands from the master server, the IoT devices are used to DDoS target systems via user datagram protocol (UDP) floods. The remote server controlling this botnet is a .IR machine (Iran-based), and Persian characters are used in the code.
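From the network-operator side, the UDP floods described above are visible long before a victim notices, because each infected camera suddenly emits thousands of UDP packets per second toward one destination. The script below is an added example, not from the original post, showing the detection logic over a handful of constructed NetFlow-style records: it buckets UDP traffic into fixed windows per source/destination pair, flags pairs whose packet rate exceeds a threshold, and then counts how many internal sources are hammering the same target, which is the signature of several bots in one botnet sharing an order from the master. The field layout of the records and the threshold value are assumptions of this example.

```python
"""Detect UDP-flood behaviour from flow records, per (source, destination) pair.

Added example (not from the original post). SAMPLE_FLOWS is a constructed
CSV in an assumed NetFlow-like layout:
    timestamp,src_ip,dst_ip,proto,packets,bytes
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: three LAN cameras flooding 203.0.113.10 (documentation
# address range), plus ordinary low-rate UDP (DNS/NTP-sized) and a TCP flow.
SAMPLE_FLOWS = """\
2017-05-10T12:00:00Z,192.168.1.50,203.0.113.10,UDP,54000,3240000
2017-05-10T12:00:00Z,192.168.1.51,203.0.113.10,UDP,61000,3660000
2017-05-10T12:00:00Z,192.168.1.52,203.0.113.10,UDP,58000,3480000
2017-05-10T12:00:00Z,192.168.1.20,198.51.100.7,UDP,40,6400
2017-05-10T12:00:00Z,192.168.1.50,8.8.8.8,UDP,12,1200
2017-05-10T12:00:30Z,192.168.1.50,203.0.113.10,UDP,57000,3420000
2017-05-10T12:00:30Z,192.168.1.30,203.0.113.10,TCP,500,400000
"""


def parse_flows(text: str) -> list[dict]:
    """Parse CSV flow records into dicts with an epoch-seconds timestamp."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, packets, nbytes = line.split(",")
        epoch = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ") \
            .replace(tzinfo=timezone.utc).timestamp()
        flows.append({
            "ts": epoch, "src": src, "dst": dst, "proto": proto,
            "packets": int(packets), "bytes": int(nbytes),
        })
    return flows


def detect_udp_floods(flows: list[dict], window_s: int = 60,
                      pps_threshold: float = 500.0) -> list[dict]:
    """Return one alert per (window, src, dst) whose UDP packet rate is too high.

    Packets are summed per fixed window so that several short flow records
    from the same bot add up; the rate is packets / window length.
    """
    totals: dict[tuple[int, str, str], int] = defaultdict(int)
    for f in flows:
        if f["proto"] != "UDP":
            continue
        bucket = int(f["ts"] // window_s)
        totals[(bucket, f["src"], f["dst"])] += f["packets"]

    alerts = []
    for (bucket, src, dst), packets in totals.items():
        pps = packets / window_s
        if pps > pps_threshold:
            alerts.append({
                "window_start": bucket * window_s, "src": src, "dst": dst,
                "packets": packets, "pps": round(pps, 1),
            })
    alerts.sort(key=lambda a: a["pps"], reverse=True)
    return alerts


def targets_by_source_count(alerts: list[dict]) -> dict[str, int]:
    """Count distinct flooding sources per destination: many-to-one is the DDoS shape."""
    sources: dict[str, set] = defaultdict(set)
    for a in alerts:
        sources[a["dst"]].add(a["src"])
    return {dst: len(srcs) for dst, srcs in sources.items()}


if __name__ == "__main__":
    alerts = detect_udp_floods(parse_flows(SAMPLE_FLOWS))
    for a in alerts:
        print(f"UDP flood: {a['src']} -> {a['dst']} at {a['pps']} pps "
              f"({a['packets']} packets in window)")
    for dst, n in targets_by_source_count(alerts).items():
        print(f"{dst} is being flooded by {n} internal source(s)")
```

The threshold here is deliberately simple; in practice you would baseline each camera's normal UDP rate (a few packets per second for DNS and NTP) and alert on a large multiple of it. The useful part for incident response is the last step: a list of internal addresses all flooding one target is both your bot inventory and the evidence that the devices are answering to an external controller.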


Persirai is understood in the security community as a spinoff of Mirai since it uses a lot of the code that was open-sourced by Mirai’s author last October. Although Persirai seems to come from a different author, it is also possible that Persirai was created by the original coder to include additional features and make the code more confusing.


The zero-day vulnerability mentioned above – which allows access of the password – is the primary “upgrade” from Mirai to Persirai. While the former takes a brute-force approach to break into devices, this one leverages a security loophole to grab the login details directly.


This new malware is also important because it signals to security researchers that the people behind this particular version of IoT botnet malware have the acumen to understand the use of exploits to gather passwords. Since that’s the case, device users are wise to immediately patch their devices when new vulnerabilities are discovered.


With the rise of the Internet of things among consumers, industry thought-leaders have projected that the perpetrators of DDoS attacks will shift from NTP and DNS servers to unprotected devices. That’s a particular concern because so many everyday users don’t adhere to strong security practices.


To make Internet of things devices safe, users should go beyond simply protecting against Persirai by disabling UPnP (so devices can’t suddenly open ports to the internet) and also change their passwords from the default – after all, those default passwords are the only way Mirai can get access.


Other general and immediate tips for IP camera and IoT security include:


  • Prioritize updating and patching devices.
  • Make your passwords complex and outlaw defaults.
  • Use two-factor authentication if that feature is an option.
  • If 2FA is not available, consider recommending to your device manufacturer that they include it in their next update.


Why is the Internet of Things so Prone to Insecurity?


IP cameras, routers, thermostats, and other IoT devices are often gluttons for punishment when it comes to cyberattack because the original equipment manufacturer (OEM) of the device is focused on reducing time-to-market at the expense of properly protecting their products. The consumers and even businesses who use them may not understand how critical it is to nix default credentials.


The real downside is that we are not headed in the right direction with the Internet of things, even though more devices are coming online all the time. All these additional nodes can potentially be exploited by bad actors. The devices aren’t only footsoldiers for DDoS attacks but can serve as gateways into the network, leading to additional issues such as espionage.




The rise of the Internet of things is a reminder to owners of devices to keep their systems protected, and for all of us to defend ourselves against DDoS attacks from IoT botnets and others. At Total Server Solutions, we help you prevent attacks before they impact your business! See our DDoS Mitigation Solutions.