Palo Alto’s Unit 42 has identified a new variant of the IoT/Linux botnet “Tsunami” dubbed “Amnesia” that targets commercial grade closed circuit TV DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide. About 227,000 devices are affected. Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems. Successful attacks result in Amnesia gaining full control of the device. Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks like the Mirai botnet attacks
Amnesia is believed to be the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes more commonly associated with Microsoft Windows and Google Android malware. Amnesia tries to detect whether it is running in a VirtualBox, VMware or QEMU based virtual machine. If it detects those environments it will wipe the virtualised Linux system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on the public cloud. Palo Alto Networks says that the aim is to make these machines part of a massive botnet that can be used for DDoS and other attacks. The only protection at present is to block access to the Command and Control Networks and use network protection that does this. No patch has been released by the maker TVT.
Palo Alto Networks adds that the malware reveals some interesting and notable trends of current IoT/Linux botnet threats:
• IoT/Linux malware has begun to adopt classic techniques to evade and even wipe virtual machines.
• IoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices. These are typically manufactured by smaller manufacturers and there may be no patch available so network security is the only solution.
• IoT/Linux malware may also affect Linux servers deployed in VPS or in public cloud.