New Botnet on the Block – Persirai

Twitter: @darrell_kesti

Move over Mirai, there is a new IoT botnet on the block – Persirai (Persian Mirai). This has been an interesting one to watch. First, this botnet was recently discovered by cybersecurity researches at Trend Micro (article here) and it targets 1,000 different models of vulnerable IP Cameras…yeah you didn’t misread that, 1,000 different types of cameras. The Trend team so far has found 122,069 infected IP Cameras across the globe by leveraging the Shodan IoT Search engine. The compromised devices have been found in China, Japan, Europe, and the Americas. So, what makes Persirai tick, and more importantly here are a few tips to Detect, Respond, and Contain impacted devices in your network?

Here are a few key items that make Persirai unique:

First, the attack targets the management web interface of the cameras.
These cameras use the Universal Plug and Play (UPnP) protocol that allows a device to open a port on a router, and act like a server bypassing the firewall security policy….well isn’t that convenient. :) To learn more about this protocol, check this out.
Once the device is accessed, the botnet injects a command to force the camera to connect to an Iranian download site – http://ntp.gtpnet.ir
Upon connecting to the download site, a malicious script is executed to install the malware.
After the install, the malware deletes itself and then runs in memory only. If you reboot, the malware stops, but you are still vulnerable to re-attack.
Now that you are infected, you are part of the botnet looking for other hosts and ready to be used by the attacker for other activities. Welcome to the party.

OK, so we know how this thing works now. What can you do about it?

Visibility: You can’t secure what you cannot see. You should be asking yourself, what is the inventory of IP Cameras deployed in our environment? If you are relying on an excel spreadsheet to do this, you do not really know what is out there. Technology exists to help you with automated Discovery and Classification of assets on your network, like IP Cameras. :)
Device Posture: OK, you found the cameras. What next?
- Confirm that the default admin passwords have been changed.
- Validate that the devices cannot be reached from the Internet. Specifically, any admin ports…commonly port 81.
- If the cameras are reaching out to the Internet, or are connected to a router, make sure that UPnP is not enabled on the router / firewall device.
Detection: So you found the devices, you validated their posture. How can you detect an attack if it occurs?
- DNS / Web Proxy: There appear to be 4 sites used for the Command and Control infrastructure of the botnet today. You will want to make sure these are blocked in your DNS and Web Proxy systems.
  Here they are: load.gtpnet.ir, ntp.gtpnet.ir, 185.62.189.232, 95.85.38.103.
  Any traffic to these sites should alert your security response teams.
- Segmentation / Positive Security: You should isolate your security cameras from internal resources in your network, via VLAN segmentation, ACLs, or Firewall rules. A positive security approach should be deployed that only allows communications from your cameras to the specific sites and internal systems the cameras need to operate. Disable protocols like UPnP to prevent dynamically openning up service ports. Building these controls will reduce your attack surface and create alerts if a device starts communicating in an unapproved or potentially harmful manner. It will help you with variants of Persiraj and other future botnets as well.
Response / Containment:
- You should develop a plan on how to contain devices should you detect any Persirai malware behavior. This can be done with manual intervention, or by deploying technology to automate your response policy and workflow when an infected device is detected.

Stay tuned for future IoT based botnets, I have a feeling there are more to come.