Mirai

Until now, all malware targeting IoT devices survived only until the user rebooted his equipment, which cleared the device's memory and erased the malware from the user's equipment.

Intense Internet scans for vulnerable targets meant that devices survived only minutes until they were reinfected again, which meant that users needed to secure devices with unique passwords or place behind firewalls to prevent exploitation.

New vulnerability allows for permanent Mirai infections

While researching the security of over 30 DVR brands, researchers from Pen Test Partners have discovered a new vulnerability that could allow the Mirai IoT worm and other IoT malware to survive between device reboots, permitting for the creation of a permanent IoT botnet.

"We’ve [...] found a route to remotely fix Mirai vulnerable devices," said Pen Test Partners researcher Ken Munro. "Problem is that this method can also be used to make Mirai persistent beyond a power off reboot."

Understandably, Munro and his colleagues decided to refrain from publishing any details about this flaw, fearing that miscreants might weaponize it and create non-removable versions of Mirai, a malware known for launching some of the biggest DDoS attacks known today.

Other flaws could bring back Mirai from the dead

But their research didn't stop here. The Pen Test team also discovered other vulnerabilities and details that Mirai could exploit to become relevant and even a larger threat than it was before.

⧐ New DVR default credentials that could be added to Mirai's built-in worm component (which spreads to new devices by launching brute-force attacks on the Telnet port using a list of default admin credentials)
⧐ A non-standard Telnet port (12323) that some DVRs used as an alternative to the standard Telnet port 23.
⧐ A remote shell on some DVR brands when authenticating via port 9527 with credentials "admin/[blank]" and "admin/123456."
⧐ A DVR brand that used daily-changing passwords, which were unfortunately published online in its documentation.
⧐ A buffer overflow bug present in the firmware of over 1 million Internet-connected DVRs. Researchers claim this bug could be exploited via port 80, which is the DVR's built-in web server. This server comes enabled by default for most devices to allow users to manage DVRs from a remote location.
⧐ A directory traversal bug that allows attackers to recover password hashes from remote DVRs.

All of these, if exploited, could allow attackers to blow new life into Mirai, an IoT malware family that has been slowly losing ground to newcomers such as Persirai, BrickerBot, or the older Hajime worm.

Vendors working to protect devices from future IoT malware

In addition, last week, Dahua Technologies, one of the companies whose devices were one of the main cannon fodder for Mirai DDoS botnets, announced a partnership with Synopsys Solutions, a cyber-security company, with the intent of improving the firmware of its devices against IoT malware.

This is the second DVR vendor that takes action against Mirai after last year Hangzhou Xiongmai Technology announced it would recall several types of IP cameras that were vulnerable to Mirai malware.

Unfortunately, Xiongmai couldn't do the same for its line of DVRs, which the company created and sold as white-label products to a large number of other vendors, who slapped their logo on top and resold the DVRs as their own products.

In their most recent research, the Pen Test crew tracked down most of the DVRs vulnerable to Mirai attacks to the white-label DVRs sold by Xiongmai, and a tool called "makepack," which Xiongmai provided to vendors that bought its white-label DVRs.

"We believe this is the root cause of the Mirai issue," Munro explains, "XiongMai provided insufficient customization detail to the DVR vendors, resulting in default creds being found in production systems."