Until now, all malware targeting IoT devices survived only until the user rebooted the equipment, which cleared the device's memory and erased the malware with it.
Intense Internet scans for vulnerable targets meant that devices survived only minutes before being reinfected, so users needed to secure devices with unique passwords or place them behind firewalls to prevent exploitation.
While researching the security of over 30 DVR brands, researchers from Pen Test Partners have discovered a new vulnerability that could allow the Mirai IoT worm and other IoT malware to survive device reboots, permitting the creation of a permanent IoT botnet.
"We’ve [...] found a route to remotely fix Mirai vulnerable devices," said Pen Test Partners researcher Ken Munro. "Problem is that this method can also be used to make Mirai persistent beyond a power off reboot."
Understandably, Munro and his colleagues decided to refrain from publishing any details about this flaw, fearing that miscreants might weaponize it and create non-removable versions of Mirai, a malware known for launching some of the biggest DDoS attacks known today.
But their research didn't stop there. The Pen Test team also discovered other vulnerabilities and details that Mirai could exploit to become relevant again, and an even larger threat than it was before.
All of these, if exploited, could allow attackers to breathe new life into Mirai, an IoT malware family that has been slowly losing ground to newcomers such as Persirai, BrickerBot, or the older Hajime worm.
In addition, last week, Dahua Technologies, one of the companies whose devices were among the main cannon fodder for Mirai DDoS botnets, announced a partnership with Synopsys Solutions, a cyber-security company, with the intent of hardening the firmware of its devices against IoT malware.
Dahua is the second DVR vendor to take action against Mirai, after Hangzhou Xiongmai Technology announced last year that it would recall several types of IP cameras that were vulnerable to the Mirai malware.
Unfortunately, Xiongmai couldn't do the same for its line of DVRs, which the company created and sold as white-label products to a large number of other vendors, who put their own logo on them and resold the DVRs as their own products.
In their most recent research, the Pen Test crew tracked down most of the DVRs vulnerable to Mirai attacks to the white-label DVRs sold by Xiongmai, and a tool called "makepack," which Xiongmai provided to vendors that bought its white-label DVRs.
"We believe this is the root cause of the Mirai issue," Munro explains. "XiongMai provided insufficient customization detail to the DVR vendors, resulting in default creds being found in production systems."