Infecting DVRs with Bitcoin-mining malware even easier than you suspected

It took just one day for a low-end, Internet-connected digital video recorder to become infected with malware that surreptitiously mined Bitcoins on behalf of the quick-moving attackers.

The feat, documented in a blog post published Monday by researchers at the security-training outfit Sans Institute, was all the more impressive because the DVR contained no interface for downloading software from the Internet. The lack of a Wget, ftp, or kermit application posed little challenge for the attackers. To work around the limitation, the miscreants used a series of Unix commands that effectively uploaded and executed a Wget package and then used it to retrieve the Bitcoin miner from an Internet-connected server.

Monday's observations from Sans CTO Johannes Ullrich are part of an ongoing series showing the increasing vulnerability of Internet-connected appliances to malware attacks. In this case, he bought an EPCOM Hikvision S04 DVR off eBay, put it into what he believes was its factory new condition, and connected it to a laboratory "honeypot" where it was susceptible to online attackers. In the first day, it was probed by 13 different IP addresses, six of which were able to log into it using the default username and password combination of "root" and "12345."

One of the attackers went even further. After gaining root control of the video recorder, the hacker used standard Unix "echo" commands entered through the telnet interface to install a Bitcoin-mining app. Theoretically, the DVR was now solving the complex cryptographic problems required for the operators to mint new digital coins. Using packet-sniffing software to monitor the data the compromised box was sending over the Internet, Ullrich was able to determine it was connecting to a mining server that relies on large numbers of machines to carry out the work.

"Throughout the day, the server periodically pushes parameters to the miner, but I haven't seen the miner return anything yet, which probably underscores the fact that these miners are pretty useless due to their weak CPUs," Ullrich wrote. "The DVR did get infected multiple times, but none of the attackers changed the default password, or removed prior bitcoin miners."

The Hikvision DVR joins a growing list of other devices, including Android smartphones and routers made by Linksys, D-Link, and Asus with Bitcoin-mining malware. As Ullrich notes, the stripped-down hardware contained in these devices makes them an unlikely host for such demanding apps. It's possible attackers are targeting the devices deliberately under the theory that even low-powered devices will deliver results if enough of them are enslaved at one time. It's also possible attackers are indiscriminately taking control of large numbers of devices for laughs or simply because they can.

Ullrich said the Hikvision DVR didn't ask him to change the default password during setup. Even when users move to manually change the passcode, the on-screen keyboard by default is set up to enter only numbers. Given the growing susceptibility of these devices to real-world attacks, DVR designers would do well to make it as easy as possible for owners to choose strong passwords as soon as possible after the devices are unpacked.

Listing image by Yskyflyer