Until now, all malware targeting IoT devices survived only until the user rebooted the device, which cleared its memory and erased the malware.
Intense Internet scans for vulnerable targets meant that devices survived only minutes before they were reinfected, so users needed to secure devices with unique passwords or place them behind firewalls to prevent exploitation.
New vulnerability allows for permanent Mirai infections
While researching the security of over 30 DVR brands, researchers from Pen Test Partners have discovered a new vulnerability that could allow the Mirai IoT worm and other IoT malware to survive between device reboots, permitting the creation of a permanent IoT botnet.
“We’ve […] found a route to remotely fix Mirai vulnerable devices,” said Pen Test Partners researcher Ken Munro. “Problem is that this method can also be used to make Mirai persistent beyond a power off reboot.”
Understandably, Munro and his colleagues decided to refrain from publishing any details about this flaw, fearing that miscreants might weaponize it and create non-removable versions of Mirai, a malware known for launching some of the biggest DDoS attacks known today.
Other flaws could bring back Mirai from the dead
But their research didn’t stop there. The Pen Test team also discovered other vulnerabilities and details that Mirai could exploit to become relevant and an even larger threat than it was before.
⧐ New DVR default credentials that could be added to Mirai’s built-in worm component (which spreads to new devices by launching brute-force attacks on the Telnet port using a list of default admin credentials)
⧐ A non-standard Telnet port (12323) that some DVRs used as an alternative to the standard Telnet port 23.
⧐ A remote shell on some DVR brands when authenticating via port 9527 with credentials “admin/[blank]” and “admin/123456.”
⧐ A DVR brand that used daily-changing passwords, which were…
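For defenders, the ports named in the list above (23, 12323 and 9527) are worth watching at the network edge. The following is an added example, not code from the article or from Pen Test Partners: it flags inbound TCP attempts to those ports in firewall logs and picks out sources that probe more than one of them. The netfilter-style log format, the function names and all addresses are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Ports named in the article: standard Telnet, the alternate DVR Telnet port,
# and the DVR remote-shell port.
WATCHED_PORTS = {23: "telnet", 12323: "alt-telnet (DVR)", 9527: "DVR remote shell"}

# Assumed log format: netfilter LOG-style lines carrying SRC=, DST=, PROTO=, DPT=.
LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=TCP .*?DPT=(?P<dpt>\d+)")

# Constructed sample lines (documentation address ranges), not real traffic.
SAMPLE_LOG = """\
Jan 10 03:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 PROTO=TCP SPT=41822 DPT=23 SYN
Jan 10 03:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 LEN=40 PROTO=TCP SPT=41823 DPT=12323 SYN
Jan 10 03:14:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.21 LEN=40 PROTO=TCP SPT=41830 DPT=9527 SYN
Jan 10 03:15:11 gw kernel: IN=eth0 OUT= SRC=192.0.2.44 DST=198.51.100.20 LEN=40 PROTO=TCP SPT=50100 DPT=443 SYN
Jan 10 03:16:40 gw kernel: IN=eth0 OUT= SRC=192.0.2.99 DST=198.51.100.21 LEN=40 PROTO=TCP SPT=50222 DPT=23 SYN
Jan 10 03:17:02 gw kernel: IN=eth0 OUT= SRC=192.0.2.50 DST=198.51.100.20 LEN=60 PROTO=UDP SPT=5353 DPT=23
"""

def watched_hits(log_text):
    """Map each source IP to the set of (dst, port) pairs it tried on watched ports."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and int(m["dpt"]) in WATCHED_PORTS:
            hits[m["src"]].add((m["dst"], int(m["dpt"])))
    return dict(hits)

def sweepers(hits, min_ports=2):
    """Sources probing several watched ports: consistent with worm-style scanning."""
    return sorted(src for src, pairs in hits.items()
                  if len({port for _, port in pairs}) >= min_ports)

def exposed_targets(hits):
    """Destination addresses that received watched-port traffic and need firewall review."""
    return sorted({dst for pairs in hits.values() for dst, _ in pairs})

if __name__ == "__main__":
    hits = watched_hits(SAMPLE_LOG)
    for src, pairs in sorted(hits.items()):
        for dst, port in sorted(pairs):
            print(f"{src} -> {dst}:{port} ({WATCHED_PORTS[port]})")
    print("multi-port sources:", sweepers(hits))
    print("devices to review:", exposed_targets(hits))
```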