Palo Alto Networks’ Unit 42 researchers have discovered a brand new variant of the “Tsunami” IoT and Linux botnet, dubbed “Amnesia”.
The new variant targets an unpatched remote code execution vulnerability in DVR devices made by TVT Digital and branded by more than 70 vendors worldwide.
That remote code execution vulnerability was made public more than a year ago, but appears never to have been patched. Amnesia can scan for, find and attack vulnerable systems, eventually gaining full control of the device.
Around 227,000 devices worldwide have been exposed. In Asia Pacific, Unit 42 researchers say Taiwan, India and Malaysia are the most vulnerable.
Researchers believe the Amnesia malware is the first Linux malware to use virtual machine evasion techniques to defeat sandboxes.
The malware is able to detect whether it is running on a VMware, VirtualBox or QEMU virtual machine. If it detects one, it wipes the virtualised Linux system by deleting all files on the file system.
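The VM detection described above relies on hypervisor fingerprints that a Linux guest exposes in DMI fields and CPU flags. The following script is an added example, not code from the original report or from the malware, for sandbox operators who want to check which of those fingerprints their analysis box reveals; the marker strings and the DMI paths it reads are assumptions based on common hypervisor defaults.

```python
"""Report which hypervisor families (VMware, VirtualBox, QEMU) a Linux host
reveals through DMI vendor strings and /proc/cpuinfo, so a sandbox operator
knows whether a VM-aware sample would recognise the environment."""
import re
from pathlib import Path

# Substrings commonly found in DMI fields of each hypervisor (assumed list).
VM_MARKERS = {
    "VMware": ("vmware",),
    "VirtualBox": ("virtualbox", "innotek", "vbox"),
    "QEMU": ("qemu", "bochs"),
}

# DMI fields most often checked for vendor strings (assumed set).
DMI_FIELDS = ("sys_vendor", "product_name", "board_vendor", "bios_vendor")


def classify(dmi: dict, cpuinfo: str) -> dict:
    """Return {family: exposed?} for the given DMI values and cpuinfo text."""
    blob = " ".join(dmi.values()).lower()
    found = {name: any(m in blob for m in markers)
             for name, markers in VM_MARKERS.items()}
    # The generic 'hypervisor' CPU flag gives away virtualisation even when
    # vendor strings have been scrubbed.
    found["hypervisor_flag"] = bool(
        re.search(r"^flags\s*:.*\bhypervisor\b", cpuinfo, re.MULTILINE))
    return found


def read_live() -> dict:
    """Gather DMI fields and cpuinfo from the running host and classify them."""
    dmi = {}
    for field in DMI_FIELDS:
        try:
            dmi[field] = (Path("/sys/class/dmi/id") / field).read_text().strip()
        except OSError:          # field absent or unreadable (e.g. non-root)
            dmi[field] = ""
    try:
        cpuinfo = Path("/proc/cpuinfo").read_text()
    except OSError:
        cpuinfo = ""
    return classify(dmi, cpuinfo)


if __name__ == "__main__":
    for name, exposed in read_live().items():
        print(f"{name}: {'exposed' if exposed else 'not seen'}")
```

Any line reported as exposed is a fingerprint a sample like Amnesia could use to decide it is inside a sandbox; scrubbing those values (or analysing on bare metal) avoids triggering the wipe behaviour.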
Researchers believe the malware’s author was deliberately trying to ‘cause trouble’ for security researchers by inserting a hard-coded but unused string, ‘fxxkwhitehats’, in the code.
The researchers say Amnesia hasn’t yet been used to conduct large-scale attacks, but the Mirai botnet attacks show the potential for major damage.
Researchers say that Amnesia illustrates key trends in IoT and Linux botnet threats, most notably that such malware can now detect and wipe virtual machines.
In addition, IoT devices are inherently vulnerable to remote code execution vulnerabilities, particularly devices produced by smaller manufacturers for which no patches are available.
Finally, the Amnesia malware relies on hard-coded C2 addresses. Blocking these addresses could prevent another large-scale attack such as Mirai.
IoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices.