
Death Botnet

Posted: July 25, 2018

The Death Botnet is a family of Trojans that specializes in compromising video surveillance devices and, currently, targets only AVTech-brand CCTV products. Although these Trojans pose no threat to PCs or mobile phones, they can, in combination with the exploits they depend on, give a remote attacker backdoor control over CCTV devices. Organizations at risk should update their AVTech firmware to close the vulnerabilities and reset the passwords of any device that may have been compromised.

Incoming Death for Your Camera Security

Although most Trojans arrive with the idea of profiting off recreational PC users or business entities, some high-level threats attack more specialized infrastructure than a laptop or a server. The Death Botnet campaign, which compromises the embedded firmware of CCTV products for goals that remain unknown, demonstrates how narrowly some threat actors aim their attacks. Besides compromising only video surveillance equipment, the Death Botnet is specific to one brand, Taiwan's AVTech, which malware researchers attribute to the availability of convenient security vulnerabilities in outdated versions of the company's firmware.

The vulnerable firmware ships in various network video recorders, digital video recorders, and related surveillance products from AVTech, even though the official updates that close these holes are a year old. The threat actor, operating under the username EliteLands, finds the appropriate CCTV devices by unknown means but depends on a series of authentication-bypass and command-injection exploits to gain control. After introducing the Death Botnet Trojan to the device's software via a temporary user account, EliteLands submits shell commands through the password field (the command-injection flaw), which can force device reboots or other behavior at will.
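The following is an added example, not AVTech's firmware or any code from the botnet, that models the bug class described above: a login handler that hands the submitted password field to a shell, so that a "password" of `secret; reboot` runs a command. Here `echo` stands in for the hypothetical credential helper the firmware would call, and the injected command prints a marker instead of rebooting; the hardened variant passes the same values as a single literal argument without a shell.

```python
import subprocess

# Added example (not AVTech's or the botnet's code). "echo" is a stand-in for
# whatever credential-checking helper the firmware invokes (hypothetical).


def check_password_vulnerable(user: str, password: str) -> str:
    """Builds one command string and runs it through /bin/sh.

    Shell metacharacters in `password` (';', '&&', '$(...)') are interpreted
    by the shell, so the password field becomes a command-injection sink.
    A strong password on the account does nothing to prevent this.
    """
    cmd = f"echo {user} {password}"
    out = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return out.stdout


def check_password_safe(user: str, password: str) -> str:
    """Passes the same values as an argument list.

    No shell is involved, so the password reaches the helper as one literal
    argument no matter what characters it contains.
    """
    out = subprocess.run(["echo", user, password], capture_output=True, text=True)
    return out.stdout


def was_injected(output: str, marker: str = "INJECTED") -> bool:
    """True if the marker appeared on its own output line, i.e. a second
    command ran, rather than being echoed back as part of the password."""
    return marker in output.splitlines()


if __name__ == "__main__":
    # Constructed payload: the same shape as "secret; reboot", but harmless.
    payload = "secret; echo INJECTED"
    print(was_injected(check_password_vulnerable("admin", payload)))  # True
    print(was_injected(check_password_safe("admin", payload)))        # False
```

The fix is not input filtering on the password but removing the shell from the path entirely; a deny-list of metacharacters is easy to get wrong, whereas an argument list has no parser to confuse.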

A concurrent botnet, Hide'nSeek (HNS), also uses the same exploits to compromise AVTech's Internet-of-Things (IoT) devices. There is no direct evidence linking the two campaigns, and this second Trojan network is, most likely, doing nothing more than taking advantage of the same readily available exploits rather than being another branch of EliteLands's campaign. Unlike the HNS Botnet, whose payload is unfinished, the Death Botnet is, by malware experts' estimate, feature-complete and, like most botnets, gives the remote attacker free rein to control the camera however he sees fit.

Keeping the Life Flowing in Your Camera System's Security

While active monitoring may catch the introduction of new, suspicious user accounts on CCTV devices, the Death Botnet uses these accounts only temporarily, during its initial installation and configuration phase, and deletes them within five minutes. Afterward, staff may only detect a Death Botnet Trojan's presence by noticing the unusual behavior that follows the threat actor's transmission of shell commands. EliteLands has yet to use the Death Botnet for any coordinated, purposeful attack and currently maintains the botnet as a threat of future misdeeds whose nature he refuses to specify.
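Because the account is gone within five minutes, a live review of the user list will usually miss it; the account lifetime in the device's audit log is the more durable signal. The following is an added example, not code from the page or from AVTech, that flags accounts deleted within a short window of their creation. The log lines and their `event=... name=... src=...` format are constructed for the example and are not AVTech's own log syntax.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format, not AVTech's). One account is
# created from an external address and removed about three and a half minutes
# later; the other is a normal long-lived operator account.
SAMPLE_LOG = """\
2018-07-20 03:14:02 event=user_add name=operator src=10.0.0.5
2018-07-20 03:14:05 event=user_add name=svc_tmp src=203.0.113.9
2018-07-20 03:16:31 event=login name=svc_tmp src=203.0.113.9
2018-07-20 03:17:40 event=user_del name=svc_tmp src=203.0.113.9
2018-07-20 09:00:00 event=user_del name=operator src=10.0.0.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"event=(?P<event>\w+) name=(?P<name>\S+)(?: src=(?P<src>\S+))?"
)


def short_lived_accounts(log_text: str, max_lifetime: timedelta = timedelta(minutes=5)) -> list[dict]:
    """Return accounts whose user_del followed their user_add within max_lifetime.

    Tracks pending creations by name; an account created but never deleted
    within the log is not reported here (it would show up in the live user
    list instead). Lines that do not match the format are ignored.
    """
    created: dict[str, tuple[datetime, str | None]] = {}
    findings: list[dict] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        name, event, src = m["name"], m["event"], m["src"]
        if event == "user_add":
            created[name] = (ts, src)
        elif event == "user_del" and name in created:
            start, add_src = created.pop(name)
            lifetime = ts - start
            if lifetime <= max_lifetime:
                findings.append({
                    "name": name,
                    "lifetime_s": int(lifetime.total_seconds()),
                    "src": add_src,
                })
    return findings


if __name__ == "__main__":
    for hit in short_lived_accounts(SAMPLE_LOG):
        print(f"short-lived account {hit['name']} ({hit['lifetime_s']}s) created from {hit['src']}")
```

The five-minute threshold matches the behavior described above; on a real deployment it should be tuned against the device's own log timestamps, and the source address of the `user_add` event is the pivot for checking the rest of the network for the same actor.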

Although using strong passwords (rather than brute-force-vulnerable ones such as 'admin' or 'password123') is a measure malware experts always recommend, doing so does not protect cameras from the exploits the Death Botnet uses, since those exploits bypass authentication rather than guess it. Staff should update all AVTech devices to the latest available firmware to remove the vulnerabilities this Trojan network depends on, and operate under the assumption that passwords on compromised devices are also in the threat actor's possession. AVTech also recommends additional measures, such as avoiding the use of port 80, to counteract the Death Botnet's communication infrastructure.

The Death Botnet is an extreme example of the worst that can happen to those who neglect to update their hardware when a security patch becomes available. For the affected companies, the Death Botnet is, so far, an ominous warning whose greatest potential damage has yet to come.
