Slashdot Mirror

← Back to Stories (view on slashdot.org)

DVRs Used To Attack Synology Disk Stations and Mine Bitcoin

Posted by Unknown on from the dvr-burned-the-house-down dept.

UnderAttack (311872) writes "The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations who are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device."

44 of 75 comments (clear)

  1. Why is anyone surprised... by TWX · · Score: 4, Insightful

    ...by this?

    I'm more surprised that we haven't seen reports of infected DVD and Blu-ray players whose only purpose is to seek out more powerful devices (PCs, smartphones) on peoples' networks to compromise and turn into bitcoin zombies. After all, it only takes a few people to come up with the exploits in the first place, and then 5kr1p7 k1dd13s can use the tools others have created.

    --
    Do not look into laser with remaining eye.
    1. Re:Why is anyone surprised... by Cramer · · Score: 1

      Obviously, you didn't learn much there yourself? 25MHz * ??? = 2.5GHz and that would be one core of a modern CPU. (the answer is 100 by the way.) [Security DVRs are some of the least powerful hardware around. We aren't talking about a current gen Tivo Romio -- which is still a bad choice for mining.]

    2. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 3, Insightful

      ...by this? I'm more surprised that we haven't seen reports of infected DVD and Blu-ray players whose only purpose is to seek out more powerful devices (PCs, smartphones) on peoples' networks to compromise and turn into bitcoin zombies. After all, it only takes a few people to come up with the exploits in the first place, and then 5kr1p7 k1dd13s can use the tools others have created.

      The main surprise is just that it's worth the trouble. Synology's high end has a few systems built around notably undistinguished Xeons(more for ECC support than anything else, they don't use very speedy ones); but if this attack is built for ARM, you are talking the relative cheap seats. Probably kilohashes to low megahashes per second, depending on how much capacity you reserve for the intended function of the device.

      Even free-as-in-stolen, you're telling me that the best use somebody can think of for a botnet of network attached storage devices is generating maybe as many hashes as one of those cheapo USB-stick ASICs, rather than, say, basking in juicy private data and massive stolen storage space?

    3. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 4, Insightful

      If memory serves, most of Synology's non-intel NASes are Marvell based. Marvell's fastest device, in terms of general compute, is the MV78460. 4 cores, ARMv7, up to 1.6GHz. As documented here most Synology NASes ship with something slower than that.

      For reference, a 1.6GHz 'Kirkwood' Marvell core is good for slightly under .2 meghashes/s. About half as fast as an Atom CPU, less than 1/4000th as fast as an AMD7970, and just plain embarassing compared to the ASICs that do most of the work these days. With devices that run on USB power alone pulling north of 1gighash/s, you could probably own every Synology ARM NAS in the first world and barely pay yourself for your time.

    4. Re:Why is anyone surprised... by Neil+Boekend · · Score: 2

      Maybe they also installed a bitcoin botnet to cover up their real "work".

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    5. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 2

      and Synology devices run ... LINUX.

      Hello folks, I think the 'virus free' honeymoon is over.

      Maybe I'm just pessimistic; but I thought it had been a truism for some years that embedded linux, especially in the cheap seats, was a total clusterfuck: firmware never getting released at all, firmware getting released with exploits that were known before it was even built, loads of shoddy little hacks to get the product out the door, and so on.

    6. Re:Why is anyone surprised... by dbIII · · Score: 1

      you're telling me that the best use somebody can think of for a botnet of network attached storage devices

      If criminals were bright enough to think of those other applications they would probably be able to think of the consequences if they get caught.
      Unless you are already doing it how many people would have a clue where to fence stolen credit card numbers let alone any other "juicy private data".
      With bittorrent etc I don't know it "massive stolen storage space" has any value.

      Last word - what the fuck are people doing letting cheap and nasty NAS drives be routable from out on the internet? It's not as if a VPN is hard these days and it's not as if even a $30 piece of gear can keep the nasties out in it's default configuration. These things are only likely to be exposed if somebody fucks up.

    7. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 1

      'Cheap and nasty' = 'purchased and installed by amateurs trying to save money'. Down that path lies nothing good. Extra demerits are, of course, awarded to any vendor whose shitty 'cloud monitoring' service uPnPs like a madman trying to punch through whatever feeble pretense of security your equally crap router might have provided in order to be 'user friendly' and allow you to watch your house be burglarized from your smartphone or whatnot.

    8. Re:Why is anyone surprised... by SpzToid · · Score: 1

      As an alternative to Synology, how about FreeNAS running on an ITX platform:

      http://www.ixsystems.com/stora...

      Because the software is better supported via the FreeNAS community?

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    9. Re:Why is anyone surprised... by dbIII · · Score: 1

      any vendor whose shitty 'cloud monitoring' service

      Ah - that's the truly special level of stupidity I had not considered.

    10. Re:Why is anyone surprised... by Anonymous Coward · · Score: 1

      This is logical, I can completely see this —why not throw a bitcoin miner in there for fun? At worst, you earn nothing on top of what you're really up to.

    11. Re:Why is anyone surprised... by Anonymous Coward · · Score: 3, Informative

      For even more perspective: The current hash rate on the Bitcoin network is about 40,000,000 gigahashes per second. With 0.2 megahashes per second, you can expect to earn 3600*0.2/40,000,000,000 Bitcoins per day. That's 0.000000018 Bitcoins (or about two Satoshis) per day. At that rate, it would take 380 years to earn a dollar.

    12. Re:Why is anyone surprised... by gl4ss · · Score: 1

      the cheap and nasty nas drive isn't visible to internet but has access to internet.. that's a quite common setup. but the dvr's themselves are connected to the internet(so that their owners can see the video feeds on their ipads...).

      --
      world was created 5 seconds before this post as it is.
    13. Re:Why is anyone surprised... by coastwalker · · Score: 1

      Completely agree, the bitcoin miner is just the headline. The rest of it is to scan the contents of the NAS, I wonder which government owns them?

      --
      Facts are history now plebs have politics for religion on social media.
    14. Re:Why is anyone surprised... by Lumpy · · Score: 1

      Because only complete and utter morons put their DVD player directly on the internet. While a security DVR is required to be in the internet or accessible via the internet for remote viewing.

      It's why I simply point and laugh at the fools that all herald ipv6 where they can have a public IP for every device. Only idiots want that, those of us that are sane only want public facing IP for the devices that need it.

      --
      Do not look at laser with remaining good eye.
    15. Re:Why is anyone surprised... by AmiMoJo · · Score: 2

      This suggests that this malware has been around for a long time, dating from back when it was worth mining Bitcoins with a low end CPU. Three or four years maybe.

      We can hope that Bitcoin mining was just a module someone added to it, or was in there from way-back-when and the malware has slowly evolved and added new infection vectors that were only recently discovered. Otherwise it must have been floating around undetected for years, and in the early days might have actually generated some cash.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    16. Re:Why is anyone surprised... by Anonymous Coward · · Score: 1

      >> Because only complete and utter morons put their DVD player directly on the internet

      Welcome to DVD player.

      Choose WIFI network. [click]

      Input WIFI password [click]

      Thank you, enjoy.

    17. Re:Why is anyone surprised... by cusco · · Score: 1

      And pretty much every single process running as root. On a lot of dedicated security DVRs, especially the cheap ones, root is the only user too. If you wanted to see a true clusterfuck of Linux programming just needed take one of the GE brand security DVRs out of the box. Now that they've sold their security products to United Technologies the situation has supposedly improved, but I have my doubts.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    18. Re:Why is anyone surprised... by cusco · · Score: 1

      I work in the security industry, and you would be absolutely shocked at some of the work being done out there. The residential and retail markets are absolutely the worst, since there's no money to be made there unless you're pumping out dozens of slipshod installations per week per installer. For most of those guys their level of technical expertise is that they can find porn and Facebook on the Internet.

      a security DVR is required to be in the internet or accessible

      Huh? Not just 'NO' but 'NO FUCKING WAY NO'. Even most of the iToys have a VPN client, there is absolutely no reason to put any security device on the Internet for any reason (except maybe as a honeypot).

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
    19. Re:Why is anyone surprised... by K.+S.+Kyosuke · · Score: 2

      Even the best doors and locks won't protect the idiot who leaves them wide open.

      --
      Ezekiel 23:20
    20. Re:Why is anyone surprised... by Pope · · Score: 4, Informative

      Synology's firmware is updated p. regularly in my few month's experience of owning a DiskStation.

      --
      It doesn't mean much now, it's built for the future.
    21. Re:Why is anyone surprised... by Zero__Kelvin · · Score: 2

      This has absolutely nothing at all to do with viruses. Cracking in to a system that has a weak password has quite literally nothing to do with the security of the OS, and everything to do with the lack of security as implemented by the consumer.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
    22. Re:Why is anyone surprised... by tlhIngan · · Score: 1

      This suggests that this malware has been around for a long time, dating from back when it was worth mining Bitcoins with a low end CPU. Three or four years maybe.

      Uh, why is CPU mining pointless today? Because the returns are so low?

      Yes, the returns are very low. However, they're non-zero. So if you can find a pile of computing devices that you can use for FREE, even if you only earn 0.001 BTC a day, that's still a positive ROI for you.

      Now couple that with millions of PCs, routers, DVRs, etc., and suddenly 0.001 BTC per day per device on average is not too shabby anymore. Even 0.000001 BTC still makes it worthwhile.

      Remember, the cost of the equipment, electricity, etc is FREE to the miner.

      Hell, there are plugins to Unity (the game engine) that does Bitcoin mining for developers to release free-to-play games, as well. (Presumably for both computers and mobile devices, so no, the game is not heating the CPU because its got awesome graphics and play, but because it's mining behind your back).

      The ROI of CPU mining is high when the I is low

  2. Re:I hate April fools on the internet. by nbetcher · · Score: 3, Informative

    Unfortunately this does not appear to be a case of April fools. Somehow I wish it were.

  3. I'm confused by viperidaenz · · Score: 2

    Interestingly, all of this malware is compiled for ARM CPUs

    How else does malware running on ARM based systems work?

    1. Re:I'm confused by fuzzyfuzzyfungus · · Score: 1

      It's JVMs all the way down. Except for the one that's actually Dalvik and willing to go head-to-head with Oracle to prove it.

  4. Much better this year by AuMatar · · Score: 5, Funny

    This april fools is believable.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  5. Re:I hate April fools on the internet. by exomondo · · Score: 1

    I hate April fools on the internet... April fools only works in person, it is just dumb and possibly dangerous on the internet.

    Posted by Unknown Lamer on Monday March 31, 2014 @11:58PM

  6. Counterfeit by Oligonicella · · Score: 1, Interesting

    These should be considered counterfeit. True, they are probably good bitcoins in the accuracy department, but by no stretch of the imagination could they be considered legitimately mined. Is there a mechanism built into the bitcoin structure that allows for this and voids the coins?

    1. Re:Counterfeit by Anonymous Coward · · Score: 1

      There is not, unless 51% of the network refuses to continue work on any chain containing a transaction that spent these balances.

      Bitcoin was designed this way with no central control because many in the community see the ability for others to arbitrarily decide someone's money is worthless to be a bug, not a feature.

    2. Re:Counterfeit by fuzzyfuzzyfungus · · Score: 2

      Trying to determine whether a series of hashing operations resulting in a mathematically valid bitcoin is like trying to determine whether or not a file is copyright-infringing by examining it with a hex editor.

      Sure, I'd cry approximately -6 tears if the person behind this were to be caught and hauled off, and if he actually managed to mine anything(which would surprise me) I'd have no problem with the notion of his being forced to disburse the minings to his victims; but attempting to determine, from the results of a calculation, whether that calculation was conducted on a CPU not owned by the person who instructed the calculation to be performed is practically a category error. It just doesn't make sense.

      If you have outside knowledge(like the arrest and conviction of the cracker), you can make inferences from that(and also use that as a basis for forcing him to disgorge the ill-gotten gains); but absent such additional information, a mathematical operation is what it is, there is no 'licitness' metadata.

    3. Re:Counterfeit by rtb61 · · Score: 2

      Of course we all know of a security agency that just positively loves video feeds for it's extortion program anything else just a cover. The interesting part of the story, how honeypots are much better at establishing internet security than engaging in global criminal activity, of course one is about law and order and the other is about criminal extortion with a political basis.

      --
      Chaos - everything, everywhere, everywhen
  7. management fools by dltaylor · · Score: 1

    But when you've actually been asked by management whether you've implemented RFC 3514 (the "Evil Bit"), how can the Internet NOT be better?

  8. Re:But did you not already know that this is the w by JustOK · · Score: 1

    Bird is the word

    --
    rewriting history since 2109
  9. Re:I hate April fools on the internet. by evilviper · · Score: 1

    Posted by Unknown Lamer on Monday March 31, 2014 @11:58PM

    The date/time you see on the story depends on your timezone. Yet it doesn't put everyone else into a time-warp where it's not April 1st for them...

    This story absolutely was posted on April 1st, /. local time, as evidenced by the date embedded in the link to it:

    http://it.slashdot.org/story/1...

    --
    Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
  10. Re:Worth by fuzzyfuzzyfungus · · Score: 1

    I don't have an exact answer, Synology ARM devices vary, though mostly Marvell based; but for reference the 'Sheevaplug', based on a slightly obsolete Marvell storage processor, is quoted to be good for about .2 megahashes/second. I don't keep up with bitcoin difficulties, just don't care that much; but with USB-stick ASIC devices claiming 1 gigahash/second and greater, you'd need to own a mind-boggling number of these things to make it worth the time.

    It's doubly weird because NASes probably have some neat stuff stashed on them, and would also be natural hosts for some sort of 'super-sleazy-CDN' type project, which would be equally illicit but might actually be worth more than a lukewarm cup of instant coffee.

  11. Well the laundry thought by Chrisq · · Score: 1

    Well the laundry thought they may as well make SCORPION STARE self-funding by mining bitcoins. Its fortunate the researchers did not activate the primary function

  12. Synology vulnerability? by doas777 · · Score: 3, Informative

    TFA has very little info on the supposed Synology management interface vulnerability.

    I believe this article covers some some of the general info on the vulnerabilities: http://www.symantec.com/connec...

  13. "Bitcoin": Error in reporting? by DrYak · · Score: 3, Informative

    That might also be an error in reporting: TFA's Author might have written "bitcoin mining" (for lack of understanding the whole alt-coin ecosystem) when it would be best described as "cryptocurrency miner".
    The last few article on /. mentioning mining malware, all said "bitcoin mining" when careful reading showed up that in fact the malware didn't mine bitcoins but another cryptocurrency better suited for CPU (one of the latest I remember was PTShares).
    Reporter just say "bitcoin mining" because that's the only thing they know and they vaguely remember that creating bitcoins was something CPU intensive.

    The black-hats creating sophisticated malware (a worm, infecting vulnerable connected DVR, so they in turn can attack Synology NAS and launch mining software) aren't probably stupid enough to mine bitcoin, they probably know better, and the miner is for whatever is the current most CPU-worthy (i.e.: non SHA-256^2 baesd) cryptocurrency-coin.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  14. Probably *NOT* bitcoins by DrYak · · Score: 1

    As I've mentionned above, it's probably NOT bitcoins being mined.
    The last few article on /. mentioning mining malware, all said "bitcoin mining" when careful reading showed up that in fact the malware didn't mine bitcoins but another cryptocurrency better suited for CPU (one of the latest I remember was PTShares).
    Reporter just say "bitcoin mining" because that's the only thing they know and they vaguely remember that creating bitcoins was something CPU intensive.

    If the black-hats are smart enough to think this contrived way to infect the synology (infect first the "always on internet" DVR and only then, once you're on the other side of the firewall, start scanning the home intra-net for NAS hidden behind the firewall), perhaps they are also able to pick a CpU worthy (ie.: not SHA-256^2 based) cryptocurrency coin.

    Even free-as-in-stolen, you're telling me that the best use somebody can think of for a botnet of network attached storage devices is generating maybe as many hashes as one of those cheapo USB-stick ASICs, rather than, say, basking in juicy private data and massive stolen storage space?

    While you're at it, it's best to take as much opportunity as possible.
    - you can "safely" mine on a nas, because the clueless user won't notice a heavily degraded performance (unlike on their desktop).
    - you can pick-up a coin which won't be beaten by cheapo USB ASICs: math based coins (like PrimeCoin, RieCoin, etc.) are still mined on CPUs. SHA3 based coins (CopperLark, QuarkCoin, etc) don't have an efficient GPU implementation yet. SCrypt-based coins are some memory-intensive, that the jump between hardware generations doesn't yield such a strong difference in hash rate: even if the current mining is mostly done on GPU and some early experimental FPGA, high-end server CPU can still give Litecoin for their run. (so even if the ARM inside NAS isn't that powerful, a whole botnet mining Litecoin could still earn some money back).

    And last but not least:
    - that the worm download a payload for mining bitcoins, doesn't prevent the the worm to also download a payload for scanning credit-cards numbers, SSN, naked photos, etc.
    So don't despair, the massive stolen storage space will also be juiced for all it's worth.

    The coin-mining at least is low bandwidth, and it's possible for the blackhats to check if their plan is working just by looking at the income on the cryptocurrency address used for mining. Scanning the stolen storage space would be much more bandwidth intensive (the victim would notice that "their internet has become slow").

    On the other hand, getting that money out of the botnet and into the black-hat's pockets is going to be tough:
    cryptocurrency aren't anonymous. in fact they work based on the exact opposite: every single transaction is boardcaster to the whole network. While this provide good security against counterfeit wiithout needing a central authority (the whole point of the bitcoin protocole), that also means that anyone can follow the transaction following this mining.
    If the hackers indeed used a rare CPU-based coin, that means that they can't do much except exchange it on one of the few major exchange which accepts even very minor coins (like cryptsy). That means it's rather easy for law forces to collaborate with cryptsy to try and catch any transaction with coins coming from this mining- then it's just a question of matching this transaction with user profiles and/or follow the money trail further.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  15. Yes and no by DrYak · · Score: 1

    Is there a mechanism built into the bitcoin structure that allows for this and voids the coins?

    Is there a mechanism built into hard cash that allows to void the silvercoins/bank bills to be remotely voided? No.
    And basically any cryptocurrency works the same. There's by definition NO SINGLE ENTITY in control of the bitcoin protocol (that's the whole point of it).
    so nobody could remotely void any coin. (but at least that means that legally earned crypto-mony won't suddenly vanish neither... no fraudulous chargebacks on the bitcoin network)

    On the other hand, cryptocurrencies aren't anonymous. At all. In fact they are (again by definition) the exact opposite: every signle transaction is broadcasted to the whole network. That really helps the security (thus every single node on the network can check and verify all transaction) without needs for a central authority (see previous point). But that also means that anyone can follow transaction a follow money jumping from one public key to another.

    As the blackhats aren't probably mining actual bitcoins, but some minor alt-coins which is much more mine-able on CPUs, at some point, they'll need to exchange it for something more easily spendable. So they need to send them to one of the (few) exchanges accepting less known coins (Probably cryptsy).
    Law forces could collaborate with exchanges and try to catch transaction whose coins can all be traced back to the initial mining by this botnet.
    Then it's a matter of matching transaction with profiles registered at the exchange or further following the money trail.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  16. Pointless? by countach · · Score: 1

    At the current bit coin difficulty, I would have thought even a large botnet of conventional CPUs would be pretty pointless.

  17. probably mining an alt coin by markass530 · · Score: 1

    impossible to make any cash mining bitcoin this way, probably mining primecoin or one of the other CPU based alt coins

  18. I hear tell... by swschrad · · Score: 1

    that if you DVR fishing shows, you spread worms, too

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?