Slashdot Mirror


DVRs Used To Attack Synology Disk Stations and Mine Bitcoin

UnderAttack (311872) writes "The SANS Internet Storm Center got an interesting story about how some of the devices scanning its honeypot turned out to be infected DVRs. These DVRs are commonly used to record footage from security cameras, and likely got infected themselves due to weak default passwords (12345). Now they are being turned into bots (but weren't they bots before that?) and are used to scan for Synology Disk Stations that are vulnerable. In addition, these DVRs now also run a copy of a bitcoin miner. Interestingly, all of this malware is compiled for ARM CPUs, so this is not a case of standard x86 exploits that happen to hit an embedded system/device."

17 of 75 comments

  1. Why is anyone surprised... by TWX · · Score: 4, Insightful

    ...by this?

    I'm more surprised that we haven't seen reports of infected DVD and Blu-ray players whose only purpose is to seek out more powerful devices (PCs, smartphones) on people's networks to compromise and turn into bitcoin zombies. After all, it only takes a few people to come up with the exploits in the first place, and then 5kr1p7 k1dd13s can use the tools others have created.

    --
    Do not look into laser with remaining eye.
    1. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 3, Insightful

      ...by this? I'm more surprised that we haven't seen reports of infected DVD and Blu-ray players whose only purpose is to seek out more powerful devices (PCs, smartphones) on people's networks to compromise and turn into bitcoin zombies. After all, it only takes a few people to come up with the exploits in the first place, and then 5kr1p7 k1dd13s can use the tools others have created.

      The main surprise is just that it's worth the trouble. Synology's high end has a few systems built around notably undistinguished Xeons (more for ECC support than anything else; they don't use very speedy ones); but if this attack is built for ARM, you are talking the relatively cheap seats. Probably kilohashes to low megahashes per second, depending on how much capacity you reserve for the intended function of the device.

      Even free-as-in-stolen, you're telling me that the best use somebody can think of for a botnet of network attached storage devices is generating maybe as many hashes as one of those cheapo USB-stick ASICs, rather than, say, basking in juicy private data and massive stolen storage space?

    2. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 4, Insightful

      If memory serves, most of Synology's non-Intel NASes are Marvell based. Marvell's fastest device, in terms of general compute, is the MV78460: 4 cores, ARMv7, up to 1.6GHz. As documented here, most Synology NASes ship with something slower than that.

      For reference, a 1.6GHz 'Kirkwood' Marvell core is good for slightly under 0.2 megahashes/s. About half as fast as an Atom CPU, less than 1/4000th as fast as an AMD 7970, and just plain embarrassing compared to the ASICs that do most of the work these days. With devices that run on USB power alone pulling north of 1 gigahash/s, you could probably own every Synology ARM NAS in the first world and barely pay yourself for your time.

    3. Re:Why is anyone surprised... by Neil+Boekend · · Score: 2

      Maybe they also installed a bitcoin botnet to cover up their real "work".

      --
      Well, I might have a way, but it only works on a semi spherical planet in a vacuum.
    4. Re:Why is anyone surprised... by fuzzyfuzzyfungus · · Score: 2

      and Synology devices run ... LINUX.

      Hello folks, I think the 'virus free' honeymoon is over.

      Maybe I'm just pessimistic; but I thought it had been a truism for some years that embedded linux, especially in the cheap seats, was a total clusterfuck: firmware never getting released at all, firmware getting released with exploits that were known before it was even built, loads of shoddy little hacks to get the product out the door, and so on.

    5. Re:Why is anyone surprised... by Anonymous Coward · · Score: 3, Informative

      For even more perspective: The current hash rate on the Bitcoin network is about 40,000,000 gigahashes per second. With 0.2 megahashes per second, you can expect to earn 3600*0.2/40,000,000,000 Bitcoins per day. That's 0.000000018 Bitcoins (or about two Satoshis) per day. At that rate, it would take 380 years to earn a dollar.
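The arithmetic in the comment above (your share of the network hash rate times the coins issued per day), carried out as an added example that is not part of this thread or of the SANS post, together with a toy SHA-256d proof-of-work loop so that the "hash" being counted is concrete. The 40,000,000 GH/s network rate, the 25 BTC block reward, 144 blocks per day and a $400/BTC price are assumptions taken from the 2014 figures in the comments; the genesis block header is the well-known public one and is only used as a self-check of the hash function. Function names are my own.

```python
"""Added example: toy Bitcoin-style proof of work plus the earnings estimate
from the comment above. Not code from the thread or from the SANS article."""
import hashlib
import struct
import time

# 2014 figures as stated in the thread; assumptions for the estimate, not
# measured values (the reward has halved several times since).
NETWORK_HASHRATE_2014 = 40_000_000 * 1e9   # hashes per second
BLOCK_REWARD_2014 = 25.0                   # BTC per block
BLOCKS_PER_DAY = 144                       # one block per ~10 minutes
SATOSHI = 1e-8                             # BTC

# Public genesis block header (80 bytes): version, prev hash, merkle root,
# time, bits, nonce, all little-endian. Used only to check sha256d().
GENESIS_HEADER = bytes.fromhex(
    "01000000" + "00" * 32
    + "3ba3edfd7a7b12b27ac72c3e67768f617fc81bc3888a51323a9fb8aa4b1e5e4a"
    + "29ab5f49" + "ffff001d" + "1dac2b7c"
)


def sha256d(data: bytes) -> bytes:
    """Bitcoin's hash: SHA-256 applied twice (the 'SHA-256^2' of the thread)."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def block_hash_hex(header: bytes) -> str:
    """Display form of a block hash: sha256d output with byte order reversed."""
    return sha256d(header)[::-1].hex()


def bits_to_target(bits: int) -> int:
    """Expand the compact 'bits' header field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x7FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def header_meets_target(header: bytes, target: int) -> bool:
    """Proof-of-work test: the hash, read as a little-endian integer, is below target."""
    return int.from_bytes(sha256d(header), "little") < target


def mine(header_prefix: bytes, target: int, max_nonce: int = 1 << 32):
    """Search the 4-byte nonce; returns (nonce, hashes_tried), nonce None if exhausted."""
    for nonce in range(max_nonce):
        if header_meets_target(header_prefix + struct.pack("<I", nonce), target):
            return nonce, nonce + 1
    return None, max_nonce


def measure_hashrate(seconds: float = 0.5) -> float:
    """Single-threaded sha256d throughput of this interpreter, in hashes/s."""
    prefix = b"\x00" * 76          # constructed dummy header, not a real block
    count, start = 0, time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        sha256d(prefix + struct.pack("<I", count))
        count += 1
    return count / (time.perf_counter() - start)


def expected_btc_per_day(hashrate, network_hashrate=NETWORK_HASHRATE_2014,
                         reward=BLOCK_REWARD_2014, blocks_per_day=BLOCKS_PER_DAY):
    """Share of network hash rate times coins issued per day (the comment's formula)."""
    return hashrate / network_hashrate * reward * blocks_per_day


def years_to_earn_usd(usd, hashrate, btc_price_usd, **kw):
    """How long a miner at `hashrate` needs to earn `usd` at a given BTC price."""
    return (usd / btc_price_usd) / expected_btc_per_day(hashrate, **kw) / 365.25


if __name__ == "__main__":
    print("genesis:", block_hash_hex(GENESIS_HEADER))
    nonce, tried = mine(b"\x11" * 76, 1 << 244, max_nonce=1 << 20)  # 12 zero bits
    print(f"toy block found at nonce {nonce} after {tried} hashes")
    rate = measure_hashrate()
    print(f"this CPU: {rate / 1e6:.2f} MH/s")
    print(f"0.2 MH/s in 2014: {expected_btc_per_day(0.2e6) / SATOSHI:.1f} satoshi/day")
    print(f"years to earn $1 at $400/BTC: {years_to_earn_usd(1, 0.2e6, 400):.0f}")
```

Running it reproduces the figures in the comment (1.8 satoshi per day, about 380 years per dollar at $400/BTC) and shows why the target comparison, not the hash itself, is all that makes a hash "valid": there is nothing in the output that records which CPU computed it.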

    6. Re:Why is anyone surprised... by AmiMoJo · · Score: 2

      This suggests that this malware has been around for a long time, dating from back when it was worth mining Bitcoins with a low end CPU. Three or four years maybe.

      We can hope that Bitcoin mining was just a module someone added to it, or was in there from way-back-when and the malware has slowly evolved and added new infection vectors that were only recently discovered. Otherwise it must have been floating around undetected for years, and in the early days might have actually generated some cash.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    7. Re:Why is anyone surprised... by K.+S.+Kyosuke · · Score: 2

      Even the best doors and locks won't protect the idiot who leaves them wide open.

      --
      Ezekiel 23:20
    8. Re:Why is anyone surprised... by Pope · · Score: 4, Informative

      Synology's firmware is updated pretty regularly in my few months' experience of owning a DiskStation.

      --
      It doesn't mean much now, it's built for the future.
    9. Re:Why is anyone surprised... by Zero__Kelvin · · Score: 2

      This has absolutely nothing at all to do with viruses. Cracking into a system that has a weak password has quite literally nothing to do with the security of the OS, and everything to do with the lack of security as implemented by the consumer.

      --
      Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
  2. Re:I hate April fools on the internet. by nbetcher · · Score: 3, Informative

    Unfortunately this does not appear to be a case of April fools. Somehow I wish it were.

  3. I'm confused by viperidaenz · · Score: 2

    Interestingly, all of this malware is compiled for ARM CPUs

    How else does malware running on ARM based systems work?

  4. Much better this year by AuMatar · · Score: 5, Funny

    This april fools is believable.

    --
    I still have more fans than freaks. WTF is wrong with you people?
  5. Re:Counterfeit by fuzzyfuzzyfungus · · Score: 2

    Trying to determine whether a series of hashing operations resulting in a mathematically valid bitcoin is like trying to determine whether or not a file is copyright-infringing by examining it with a hex editor.

    Sure, I'd cry approximately -6 tears if the person behind this were to be caught and hauled off, and if he actually managed to mine anything (which would surprise me) I'd have no problem with the notion of his being forced to disburse the minings to his victims; but attempting to determine, from the results of a calculation, whether that calculation was conducted on a CPU not owned by the person who instructed the calculation to be performed is practically a category error. It just doesn't make sense.

    If you have outside knowledge (like the arrest and conviction of the cracker), you can make inferences from that (and also use that as a basis for forcing him to disgorge the ill-gotten gains); but absent such additional information, a mathematical operation is what it is; there is no 'licitness' metadata.

  6. Re:Counterfeit by rtb61 · · Score: 2

    Of course we all know of a security agency that just positively loves video feeds for its extortion program; anything else is just a cover. The interesting part of the story: how honeypots are much better at establishing internet security than engaging in global criminal activity. Of course, one is about law and order and the other is about criminal extortion with a political basis.

    --
    Chaos - everything, everywhere, everywhen
  7. Synology vulnerability? by doas777 · · Score: 3, Informative

    TFA has very little info on the supposed Synology management interface vulnerability.

    I believe this article covers some of the general info on the vulnerabilities: http://www.symantec.com/connec...

  8. "Bitcoin": Error in reporting? by DrYak · · Score: 3, Informative

    That might also be an error in reporting: TFA's author might have written "bitcoin mining" (for lack of understanding the whole alt-coin ecosystem) when it would be best described as "cryptocurrency miner".
    The last few articles on /. mentioning mining malware all said "bitcoin mining" when careful reading showed that in fact the malware didn't mine bitcoins but another cryptocurrency better suited for CPUs (one of the latest I remember was PTShares).
    Reporters just say "bitcoin mining" because that's the only thing they know and they vaguely remember that creating bitcoins was something CPU intensive.

    The black-hats creating sophisticated malware (a worm infecting vulnerable connected DVRs, so they in turn can attack Synology NASes and launch mining software) probably aren't stupid enough to mine bitcoin; they probably know better, and the miner is for whatever is the current most CPU-worthy (i.e. non-SHA-256^2 based) cryptocurrency coin.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]