Persirai Botnet

By GoldSparrow in Trojans

The Persirai Botnet is a network of infected IoT devices made up of DVRs and security cameras from the USA, Brazil, Mexico, China, Japan and South Korea. It is based on the source code of the Mirai Botnet, but it has added functionality: in addition to using default passwords for various IoT models, the developers of the Persirai Botnet implemented exploits for software vulnerabilities. The Persirai Botnet is controlled via tiered 'Command and Control' servers, and it is tough to bring down. Some of the latest security reports suggest the Persirai Botnet consists of more than 120,000 compromised IP cameras.

The Persirai Botnet is designed to use the Universal Plug and Play (UPnP) network protocol to reach DVRs and cameras behind poorly protected routers. It sends specially crafted requests to potentially vulnerable devices so that the device is forced to connect to a download page, write the file to its storage and execute it. The file provided via the Persirai Botnet is a script, which is loaded into memory and then deleted from local storage. Because IP cameras and DVRs are usually kept online constantly, there is almost no need to re-install the Persirai agent. Once the IoT device is attached to the Persirai Botnet, it receives commands on what IP addresses it should flood with UDP (User Datagram Protocol) requests. Thus, the compromised devices are weaponized to launch DDoS (Distributed Denial of Service) attacks on targeted sites.
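The UDP flooding described above is visible from the defender's side as a camera suddenly sending large volumes of UDP to a single outside address. The following detection sketch is an added example, not part of the original article; the flow record layout, the camera subnet, the internal range and the packet threshold are all assumptions chosen for illustration, and the sample records are constructed.

```python
import csv
import io
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real traffic).
# Assumed layout: epoch_seconds, src, dst, proto, dst_port, packets
SAMPLE_FLOWS = """\
1700000000,192.168.1.50,203.0.113.10,udp,80,42000
1700000010,192.168.1.50,203.0.113.10,udp,80,51000
1700000020,192.168.1.51,198.51.100.7,udp,123,4
1700000030,192.168.1.51,198.51.100.7,tcp,443,900
1700000040,192.168.1.20,203.0.113.10,udp,80,70000
1700000065,192.168.1.50,203.0.113.10,udp,80,300
1700000070,192.168.1.52,192.168.1.1,udp,53,20000
"""

CAMERA_NET = ip_network("192.168.1.48/28")   # assumed camera/DVR address range
INTERNAL_NET = ip_network("192.168.0.0/16")  # assumed internal address space
WINDOW_SECONDS = 60                          # assumed aggregation window
PACKET_THRESHOLD = 10000                     # assumed per-window ceiling for a camera


def flag_udp_flood_sources(flow_text, camera_net=CAMERA_NET, internal_net=INTERNAL_NET,
                           window=WINDOW_SECONDS, threshold=PACKET_THRESHOLD):
    """Return sorted (src, dst, window_start, packets) tuples where a camera sent
    more than `threshold` UDP packets to one external host within one window."""
    totals = defaultdict(int)
    for ts, src, dst, proto, _dport, packets in csv.reader(io.StringIO(flow_text)):
        if proto.lower() != "udp":
            continue
        if ip_address(src) not in camera_net:
            continue  # only hosts in the camera inventory range are evaluated here
        if ip_address(dst) in internal_net:
            continue  # local DNS/NTP/recorder traffic is not an outbound flood
        bucket = int(ts) - int(ts) % window  # start of the fixed time window
        totals[(src, dst, bucket)] += int(packets)
    return sorted((s, d, b, n) for (s, d, b), n in totals.items() if n > threshold)


if __name__ == "__main__":
    for src, dst, start, packets in flag_udp_flood_sources(SAMPLE_FLOWS):
        print(f"ALERT camera {src} -> {dst} window_start={start} udp_packets={packets}")
```

A camera flagged this way is a candidate for isolation, a firmware check and a reset, in line with the recommendations on this page.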

The Web traffic from the Persirai Botnet might enable threat actors to freeze sites, disable access to Web services, and turn video streaming into a nightmare for users. The Persirai Botnet is known to exploit the following vulnerabilities in ‘cloud’ cameras: CVE-2017-8221, CVE-2017-8222, CVE-2017-8223, CVE-2017-8224 and CVE-2017-8225. It is recommended to make sure your cameras and DVRs are adequately protected and that remote administration accounts on your system have secure encryption enabled. You may want to check if your devices are running the latest firmware version available and reset potentially compromised devices as needed.
