Amnesia, a variant of the Tsunami IoT/Linux botnet, targets an unpatched remote code execution vulnerability in DVR devices produced by China-based firm, TVT Digital Technology Co., Ltd. This vulnerability was disclosed on March 22, 2016 by security researcher Rotem Kerner on his website, According to Palo Alto Networks research team, Unit 42, this vulnerability impacts approximately 227,000 devices worldwide, with the largest amount of vulnerable devices located in Taiwan, the US, Israel, Turkey, and India. Unit 42 believes that Amnesia is the first Linux malware that employs VM detection and evasion techniques to prevent malware analysis. It can detect whether or not it is running within VirtualBox, VMware, or QEMU and, if it is, Amnesia will wipe the VM and delete all of the files in the file system. If it is not running in a VM, Amnesia scans for vulnerable devices and, when located, it sends four HTTP requests to the device that contain exploit payloads of shell commands. These shell commands create a shell script file that, when executed, connects with a C2 server to continue the compromise. This results in full control over the device and the attacker can then execute additional commands and launch DDoS attacks against targets. To date, Amnesia has not yet been used to launch a large-scale DDoS attack, but Unit 42 believes that it could be used to launch attacks similar in size to those launched by the Mirai botnet. TVT Digital Technology Co., Ltd. has yet to release a patch to address this vulnerability.

Reporting and Technical Details

  • March 2016: Remote Code Execution in CCTV-DVR Affecting over 70 Different Vendors (KerneronSecurity)
  • April 2017: New IoT/Linux Malware Targets DVRs, Forms Botnet (Palo Alto Networks)