Persirai, also labeled by Trend Micro as ELF_PERSIRAI.A, targets IP camera models based on various Original Equipment Manufacturer (OEM) products. Using Shodan, the IoT search engine, Trend Micro researchers determined that approximately 120,000 IP cameras are vulnerable to a Persirai infection. Once a device is infected, the hacker can perform a command injection to force the device to connect to a site where it will download and execute a malicious shell script. Once executed, much like Mirai, the malware will delete itself and run only in memory. It also blocks other attackers from targeting and exploiting the infected device.

Infected devices can be directed by C2 servers to spread the infection to other vulnerable devices and perform DDoS attacks against specified targets. Researchers have noted that Persirai can perform a UDP DDoS attack with SSDP packets without spoofing IP addresses. The researchers potentially linked this botnet to Iran as they discovered Persian characters within its code and found that Persirai's C2 servers were using .IR, a top-level domain managed by the Institute for Research in Fundamental Sciences in Iran.

Since Persirai runs in memory, infections can be cleaned by rebooting the device. However, to prevent reinfection, change default device passwords to something lengthy and complex. Also, disable UPnP on routers to prevent vulnerable devices within the network from opening and exposing ports to the internet.

Reporting and Technical Details:

  • May 2017: Persirai: New Internet of Things (IoT) Botnet Targets IP Cameras (Trend Micro)
  • June 2017: Move Over, Mirai: Persirai Now the Top IP Camera Botnet (Dark Reading)
  • June 2017: The Reigning King of IP Camera Botnets and Its Challengers (Trend Micro)


Image Source: Trend Micro