{"id":2039,"date":"2016-09-05T21:53:03","date_gmt":"2016-09-05T21:53:03","guid":{"rendered":"https:\/\/evosec.eu\/?p=2039"},"modified":"2016-10-11T18:46:01","modified_gmt":"2016-10-11T18:46:01","slug":"new-iot-malware","status":"publish","type":"post","link":"https:\/\/evosec.eu\/ru\/new-iot-malware\/","title":{"rendered":"New IoT Malware? Anime\/Kami"},"content":{"rendered":"<p>During August 2016 we came across several CCTV devices infected with a piece of malware that we could not identify, at least for now. It lives on one of the few read-write partitions of these devices (most of their partitions are read-only), in a directory called <strong>.anime<\/strong> under the file name <strong>.kami<\/strong>. The attack appears to have logged in with the hard-coded telnet credentials of the device and then downloaded the still-unknown binary, or possibly wrote it to disk with a series of &#171;echo&#187; commands, the usual fallback on BusyBox-based devices that ship without wget or tftp.  <\/p>\n<p><a href=\"\/wp-content\/uploads\/2016\/09\/CCTV1.png\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1.png\" alt=\"CCTV Malware\" width=\"1920\" height=\"1040\" class=\"aligncenter size-full wp-image-2040\" srcset=\"https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1.png 1920w, https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1-300x163.png 300w, https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1-768x416.png 768w, https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1-1024x555.png 1024w, https:\/\/evosec.eu\/wp-content\/uploads\/2016\/09\/CCTV1-800x433.png 800w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><\/a><\/p>\n<p>We could not identify it because the copy we recovered is truncated: the complete file appears to be larger than the partition it was written to (mounted as \/mnt\/mtd), so the write stopped when the partition filled up and only the first part of the binary is on the device. 
<\/p>\n<p>Running <strong>file<\/strong> on the recovered copy identifies the architecture from the ELF header and then fails while reading the rest, which is exactly what a truncated binary looks like:<\/p>\n<blockquote>\n<p>.kami: ERROR: ELF 32-bit LSB executable, Renesas SH, version 1 (SYSV), statically linkederror reading (Invalid argument)<\/p>\n<\/blockquote>\n<p>So it is a statically linked, 32-bit little-endian ELF built for Renesas SH (SuperH), presumably the CPU of the affected devices. The MD5 of the truncated copy is below; a complete copy of the same binary will hash differently, so a non-match against this value is inconclusive rather than a clean result:<\/p>\n<blockquote>\n<p>cdd887f2112b3d87b96154ca492368a8  .kami<\/p>\n<\/blockquote>\n<p>For now, all we can recommend is to stop exposing these devices through a DMZ rule and forward only the ports that are actually needed, never telnet (23\/tcp), and, where needed, to put a router or firewall in front of them. Because the telnet credentials are hard-coded they cannot be changed on the device, so blocking inbound telnet is the only effective control.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>During August 2016, we came across several devices that were infected with a new malware that we couldn&#8217;t identify &#8212; for now. It resides in a read-write partition of some CCTV devices (most partitions on these devices are read-only), in a folder called .anime under the name .kami. It seems &hellip;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"image","meta":{"footnotes":""},"categories":[935,932],"tags":[933,67,74,934,60],"class_list":["post-2039","post","type-post","status-publish","format-image","hentry","category-iot-devicessecurity","category-iot-security","tag-anime","tag-cctv","tag-iot","tag-kami","tag-malware","post_format-post-format-image"],"translation":{"provider":"WPGlobus","version":"3.0.2","language":"ru","enabled_languages":["en","da","de","es","fi","fr","it","hu","nl","no","pl","pt","ru","sv"],"languages":{"en":{"title":true,"content":true,"excerpt":false},"da":{"title":false,"content":false,"excerpt":false},"de":{"title":false,"content":false,"excerpt":false},"es":{"title":false,"content":false,"excerpt":false},"fi":{"title":false,"content":false,"excerpt":false},"fr":{"title":false,"content":false,"excerpt":false},"it":{"title":false,"content":false,"excerpt":false},"hu":{"title":false,"content":false,"excerpt":false},"nl":{"title":false,"content":false,"excerpt":false},"no":{"title":false,"content":false,"excerpt":false},"pl":{"title":false,"content":false,"excerpt":false},
"pt":{"title":false,"content":false,"excerpt":false},"ru":{"title":false,"content":false,"excerpt":false},"sv":{"title":false,"content":false,"excerpt":false}}},"_links":{"self":[{"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/posts\/2039","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/comments?post=2039"}],"version-history":[{"count":1,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/posts\/2039\/revisions"}],"predecessor-version":[{"id":11122,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/posts\/2039\/revisions\/11122"}],"wp:attachment":[{"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/media?parent=2039"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/categories?post=2039"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/evosec.eu\/ru\/wp-json\/wp\/v2\/tags?post=2039"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
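The truncation check the post relies on, written out as an added example that is not part of the original post and not evosec.eu's own tooling: it parses the ELF32 header by hand (so it works on an analyst box without `file` or readelf), reports class, endianness and machine, flags the file as truncated when the program or section header table lies past the end of the file, and compares the MD5 against the single IOC the post gives. The header layout and e_machine values come from the ELF specification; the sample headers, byte counts and function names are constructed for the demo and are not real malware.

```python
"""Triage a dropped ELF binary recovered from an embedded device.

Added example, not code from the original post. The only value taken from the
post is the MD5 of the truncated .kami sample; the sample headers below are
constructed so the script runs offline.
"""
import hashlib
import struct

# MD5 of the truncated .kami copy reported in the post (an IOC for that copy only).
KAMI_MD5 = "cdd887f2112b3d87b96154ca492368a8"

# e_machine values from the ELF specification for CPUs common in CCTV/DVR firmware.
EM_NAMES = {3: "Intel 80386", 8: "MIPS", 40: "ARM", 42: "Renesas SH", 62: "x86-64"}

ELF32_HDR = "16sHHIIIIIHHHHHH"                      # e_ident .. e_shstrndx
ELF32_HDR_SIZE = struct.calcsize("<" + ELF32_HDR)   # 52 bytes


def triage_elf(data: bytes) -> dict:
    """Return what the ELF32 header alone tells us about a recovered file.

    `truncated` is set when the program header table or the section header
    table (offset + count * entry size) lies past the end of the file: that is
    the shape of a download that ran out of space on a small r/w partition, and
    it is why `file` can name the architecture yet fail to read the rest.
    """
    if len(data) < ELF32_HDR_SIZE or data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file (or shorter than one ELF header)")
    ei_class, ei_data = data[4], data[5]
    if ei_class != 1:
        raise ValueError("only ELF32 is handled here")
    endian = "<" if ei_data == 1 else ">"
    (_ident, e_type, e_machine, _ver, _entry, e_phoff, e_shoff, _flags,
     _ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, _shstrndx) = \
        struct.unpack(endian + ELF32_HDR, data[:ELF32_HDR_SIZE])

    ph_end = e_phoff + e_phentsize * e_phnum if e_phnum else 0
    sh_end = e_shoff + e_shentsize * e_shnum if e_shnum else 0
    expected_min = max(ELF32_HDR_SIZE, ph_end, sh_end)
    return {
        "class": "ELF32",
        "endianness": "LSB" if ei_data == 1 else "MSB",
        "type": {1: "REL", 2: "EXEC", 3: "DYN"}.get(e_type, str(e_type)),
        "machine": EM_NAMES.get(e_machine, "unknown(%d)" % e_machine),
        "size": len(data),
        "expected_min_size": expected_min,
        "truncated": len(data) < expected_min,
        "md5": hashlib.md5(data).hexdigest(),
    }


def matches_kami_ioc(data: bytes) -> bool:
    """Hash match against the one IOC the post gives (the truncated copy).

    A complete copy of the same malware will not match this hash, so treat a
    miss as inconclusive rather than as a clean result.
    """
    return hashlib.md5(data).hexdigest() == KAMI_MD5


def make_elf32_header(machine, shoff, shnum, shentsize=40, phoff=52, phnum=0,
                      phentsize=32):
    """Constructed helper: a bare ELF32 LSB EXEC header for the samples below."""
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8   # class=32, LSB, v1
    return struct.pack("<" + ELF32_HDR, ident, 2, machine, 1, 0x400000,
                       phoff, shoff, 0, ELF32_HDR_SIZE, phentsize, phnum,
                       shentsize, shnum, 0)


# Constructed samples (not real malware). The first claims a 10-entry section
# table at offset 4096 but only 200 bytes exist, as a cut-off download would.
TRUNCATED_SH_SAMPLE = make_elf32_header(42, shoff=4096, shnum=10) + b"\x00" * 148
# The second is an ARM header whose section table fits inside the 100-byte file.
INTACT_ARM_SAMPLE = make_elf32_header(40, shoff=60, shnum=1) + b"\x00" * 48


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else TRUNCATED_SH_SAMPLE
    for key, value in triage_elf(blob).items():
        print("%-18s %s" % (key, value))
    print("matches .kami IOC:", matches_kami_ioc(blob))
```

Run it as `python3 triage_elf.py /path/to/.kami` against a copy pulled off the device; with no argument it triages the constructed truncated sample. The size check is deliberately header-only: a file can also be cut in the middle of a section, so a `truncated: False` result means the tables are in range, not that the binary is complete.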