One specific piece of malware is to blame for a good chunk of IP cameras falling victim to Internet of Things (IoT) botnets, researchers said.
The Persirai backdoor targeted over 1,000 IP camera models, and there had been 120,000 devices vulnerable to this malware, said researchers at Trend Micro.
The malware, which uses a zero-day vulnerability to spread from one hacked IP camera to another, allows its operators to execute arbitrary code on the targeted device and launch distributed denial-of-service (DDoS) attacks.
Of the 4,400 IP cameras Trend Micro tracks in the United States, over half have been infected with malware. The percentage of infected cameras spotted by the security firm in Japan is nearly 65 percent.
Over 64 percent of the 3,675 compromised devices located in the United States, Japan, Taiwan and South Korea have been infected with Persirai, Trend Micro researchers said.
While that is a large number, Persirai is not the only IoT malware targeting IP cameras. Trend Micro said there are three other malware families: Mirai, DvrHelper and TheMoon.
Mirai hit the scene when researchers discovered it was able to infiltrate a huge number of devices across the globe.
Data from Trend Micro shows that, of the hijacked devices it is monitoring in the U.S., Japan, Taiwan and Korea, Mirai accounts for more than a quarter of infections.
Another threat targeting IP cameras is TheMoon. This is actually the oldest IoT malware, but its authors have continued to improve it.
DvrHelper and TheMoon account for 6.8 percent and 1.4 percent, respectively, of the infections seen by Trend Micro.
Researchers said that because the number of potential victims for these malware families is limited, the malware was designed to “lock the door” behind it after infecting a device.
In one case, Persirai attempts to patch the zero-day vulnerability it exploits so it can halt other malware from infecting the device. The catch, though, is that the malware resides only in memory and the changes it makes are not persistent, so the threat is removed when the camera restarts and the camera becomes vulnerable once again.
TheMoon also tries to keep other malware out. It does this by importing specific iptables firewall rules to the device.