Researchers at Incapsula have discovered a botnet that runs on compromised CCTV cameras. There are hundreds of millions, if not billions, of these in the field, and like many Internet of Things devices, their security is an afterthought and not fit for purpose.
The botnet that Incapsula discovered was being used to direct HTTP flood attacks at 20,000 requests per second, originating from 900 CCTVs all over Earth. The researchers have identified another botnet running on network attached storage devices.
While the botnets running on these devices don't harm their owners very much (apart from using up some of their bandwidth), the fact that cameras aimed at potentially sensitive locations and drives holding sensitive data are being compromised at scale by Internet-based attackers suggests some ways in which the owners of these devices could also be victimized by their lack of security.
All compromised devices were running embedded Linux with BusyBox—a package of striped-down common Unix utilities bundled into a small executable, designed for systems with limited resources.
The malware we found inside them was an ELF binary for ARM named (.btce) a variant of the ELF_BASHLITE (a.k.a. Lightaidra and GayFgt) malware that scans for network devices running on BusyBox, looking for open Telnet/SSH services that are susceptible to brute force dictionary attacks.
CCTV Botnet In Our Own Back Yard [Ofer Gayer, Or Wilder, Igal Zeifman/Incapsula]