The Persirai Botnet

By MDL on June 16, 2017

Persirai, the latest botnet family to take advantage of unsecured IoT devices, has overtaken Mirai as the most common webcam botnet, according to new research from the security software company Trend Micro.

Persirai was found on 64% of IP cameras tracked by Trend Micro, more than double the number of the next most prevalent IP camera malware, Mirai. The study also reports that more than one half of US IP cameras tracked by Trend Micro have been infected by malware from one of four camera malware families, which include Persirai and Mirai. The IP camera infection rates in Japan are even higher. Mirai was the botnet responsible for the disruptive DDoS attacks on DNS provider Dyn in October 2016 that rendered services like Amazon, Twitter, Netflix, and PayPal unavailable.

Persirai targets over 1,000 IP camera models, looking for open Universal Plug and Play (UPnP) ports. The malware infects vulnerable cameras, connects them to a command and control server, then downloads software that incorporates the camera into a botnet used to launch DDoS attacks against chosen targets. Persirai uses known vulnerabilities to get a user’s password file, gain access to the device, deploy command injections, and infect other IP cameras.

According to Trend Micro, “botnets built from IP cameras have been responsible for three of the largest ever DDoS attack by traffic volume to date.” Businesses and home users can protect their devices by disabling UPnP on internet-facing devices and keeping devices updated with the latest security patches.

Selected Articles:

Trend Micro, The Reigning King of IP Camera Botnets and its Challengers

SC Magazine, Persirai is tops among four families of IoT camera botnets

Dark Reading, Move Over, Mirai: Persirai Now the Top IP Camera Botnet; New IoT Botnet Discovered, 120K IP Cameras At Risk of Attack