Amnesia is yet another IoT botnet – targets global DVRs

As expected, yet another IoT botnet has reared its ugly head. Discovered by Palo Alto Networks’ specialist Unit 42 security researchers, the new variant of the ‘Tsunami’ IoT/Linux botnet exploits an unpatched remote code execution vulnerability in DVR devices that was publicly disclosed over a year ago.

The affected DVRs are made by TVT Digital but branded and distributed by over 70 vendors around the world. Palo Alto Networks estimates the vulnerability affects approximately 227,000 devices around the globe, based on its scans. Consumers in Taiwan, the United States, Israel, Turkey, and India are the most exposed.

Unit 42 has named the variant ‘Amnesia’ and believes it’s the first Linux-based malware which adopts virtual machine evasion techniques to defeat malware analysis sandboxes. This is a technique which is typically used for Windows and Android malware to determine whether it’s running in a VirtualBox, VMware, or QEMU based virtual machine, and if it detects those environments, it wipes the virtualised Linux system by deleting all the files in file system.

Despite the vulnerability being disclosed a year ago, it appears to have been left unpatched according to Unit 42’s research. You can help protect against Amnesia by blocking domains used for its C&C (Command-and-Control) which include:

  • ukranianhorseriding[.]net


  • inversefierceapplied[.]pw

  • 93.174.95[.]38

A successful attack from Amnesia results in full control of the device and can be used by hackers to carry out DDoS (Distributed Denial of Service) attacks similar to the devastating Mirai botnet last year which disrupted DNS provider Dyn and took popular services including Github, Twitter, SaneBox, Reddit, AirBnB, and Heroku offline, and set a new record for the most traffic in a single attack.

Ilia Kolochenko, CEO of web security company, High-Tech Bridge comments:

“Unfortunately, many manufacturers of IoT devices ignore even the very basic aspects of their devices’ security. Millions of devices cannot be updated if a security flaw is found, or do not allow the change of hardcoded passwords or insecure configurations, such as non-HTTPS access to admin panels. They are insecure and dangerous by design.

In the near future, we will certainly see some people using their technical skills to create IoT destroying worms just for fun, glory, or a joke. While we are talking about cheap and non-critical devices, it can be amusing, but what if a medical surgery equipment is damaged? Product liability claims may bring multi-million lawsuits against the negligent manufacturers, hospitals and doctors may also be held partially liable.

The IoT device market should be strictly regulated, precluding careless vendors from bringing their dangerous products to the market. Today it is mainly about joking. Tomorrow, it will be about people’s lives. Governments should act quickly adapting the law and regulations.”

What are your thoughts on the latest IoT botnet? Let us know in the comments. in hearing industry leaders discuss subjects like this and sharing their IoT use-cases? Attend the IoT Tech Expo World Series events with upcoming shows in Silicon Valley, London and Amsterdam to learn more.

The show is co-located with the AI & Big Data Expo, Cyber Security & Cloud Expo and Blockchain Expo so you can explore the entire ecosystem in one place.

Related Stories

Leave a comment


This will only be used to quickly provide signup information and will not allow us to post to your account or appear on your timeline.