Security Architecture, Application security, Application security, Endpoint/Device Security, IoT, Network Security, Network Security, Security Strategy, Plan, Budget, Vulnerability Management, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

Trend Micro details new IoT DDoS threat

Trend Micro is reporting a new threat to Linux-based Internet of Things (IoT) devices that is specifically able to exploit a specific vulnerability in surveillance cameras made by AVTech.

The threat is called ELF_IMEIJ.A and was originally uncovered by Search-Lab in October 2016 and reported to AVTech. Trend Micro said Search-Labs did not received a response regarding the issue. Much like Mirai, ELF_IMEIJ.A the malware searches for unprotected IoT devices, in this case a camera.

The attacker uses cgi-bin scripts to randomly ping IP addresses searching for a device that is vulnerable.

“Specifically, it exploits CloudSetup.cgi, the reported AVTech CGI Directory vulnerability, to execute a command injection that triggers the malware download. The attacker tricks the device into downloading the malicious file and changes the file's permissions to execute it locally,” Trend wrote.

Search-Labs noted that every user password for the AVTech products is stored in clear text and that an attacker with access to the device itself can easily obtain the full list of passwords.

“By exploiting command injection or authentication bypass issues, the clear text admin password can be retrieved,” Search-Labs initial report on the malware stated.

The points of entry area IP cameras, CCTV equipment and network recorders that support AVTech's cloud environment. Once installed the malware is able to execute shell commands, initiate DDoS attacks (like Mirai) and use the infected devices to spread the malware to others on the network.

Trend noted the IP addresses, all registered in South Korea, from which the malware can be downloaded, are:

There are three IP addresses where ELF_IMEIJ.A can be downloaded, and they are hosted on two separate ISPs.

·         xxp://

·         xxp://

·         xxp://

Search-Labs reported that AVTech has 130,000 devices connected to the intenet.

AVTech was contacted by SC Media, but did not respond.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.