2017-关于《绿盟科技网络视频监控系统安全》的研究报告

2016 绿盟科技网络视频监控系统安全报告绿盟科技 DDoS 攻防研究实验室 © 2016 绿盟科技关于绿盟科技北京神州绿盟信息安全科技股份有限公司（简称绿盟科技）成立于 2000 年 4 月，总部位于北京。在国内外设有 30 多个分支机构，为政府、运营商、金融、能源、互联网以及教育、医疗等行业用户，提供具有核心竞争力的安全产品及解决方案，帮助客户实现业务的安全顺畅运行。基于多年的安全攻防研究，绿盟科技在网络及终端安全、互联网基础安全、合规及安全管理等领域，为客户提供入侵检测 / 防护、抗拒绝服务攻击、远程安全评估以及 Web 安全防护等产品以及专业安全服务。北京神州绿盟信息安全科技股份有限公司于 2014 年 1 月 29 日起在深圳证券交易所创业板上市交易。股票简称：绿盟科技股票代码：300369 目录 2016 绿盟科技网络视频监控系统安全报告一 . 背景 ·································································································································· 1 二 . 全球及中国存安全隐患的网络视频监控系统分布情况 ··············································· 4 2.1 全球存安全隐患的网络视频监控系统分布情况 ························································································· 5 2.2 中国地区存安全隐患的网络视频监控系统分布情况 ················································································ 6 2.3 特征分析 ····································································································································································· 8 三 . 网络视频监控系统的高危漏洞 ······················································································· 9 3.1 弱口令······································································································································································· 10 3.2 后门 ··········································································································································································· 12 3.3 远程代码可执行漏洞 ·········································································································································· 13 四 . 基于网络视频监控系统的僵尸网络 ·············································································14 4.1 LizardStresser botnets ································································································································· 15 4.2 Mirai botnets ······················································································································································ 19 4.3 Luabot botnets ················································································································································ 25 4.4 恶意程序感染方式总结······································································································································ 29 五 . 根源及措施分析·············································································································33 5.1 根源分析 ·································································································································································· 33 5.2 安全措施 ·································································································································································· 34 六 . 总结 ································································································································36 参考资料 ································································································································37 A 《2016 绿盟科技网络视频监控系统安全报告》由如下部门联合撰写绿盟科技 DDoS 攻防研究实验室绿盟威胁情报中心（NTI）绿盟科技威胁响应中心绿盟科技持续关注 DDoS 攻击及相关事件的进展 , 如需了解更多，请联系：特别声明为避免客户数据泄露，所有数据在进行分析前都已经匿名化处理，不会在中间环节出现泄露，任何与客户有关的具体信息，均不会出现在本报告中。版权声明本文中出现的任何文字叙述、文档格式、插图、照片、方法、过程等内容，除另有特别注明，版权均属绿盟科技所有，受到有关产权及版权法保护。任何个人、机构未经绿盟科技的书面授权许可，不得以任何方式复制或引用本文的任何片断。一 . 背景物联网（IoT，Internet of Things）蓬勃发展的同时，基于 IoT 设备的安全问题越来越多，来自 IoT 的巨大威胁也引起了国内外众多安全从业人员的关注，尤其是占据了 IoT 大半的网络视频监控系统。（本文将网络视频监控器、网络摄像头、数字视频录像机等统称为网络视频监控系统）在国外，最近不断爆出有黑客组织利用大量网络视频监控系统发起大规模 DDoS 攻击。2015 年 10 月，Incapsula 公司在其网络中发现一个由 900 个网络摄像头发起的 DDoS 攻击，其最高攻击速率达 20,000 HTTP RPS（Requests Per Second）。今年 6 月，Sucuri 发现一起针对其客户的 DDoS 攻击，最高速率达 50,000 HTTP RPS，峰值达 400Gbps 的 DDoS 攻击，这起攻击是由约 25513 个独立的网络摄像头组成的僵尸网络发起的。到 9 月 19 日，OVH 的 CTO Octave Klaba 在 Twitter 上称他们遭受了一起由 145,607 个网络视频监控设备发起的峰值最高达 800Gbps 的 DDoS 攻击。预计该僵尸网络有能力发动峰值超过 1.5Tbps 的 DDoS 攻击。紧接着 9 月 20 日，专门从事曝光网络犯罪的网站 KrebsonSecurity 就遭受了峰值达 620Gbps 的 DDoS 攻击。Klaba 推测，针对 Krebs 和 OVH 的攻击很可能 [1] 来自于同一个 Mirai 僵尸网络。 [2] 2016 绿盟科技网络视频监控系统安全报告图 1.1 OVH 遭受近 1Tbps 的 DDoS 攻击 2 2016 绿盟科技网络视频监控系统安全报告实际上，我国的网络视频监控系统的安全问题也不容乐观。CNCERT 发布的《2015 年我国互联网网络安全态势综述》中提到 [3] ，“2015 年，CNVD 通报了多款智能监控设备、路由器等存在被远程控制高危风险漏洞的安全事件。2015 年初，政府机关和公共行业广泛使用的某型号监控设备被曝存在高危漏洞，并已被利用植入恶意代码，导致部分设备被远程控制并可对外发动网络攻击。CNCERT 核查发现，我国主要厂商生产的同类型设备，普遍存在类似安全问题，亟需进行大范围整改。”而