kcwf25496

Homeland Security Ransomware hacked surveillance system??


Hello, I'm a computer tech/surveillance installer, and a customer has a computer that was infected with the Dept of Homeland Security type of ransomware virus. I have since removed the virus, but while I was on site at their location, they were showing me the problem. I see these viruses all day every day, so it was nothing really new for me, until the spot that normally activates a webcam connected to the computer was actually streaming a surveillance feed from a surveillance system there at their location. First thing I thought was, it's hacking into the feed through the internet, assuming they had their surveillance system set up for IP viewing, but they don't. There is no direct connection, or even a shared connection of any type, between the surveillance system and the computer with the virus, except for the fact that they both share electrical power from, I'm assuming, the same outlet.

 

I have never seen anything like this, and I've been doing this a long time. How is it possible that it is pulling a live feed from their surveillance system, when they are two completely separate units that have no ties together whatsoever, except the same electricity? I'm really baffled by this and the customer is very upset about this, because this feed needs to be very secure. I have removed the virus so now their priority has turned into securing their, obviously unsecure, surveillance feed. What can I check on to rule out what is causing this? I'm really blown away by this. It's really scary to be honest. I know the limits of technology really know no bounds, but this is a low end surveillance system and a standard desktop PC, and I honestly can't fathom how this is even possible.

 

 

Also wanted to add a side note, when it's loading the camera picture, there's at least a 10-20 second delay before it pulls the picture. Two examples... When you turn the computer on, and the virus loads up, there's a black box where the camera feed will eventually be. It stays black/blank for the 10-20 seconds, then it loads the picture that is being displayed on the surveillance system monitor. We played around with it to try to figure it out a little more, and found that if you change the surveillance system to a different camera, the surveillance system of course works as normal and immediately changes the picture, but after the 10-20 seconds on the virus window, it will then change the picture there too, to whatever you changed it to on the surveillance system. There's about a 10-20 second delay. It's just so so weird...

 

 

After an email to NightOwl (the manufacturer), they said

 

"If the DVR has never been connected, then there's literally no way for it to be pulling anything from the DVR. The only thing I can think of is that it's pulling some sort of cached files from your browsing history."

 

I can understand where he's coming from, SO let's ASSUME, just for worst case purposes, that it was networked in the past, because I'm just going off of what the customer said and I can't prove it 100%. So let's assume that the DVR was connected to the internet in the past, and it was IP viewed on this computer that's in question. Let's assume that the virus is pulling browser history/cache and accessing that IP address. That brings us back to the fact that, THERE IS NO ETHERNET CONNECTION TO THE DVR! So even if that were true about it being connected in the past, it's not connected now, so there's no way that theory could even remotely be possible. So we are back at square one, WHERE/HOW is it pulling this feed? Is there some type of radio signal that can be transmitted from DVR to computer that nobody knows about? Is this a major loophole in computer/DVR systems that I'm the first one finding out about?

 

I have asked them to escalate this issue to their top levels of support because this is a huge huge security breach if it's magically pulling the feed out of the air, literally.

 

Just for reference, the DVR model number is Scorpion-168500

 

I don't know if this is the proper thread for this, so if a mod sees fit to move it to a more proper thread, please do so.

 

Someone/anyone please toss out some brainstorm ideas that we can try to go off of to try to narrow this down, and thank you in advance for any help.

 

CF


Basic Troubleshooting 101: Turn off power to the DVR and all cameras. Are you still seeing this alleged camera feed?


Unfortunately this was a rush situation and I had to get the virus removed ASAP as that computer held very important programs that processed pharmacy orders and had to be up and going ASAP so we didn't spend much time with the camera feed situation. Didn't get pictures or video or anything. What we did do is change the channels on the DVR thinking maybe it was only a screen grab of that one channel, but if we changed the channels on the DVR the picture in the webcam feed of the virus did change too, to the active screen that was being watched on the DVR, although it took about 10-20 seconds before it changed on the virus screen. There was a 10-20 second delay of any activity seen on the DVR. Changing DVR channels would change on the virus screen 10-20 seconds later, and also, if someone walked in front of the camera, you would see it live (obviously) on the DVR, but it would then come across the virus webcam location 10-20 seconds later. Does this give you any more info? I wish it would have been a situation that I could stay and troubleshoot that problem but unfortunately we had to take priority over removing the virus first. Even though this issue wasn't the first priority at the time, it is a high priority, because if the footage can be retrieved magically through the air, we need to figure that out.


And just a more direct answer to your question, since I can't try that to replicate it, but I have to assume that the feed would turn off? Why would I assume otherwise? It's a live feed, not just a screenshot, it's a live motion moving feed that mimics the live DVR feed, only with a 10-20 second delay.


Normally when I have a situation like that I take an image of the computer's hard drive for later analysis...

 

If that computer was infected with that much spyware I'd be very careful about just removing it and letting them keep going. As you well know, most viruses/spyware these days download other viruses and spyware, so given enough time the computer becomes unusable. There are plenty of good free anti-virus programs around.... Avast... AVG etc.

 

As others have said, be VERY sure that it's actually a live feed before rushing to any conclusions.

 

 

If it is getting a live feed then start looking at how it's getting to that computer... Unplug any ethernet or wireless connection that computer has and see what happens. Is it possible that at some point this company bought a camera which has wifi capability and maybe someone loaded the camera software onto the computer? The feed might not have been from the DVR itself but direct to a camera.


 

 

It was an extremely rush job, as this was a very vital computer, so I had to get the computer functioning as fast as possible. So just to re-affirm that it was a live feed, when someone would walk in front of it (real time), it would then show up on the virus feed 10-20 seconds later, as all feed from the DVR did. If we changed channels on the DVR, it would then feed on the virus screen whatever was then live on the DVR screen, 10-20 seconds later. I'm not able to replicate any situations or scenarios at this time, since the virus is fixed. What I can tell you is that, I didn't repair the virus infection at that location. I took it to my office, and the feed was not showing on the screen at my shop. I forgot to mention this part earlier, and I know this is an important fact. And no, none of the cameras are wifi, but even if they were, it wasn't feeding from "insert camera number here" only, it was feeding what was active on the DVR screen at the time, not only certain cameras.

 

I have been talking with a few electrical engineers since the manufacturer is basically telling me that I have no clue what I'm talking about and I'm making this up because there is no way that it's possible and I can't provide video/photo proof. The electrical engineers have been telling me it is not only 100% possible, but it is 100% likely that the footage is coming through the electrical circuits of the building. The feed is being picked up by electrical currents in the DVR and cycling through the building's electrical system, back to the computer, providing the live feed. Since the fact that the only two things that the two systems have in common is the fact that they are plugged in to the same outlet, that's all I had to go on, so I started asking around. Not only is this possible, but it's probably likely.

 

Some of you may or may not have heard of this next technology, as it never got *really* popular, but I was brainstorming and thought of these things when thinking about this. There are networking devices with which you can wire your whole home with Ethernet ports, without wiring Ethernet cable. You plug this device into a power outlet near your modem, then plug an Ethernet cable from your modem to this device, then you can plug any additional amount of these devices across your home, plug an Ethernet cable into it, and you have internet from your modem. So when I thought of this, it reminded me that it is 100% possible to transmit data via electrical wires. So now the question is how is the DVR *leaking* this info into the electrical system, or is that just a side effect of electrical components? And how is the computer/virus smart enough to find this feed coming in the electrical system, and broadcast it? Here's a link to an example of the home networking devices I was talking about: http://www.newegg.com/Product/Product.aspx?Item=N82E16833124500


I use Ethernet over power all the time, it works great.

 

Since you know it's coming from the DVR, I'd have then started by putting a surge protected power board on it (the surge protected boards stop EoP working).

 

Other than that I'd be having a close look at how everything's connected, and you'll probably find the answer.


I'm going to be going back first of next week to do some more troubleshooting. One thing I'm going to try to do is, take a computer with the same OS as the computer that was infected, and infect it with the same virus myself, and try to replicate the problem, so that I can have proper time to work on and diagnose the issue without having to rush to get the virus off like the original situation.


Honestly I'm not even sure where I'm going to find a download of it haha.. I mean who actually goes out and says, HEY WHERE CAN I DOWNLOAD THE FBI VIRUS?? ANYONE?? I'm gonna spend this weekend looking for it and testing it out. I have plenty of computers for sale that I can test with and infect, and just reformat when I'm done.


That's pretty much the same one. There are multiple brands/versions/whatever you want to call it. The exact one that was infected was the Department of Homeland Security MoneyPack branded virus, but I think in theory any of those same viruses that has the webcam picture available will be sufficient. I just want to try to duplicate it as closely as possible.

And just a more direct answer to your question, since I can't try that to replicate it, but I have to assume that the feed would turn off? Why would I assume otherwise?

 

If you power off the DVR and you still see the feed, then it's not coming from the DVR. It may be coming direct from a camera.

If you power off the camera and you still see the feed, then you really have to challenge your assumptions.

 

I have been talking with a few electrical engineers since the manufacturer is basically telling me that I have no clue what I'm talking about and I'm making this up because there is no way that it's possible and I can't provide video/photo proof. The electrical engineers have been telling me it is not only 100% possible, but it is 100% likely that the footage is coming through the electrical circuits of the building. The feed is being picked up by electrical currents in the DVR and cycling through the building's electrical system, back to the computer, providing the live feed.

 


 

I once had a support "engineer" tell me that the reason my system was not powering up was "it must be the power in your cubicle."

 

Time for a little reality check here. Yes, "network over power lines" technology does exist, but it doesn't just happen magically by itself - it requires special equipment at both ends to transmit and receive the data. So unless the infected PC has one of these special receiver boxes attached to it, it is approximately 0% possible and 0% likely that the feed was coming over the power lines.

 

A more rational explanation would be that this virus made use of a recently-discovered DVR exploit and used it to retrieve a live feed from the DVR or directly from one or more of the cameras (if they are IP cams). Of course, we'll never know for sure now.

 

For further reading:

https://community.rapid7.com/community/metasploit/blog/2012/06/05/mays-top-10-most-searched-metasploit-exploit-and-auxiliary-modules

http://www.networkworld.com/community/blog/exploiting-universal-plug-n-play-protocol-insecure-security-cameras-network-printers
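The reality-check post above boils down to one testable claim: if the infected PC really displayed the DVR's picture, some process on that PC had a network socket to the DVR, to a camera, or to some other device on the LAN. The script below is an added example, written for this thread and not code from the forum or from anyone posting in it. It parses Windows `netstat -ano` output (a constructed sample is embedded so it runs offline) and lists every socket whose remote end is the DVR's address or any other RFC 1918 / link-local address, with the owning PID so it can be matched to the malware's window in Task Manager. The PC address 192.168.1.20, the DVR address 192.168.1.50 and the PIDs are placeholder assumptions.

```python
"""
Rule out (or confirm) a network path between the infected PC and the DVR.

Added example, not code from the thread. Parses Windows `netstat -ano`
output and reports every socket whose remote end is the DVR or any other
RFC 1918 / link-local address, together with the owning PID.
"""
import ipaddress
import re

# Constructed sample in the layout `netstat -ano` prints on Windows.
# 192.168.1.20 is the PC; 192.168.1.50 is the assumed (placeholder) DVR address.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    192.168.1.20:49152     192.168.1.50:554       ESTABLISHED     3120
  TCP    192.168.1.20:49160     203.0.113.8:443        ESTABLISHED     3120
  TCP    192.168.1.20:49171     198.51.100.23:80       TIME_WAIT       0
  TCP    192.168.1.20:49180     192.168.1.77:8000      ESTABLISHED     3120
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    192.168.1.20:137       *:*                                    4
"""

# One netstat row: proto, local endpoint, remote endpoint, optional state, PID.
LINE_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)

# Address ranges that mean "somewhere on the local network" (RFC 1918 + link-local).
# Deliberately not ipaddress.is_private, which also matches documentation ranges.
LAN_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]


def parse_netstat(text):
    """Return (proto, local, remote, state, pid) rows; header/blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rows.append((m["proto"], m["local"], m["remote"],
                         m["state"] or "", int(m["pid"])))
    return rows


def split_endpoint(endpoint):
    """Split 'host:port' (also '*:*' and '[v6]:port') into (host, port)."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def is_lan_address(host):
    """True for RFC 1918 / link-local IPv4 addresses; False for '*', names or IPv6."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in LAN_NETS)


def find_lan_paths(netstat_text, dvr_ip):
    """List sockets whose remote end is the DVR ('dvr') or another LAN host ('lan')."""
    findings = []
    for proto, local, remote, state, pid in parse_netstat(netstat_text):
        host, _port = split_endpoint(remote)
        if host == dvr_ip:
            reason = "dvr"
        elif is_lan_address(host):
            reason = "lan"
        else:
            continue
        findings.append({"pid": pid, "proto": proto, "remote": remote,
                         "state": state, "reason": reason})
    return findings


if __name__ == "__main__":
    # Real use: paste in the output of `netstat -ano` taken while the
    # malware's window is showing the picture, plus the DVR's LAN address.
    for f in find_lan_paths(SAMPLE_NETSTAT, "192.168.1.50"):
        print(f"PID {f['pid']:>6}  {f['proto']}  {f['remote']:<22} "
              f"{f['state']:<12} {f['reason']}")
```

An empty result while the picture is on screen would be the evidence the manufacturer is asking for; a hit on the DVR's address (port 554 is the usual RTSP port on such units) or on some other LAN host points at the path to chase, and the PID tells you which process owns it. The same check is also the cheap way to test the last poster's theory that a monitor output of the DVR is wired into an encoder: that encoder would show up here as the unexpected LAN host.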


Considering nothing that you said makes any sense, and goes against everything I have already told you, just no. It is not feeding from any individual cameras, it is feeding whatever live feed is being shown on the active DVR screen. We have already proved that the feed is coming through the electrical circuits, now the task is figuring out how/why.

 

"A more rational explanation would be that this virus made use of a recently-discovered DVR exploit and used it to retrieve a live feed from the DVR or directly from one or more of the cameras (if they are IP cams). Of course, we'll never know for sure now."

 

What? How many times do I have to say that nothing related to the surveillance system is connected to the internet? Not the cameras, not the DVR, nothing. Please go back and read my posts because you obviously didn't read any of it. Every single thing you said had already been proven wrong in my previous posts.

What? How many times do I have to say that nothing related to the surveillance system is connected to the internet?

 

Who said anything about the Internet?

 

We have already proved that the feed is coming through the electrical circuits, now the task is figuring out how/why.

 

It's clear you have your answer. I'm sorry to have wasted your time.


This was the funniest and most confusing thing I have read all week, and I got fired by a complete IDIOT this week!


+1 for funniest and confusing

why did u get fired?


Yeah, agreed on the funny ****, but I'm assuming with enough investigation a simple and obvious answer will present itself, not a tin foil hat one lol.

 

+1 on how did you get fired?


I guess fired is the wrong word... mismanagement basically allowed the company to run out of money so they cannot make payroll and they terminated everyone on the spot. I have already had two interviews today and if things go well I will have a new job before my unemployment papers even arrive.


If nothing is connected to the Ethernet port on the DVR, the only other rational explanation I can think of is that one of the monitor outputs from the DVR is connected to some other device that is encoding the video into an IP format.

 

To test that theory, you could disconnect the monitor output from the DVR. If you lose the video at that point, you need to chase down what's at the other end of that cable.
