Thought this would be worth writing up as a heads up.
This IMS3000 is installed on a very large university campus with a serious and proactive IT security team. A few days ago, the user reported slow ingestion, pauses/stutters during playback, and difficulty downloading a "detailed report" log package when I asked for one. When one was finally obtained, the log analysis had multiple "out of memory" errors, which I'd never seen before.
image.png
Very shortly afterwards, the school's IT guys raised the alarm, stating that they saw network traffic suggesting that the IMS3000 was being used for cryptocurrency mining and trying to make contact with a remote site, the address and port of which were known to belong to bad actors.
When I got to the site yesterday, my intention was to download a configuration backup, "nuke" the bootflash drive by connecting it to a PC using a 9-pin Dupont to USB adapter, rewrite a fresh system image to it, reboot the IMS3000, and install the backup.
First alarm bell: the configuration settings .dbk file I downloaded was 55 megabytes (as were all the auto backups that it had done)! As most of you will know, it's almost unheard of for one of these files to be bigger than one megabyte. I scanned it with Windows Defender, which found this:
image.png
The next problem was that using the Dupont to USB adapter, three separate computers simply wouldn't see the bootflash drive (even as a device, let alone any partitions) at all. I tried it on my dual booting laptop, booted into both Windows and Ubuntu, a Windows PC in the booth, and a Mac desktop in the booth. In the end, I had to create an emergency boot USB stick. Needless to say, I reconstructed the configuration settings manually, and did not restore the infected backup.
The IT security people have scanned the external NAS for this IMS3000, and concluded that its operating system is not infected. Based on their analysis of network activity, they believe that the infection most likely happened via an infected DCP shipping drive, and narrowed it down to a time window that implicates one culprit. Annoyingly, that drive has now been returned and is no longer in the booth for analysis.
Dolby are going to ship a new bootflash drive to us, but I would like to be able to figure out why I wasn't able to get into the infected one using the Dupont to USB adapter.
Again, I thought this worth mentioning, in case anyone is experiencing similar symptoms, or does in the future. The most obvious evidence of the infection is the abnormally large size of the backup file, combined with "out of memory" errors in the log analysis.
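To turn the indicators from the post above into something you can run against an exported backup folder, a "detailed report" log and a connection log, here is an added triage script. It is not from the original post and not Dolby's code; the 1 MB size threshold is taken from the post's rule of thumb, the ELF-magic heuristic (an embedded Linux executable inside a configuration backup), the log and connection-log line formats, the server IP and the watch-listed address:port are all assumptions made up for illustration, and the sample data is constructed, not real IMS3000 output.

```python
"""Added triage example for the three indicators described in the post:
oversized .dbk configuration backups, 'out of memory' lines in the
detailed-report log, and outbound connections from the server to a
watch-listed address:port.  Thresholds, formats and sample data are
assumptions for illustration, not real IMS3000 artefacts."""
import re
from collections import namedtuple

DBK_SIZE_LIMIT = 1 * 1024 * 1024   # assumed: a .dbk above ~1 MB is abnormal
ELF_MAGIC = b"\x7fELF"             # assumed: a dropped Linux binary would be an ELF
OOM_RE = re.compile(r"out of memory", re.IGNORECASE)
# assumed connection-log line format: "<ts> <src_ip>:<port> -> <dst_ip>:<port>"
CONN_RE = re.compile(
    r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+->\s+(\d+\.\d+\.\d+\.\d+):(\d+)$")

Finding = namedtuple("Finding", "kind detail")


def check_backup(name, blob, limit=DBK_SIZE_LIMIT):
    """Findings for one .dbk: oversize, plus every ELF header found inside it."""
    findings = []
    if len(blob) > limit:
        findings.append(Finding("oversized_backup", f"{name}: {len(blob)} bytes > {limit}"))
    offset = blob.find(ELF_MAGIC)
    while offset != -1:
        findings.append(Finding("embedded_elf", f"{name}: ELF header at offset {offset}"))
        offset = blob.find(ELF_MAGIC, offset + 1)
    return findings


def check_log(log_text):
    """One finding per 'out of memory' line in the detailed-report log."""
    return [Finding("oom", line.strip())
            for line in log_text.splitlines() if OOM_RE.search(line)]


def check_connections(conn_log, server_ip, watchlist):
    """Flag connections from the server to any (ip, port) on the watchlist."""
    findings = []
    for line in conn_log.splitlines():
        m = CONN_RE.match(line.strip())
        if not m:
            continue                      # ignore lines that do not fit the assumed format
        ts, src, _sport, dst, dport = m.groups()
        if src == server_ip and (dst, int(dport)) in watchlist:
            findings.append(Finding("watchlisted_connection", f"{ts} {src} -> {dst}:{dport}"))
    return findings


def triage(backups, log_text, conn_log, server_ip, watchlist):
    """Run all checks; returns {finding kind: [detail, ...]}."""
    findings = []
    for name, blob in backups.items():
        findings.extend(check_backup(name, blob))
    findings.extend(check_log(log_text))
    findings.extend(check_connections(conn_log, server_ip, watchlist))
    report = {}
    for f in findings:
        report.setdefault(f.kind, []).append(f.detail)
    return report


# --- constructed sample data (hypothetical, not real IMS3000 output) ---
CLEAN_DBK = b"<config><server>booth-1</server></config>"
# a 2 MiB blob with an ELF header buried in it, standing in for the 55 MB backup
BAD_DBK = b"<config>" + b"\x00" * (2 * 1024 * 1024) + ELF_MAGIC + b"\x02\x01\x01" + b"</config>"
SAMPLE_LOG = """\
2024-05-01 10:02:11 ingest: job 4411 started
2024-05-01 10:02:40 ingest: Out of memory: Killed process 2213 (ingestd)
2024-05-01 10:03:02 player: buffer underrun during playback
2024-05-01 10:05:19 backup: out of memory while writing autobackup
"""
SAMPLE_CONN_LOG = """\
2024-05-01T10:00:00 10.20.30.40:51234 -> 10.20.30.5:445
2024-05-01T10:00:05 10.20.30.40:51240 -> 203.0.113.77:3333
2024-05-01T10:00:09 10.20.30.41:40000 -> 203.0.113.77:3333
"""
SERVER_IP = "10.20.30.40"                 # hypothetical IMS3000 address
WATCHLIST = {("203.0.113.77", 3333)}      # hypothetical IOC from the campus security team

if __name__ == "__main__":
    report = triage({"clean.dbk": CLEAN_DBK, "auto_2024-05-01.dbk": BAD_DBK},
                    SAMPLE_LOG, SAMPLE_CONN_LOG, SERVER_IP, WATCHLIST)
    for kind, details in report.items():
        print(kind)
        for d in details:
            print("   ", d)
```

The size check alone would have caught this case (every auto backup was 55 MB), so it is cheap to run over the backup folder on every visit; the ELF scan is a second opinion for when the AV on the booth PC is silent, and the connection check only works if the site can export per-connection logs in a format you can parse.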