kcwf25496

Everything posted by kcwf25496

  1. Hello, I'm a computer tech/surveillance installer, and a customer has a computer that was infected with the Dept of Homeland Security type of ransomware virus. I have since removed the virus, but while I was on site at their location, they were showing me the problem. I see these viruses all day every day, so it was nothing really new for me, until the spot that normally activates a webcam connected to the computer was actually streaming a surveillance feed from a surveillance system there at their location. First thing I thought was, it's hacking into the feed through the internet, assuming they had their surveillance system set up for IP viewing, but they don't. There is no connection directly connected or even a shared connection of any type between the surveillance system, and the computer with the virus, except for the fact that they both share electrical power from, I'm assuming, the same outlet. I have never seen anything like this, and I've been doing this a long time. How is it possible that it is pulling a live feed from their surveillance system, when they are two completely separate units that have no ties together whatsoever, except the same electricity? I'm really baffled by this and the customer is very upset about this, because this feed needs to be very secure. I have removed the virus so now their priority has turned into securing their, obviously unsecure, surveillance feed. What can I check on to rule out what is causing this? I'm really blown away by this... It's really scary to be honest. I know the limits of technology really know no bounds but this is a low-end surveillance system, and a standard desktop PC, and I honestly can't fathom how this is even possible. Also wanted to add a side note, when it's loading the camera picture, there's at least a 10-20 second delay before it pulls the picture. Two examples... When you turn the computer on, and the virus loads up, there's a black box where the camera feed will eventually be.
It stays black/blank for the 10-20 seconds, then it loads the picture that is being displayed on the surveillance system monitor. We played around with it to try to figure it out a little more, and found that if you change the surveillance system to a different camera, the surveillance system of course works as normal and immediately changes the picture, but after the 10-20 seconds on the virus window, it will then change the picture there too, to whatever you changed it to on the surveillance system. There's about a 10-20 second delay. It's just so so weird... After an email to NightOwl (the manufacturer), they said "If the DVR has never been connected, then there's literally no way for it to be pulling anything from the DVR. The only thing I can think of is that it's pulling some sort of cached files from your browsing history." I can understand where he's coming from, SO let's ASSUME, just for worst case purposes, that it was networked in the past, because I'm just going off of what the customer said and I can't prove it 100%. So let's assume that the DVR was connected to the internet in the past, and it was IP viewed on this computer that's in question. Let's assume that the virus is pulling browser history/cache and accessing that IP address. That brings us back to the fact that, THERE IS NO ETHERNET CONNECTION TO THE DVR! So even if that were true about it being connected in the past, it's not connected now, so there's no way that theory could even remotely be possible. So we are back at square one, WHERE/HOW is it pulling this feed? Is there some type of radio signal that can be transmitted from DVR to computer that nobody knows about? Is this a major loophole in computer/DVR systems that I'm the first one finding out about? I have asked them to escalate this issue to their top levels of support because this is a huge huge security breach if it's magically pulling the feed out of the air, literally.
Just for reference, the DVR model number is Scorpion-168500. I don't know if this is the proper thread for this, so if a mod sees fit to move it to a more proper thread, please do so. Someone/anyone please toss out some brainstorm ideas that we can try to go off of to try to narrow this down, and thank you in advance for any help. CF
  2. Considering nothing that you said makes any sense, and goes against everything I have already told you, just no. It is not feeding from any individual cameras, it is feeding whatever the live feed is being shown on the active DVR screen. We have already proved that the feed is coming through the electrical circuits, now the task is figuring out how/why. "A more rational explanation would be that this virus made use of a recently-discovered DVR exploit and used it to retrieve a live feed from the DVR or directly from one or more of the cameras (if they are IP cams). Of course, we'll never know for sure now." What? How many times do I have to say that nothing related to the surveillance system is connected to the internet? Not the cameras, not the DVR, nothing. Please go back and read my posts because you obviously didn't read any of it. Every single thing you said had already been proven wrong in my previous posts.
  3. That's pretty much the same one. There are multiple brands/versions/whatever you want to call it. The exact one that was infected was the Department of Homeland Security MoneyPack branded virus, but I think in theory, any of those same viruses that has the webcam picture available will be sufficient, I just want to try to duplicate it as close as possible.
  4. Honestly I'm not even sure where I'm going to find a download of it haha.. I mean who actually goes out and says, HEY WHERE CAN I DOWNLOAD THE FBI VIRUS?? ANYONE?? I'm gonna spend this weekend looking for it and testing it out. I have plenty of computers for sale that I can test with and infect, and just reformat when I'm done.
  5. I'm going to be going back first of next week to do some more troubleshooting. One thing I'm going to try to do is, take a computer with the same OS as the computer that was infected, and infect it with the same virus myself, and try to replicate the problem, so that I can have proper time to work on and diagnose the issue without having to rush to get the virus off like the original situation.
  6. It was an extremely rush job, as this was a very vital computer, so I had to get the computer functioning as fast as possible. So just to re-affirm that it was a live feed, when someone would walk in front of it (real time), it would then show up on the virus feed 10-20 seconds later, as all feed from the DVR did. If we changed channels on the DVR, it would then feed on the virus screen whatever was then live on the DVR screen, 10-20 seconds later. I'm not able to replicate any situations or scenarios at this time, since the virus is fixed. What I can tell you is that, I didn't repair the virus infection at that location. I took it to my office, and the feed was not showing on the screen at my shop. I forgot to mention this part earlier, and I know this is an important fact. And no, none of the cameras are wifi, but even if they were, it wasn't feeding from "insert camera number here" only, it was feeding what was active on the DVR screen at the time, not only certain cameras. I have been talking with a few electrical engineers since the manufacturer is basically telling me that I have no clue what I'm talking about and I'm making this up because there is no way that it's possible and I can't provide video/photo proof. The electrical engineers have been telling me it is not only 100% possible, but it is 100% likely that the footage is coming through the electrical circuits of the building. The feed is being picked up by electrical currents in the DVR and cycling through the building's electrical system, back to the computer, providing the live feed. Since the fact that the only two things that the two systems have in common is the fact that they are plugged into the same outlet, that's all I had to go on, so I started asking around. Not only is this possible, but it's probably likely. Some of you may or may not have heard of this next technology, as it never got *really* popular, but I was brainstorming and thought of these things when thinking about this.
There are networking devices, that you can wire your whole home with Ethernet ports, without wiring Ethernet cable. You plug this device in a power outlet near your modem, then plug an Ethernet cable from your modem to this device, then you can plug any additional amount of these devices across your home, and plug an Ethernet cable to it, and you have internet from your modem. So when I thought of this, this reminded me that it is 100% possible to transmit data via electrical wires. So now the question is how is the DVR *leaking* this info into the electrical system, or is that just a side effect of electrical components? And how is the computer/virus smart enough to find this feed coming in the electrical system, and broadcast it? Here's a link of an example of the home networking devices I was talking about: http://www.newegg.com/Product/Product.aspx?Item=N82E16833124500
  7. And just a more direct answer to your question, since I can't try that to replicate it, but I have to assume that the feed would turn off? Why would I assume otherwise? It's a live feed, not just a screenshot, it's a live motion moving feed that mimics the live DVR feed, only with a 10-20 second delay.
  8. Unfortunately this was a rush situation and I had to get the virus removed ASAP as that computer held very important programs that processed pharmacy orders and had to be up and going ASAP so we didn't spend much time with the camera feed situation. Didn't get pictures or video or anything. What we did do is change the channels on the DVR thinking maybe it was only a screen grab of that one channel, but if we changed the channels on the DVR the picture in the webcam feed of the virus did change too, to the active screen that was being watched on the DVR, although it took about 10-20 seconds before it changed on the virus screen. There was a 10-20 second delay of any activity seen on the DVR. Changing DVR channels would change on the virus screen 10-20 seconds later, and also, if someone walked in front of the camera, you would see it live (obviously) on the DVR, but it would then come across the virus webcam location 10-20 seconds later. Does this give you any more info? I wish it would have been a situation that I could stay and troubleshoot that problem but unfortunately we had to take priority over removing the virus first. Even though this issue wasn't the first priority at the time, it is a high priority, because if the footage can be retrieved magically through the air, we need to figure that out.
  9. Hello all. I'm new here and I've got a few questions that if anyone could give some input on, I'd greatly appreciate it. I've read quite a few other posts hoping to find some answers but haven't been through all the thousands of posts to find a specific answer so please be nice if this has been asked before, because more than likely it has. I have done some surveillance system installs on the side now for a couple years, mostly for people that I know that needed them at their business etc.. Well it's taken off a good bit more than ever expected and I'm having a lot of different needs from customers than the "standard" or "typical" type of install that I've done. Typically all that I've done the past couple years is just 4-8-16 channel DVR setups with wired BNC/DC cable to each camera. And of course I've set up IP viewing on their phones and computers so I'm familiar with all of that. Questions that I'm coming across now are such as PTZ options for cameras, and also, larger number than 16ch on a single system. I've seen the occasional 32ch system floating around, but I've been noticing a lot more of the "NVR" type setups coming up in my searches. Now I've never done anything like an NVR setup and I'm not even sure that I fully understand what it is/does or can do. Some examples of what I'm wondering is available are, customer needs 20 cameras but doesn't want to buy a 16ch system + whatever else system, they want it on one system. And also with the option to add more cameras on that system down the road. They need recording function but it doesn't have to be some massive multi terabyte setup. Also just need to IP view on their computer / phone. Sure I could just go with that 32ch BNC DVR system but I'm just curious as to what the other options are because from what I'm reading, there are other options, I just don't think I'm understanding it properly or either these manufacturers aren't really being that informative about what they're selling.
The other main question I have is about PTZ cameras. I've always just used standard stationary BNC cameras. What all do I need to know about PTZ cameras as far as installation / connection hookups / specific DVR type requirements etc...? Also I don't even know what to look for / how to shop for PTZ cameras, other than the obvious, just searching for PTZ cameras. Can PTZ cameras work on any DVR system? I was told that they use a different type of connection but wasn't given much detail so I'm really in the dark about PTZ altogether. Any information about any of the above mentioned stuff would be awesome and thanks in advance. Casey
  10. kcwf25496

    Questions mostly about NVR and PTZ options

    Also forgot to mention, wireless cameras are not really an option at this point for this particular question in mind. It will have to be hard wired. As far as the question about the network camera setup, would they physically be wired with Ethernet cable and is power over Ethernet an option, or would each individual camera have to have a power source plugged in at the spot of the camera, or what? Thanks again