Malware in EmpireTech IPC-Color4K-T webplugin.exe

pc1 (n3wb)
I recently bought this camera from Amazon, new condition and sold by "EmpireTech-Andy".
I set up the camera in an isolated environment, and during setup the camera prompts you to download (from the camera's embedded firmware) the webplugin.exe file to enable viewing imaging in a browser. After download, I ran webplugin.exe through Virustotal.com, and it lit up with malware warnings from 28 different analyses.
The virustotal identifier is 469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add , here's the report: VirusTotal
 

wittaj (IPCT Contributor)
It is how the "unknown Publisher" or "potential virus" or "compromised" messages are generated (just called virus moving forward in the rest of this post for simplicity).

It is not a virus; rather, whatever antivirus you are using has flagged it as a potential virus. Some programs look at the total number of users and below a certain number, it is flagged. These specialty type files/programs get false positives all the time.

Now granted we usually don't see it light up VirusTotal with that many, but in the big scheme of things this is a newer camera and most people that buy this camera isolate it from the internet, so these antivirus programs never really get to see it either.

If it concerns you that much, then open up VLC or BI or some other program to see the video instead of within the browser. Just keep in mind depending on the camera, some functionality may be lost as the plugin may allow the browser to show some other features.
 

pc1 (n3wb)
> What browser are you using?
>
> The last cams I've received from Andy (Dahua-OEM) over the past 2 years and both my 3 year old Amcrest (Dahua-OEM) cams work with a Chromium-based browser with no plug-in.
The browser is chrome Version 122.0.6261.129 (Official Build) (64-bit), win10 pro current update.
I also have many other cams (Amcrest) that display fine in chrome without a plugin, however this camera has a jittery display in chrome, and it then prompts the user to download and install the webplugin.
 

pc1 (n3wb)
> It is how the "unknown Publisher" or "potential virus" or "compromised" messages are generated (just called virus moving forward in the rest of this post for simplicity).
>
> It is not a virus; rather, whatever antivirus you are using has flagged it as a potential virus. Some programs look at the total number of users and below a certain number, it is flagged. These specialty type files/programs get false positives all the time.
>
> Now granted we usually don't see it light up VirusTotal with that many, but in the big scheme of things this is a newer camera and most people that buy this camera isolate it from the internet, so these antivirus programs never really get to see it either.
>
> If it concerns you that much, then open up VLC or BI or some other program to see the video instead of within the browser. Just keep in mind depending on the camera, some functionality may be lost as the plugin may allow the browser to show some other features.
Thanks, I understand that some vendors on virustotal are less rigorous and will generate a false positive based on loose heuristics. I've seen other webplugins from various cameras with a few low confidence virustotal hits, and they're fine. This one however lights up way too many vendor analyses with significant assessments. All my cams are on an isolated net blocked from internet access (with black-holed gateway and DNS). Regardless, the voluminous virustotal hits are a high confidence indicator the camera firmware has been compromised, perhaps in the supply chain, and there's no way I'll trust it on any system, isolated net or not. There's a non-zero probability that it contains additional stealth malware that uses other threat vectors to compromise other devices on the isolated net.

Before I return the camera, I might set it up again in an isolated sandbox with a vanilla config, and run wireshark/geoip to evaluate its traffic attempts.
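An added, defender-side example of the kind of egress review described in the post above (my code, not from any poster or from the camera vendor): it parses a constructed firewall-log CSV for hosts on the isolated camera VLAN and reports every attempt to reach an address outside the operator's local networks, including DNS lookups that a black-holed resolver would have blocked. The CSV layout, the camera subnet and the local-network list are assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample export in a generic firewall-log CSV shape; addresses use
# private and documentation ranges and are not taken from any real appliance.
SAMPLE_LOG = """ts,src,dst,proto,dport,action
2024-04-05T10:00:01,192.168.50.21,192.168.50.1,udp,53,block
2024-04-05T10:00:01,192.168.50.21,198.51.100.53,udp,53,block
2024-04-05T10:00:02,192.168.50.21,203.0.113.17,tcp,443,block
2024-04-05T10:00:03,192.168.50.21,192.168.50.10,udp,123,pass
2024-04-05T10:00:04,192.168.50.22,192.168.50.10,udp,123,pass
2024-04-05T10:00:05,192.168.50.22,192.168.50.10,tcp,587,pass
"""

CAMERA_NET = ipaddress.ip_network("192.168.50.0/24")       # assumed camera VLAN
LOCAL_NETS = [ipaddress.ip_network(n) for n in             # assumed operator LAN ranges
              ("192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12")]


def is_local(addr):
    """True when addr lies inside one of the operator's own network ranges."""
    return any(addr in net for net in LOCAL_NETS)


def summarise_egress(log_text, camera_net=CAMERA_NET):
    """Per camera host: external destinations tried, DNS targets, blocked count."""
    report = defaultdict(lambda: {"external": [], "dns": [], "blocked": 0})
    for row in csv.DictReader(io.StringIO(log_text)):
        src = ipaddress.ip_address(row["src"])
        if src not in camera_net:
            continue                       # only interested in camera traffic
        dst = ipaddress.ip_address(row["dst"])
        entry = report[str(src)]
        if row["action"] == "block":
            entry["blocked"] += 1
        if not is_local(dst):              # anything leaving the LAN is notable
            entry["external"].append(f'{dst}:{row["dport"]}/{row["proto"]}')
        if row["proto"] == "udp" and row["dport"] == "53":
            entry["dns"].append(str(dst))  # DNS attempts, local or not
    return dict(report)


def hosts_with_egress(report):
    """Camera hosts that tried at least one non-local destination."""
    return sorted(h for h, e in report.items() if e["external"])
```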
 

Peeper (Young grasshopper)
> the voluminous virustotal hits are a high confidence indicator the camera firmware has been compromised, perhaps in the supply chain, and there's no way I'll trust it on any system, isolated net or not.
This is a valid concern. If you use software to detect potential viruses, should you pay attention to the warnings and results or ignore them? I previously let hikvision cameras install a plugin and came to regret it. How do you know?

I now face the same issue. Just added the 4MP turret from Empiretech. When trying to configure the AI tripwire feature it wanted the plugin to be installed to enable the feature. My firewall jumped up and warned against doing that.
 

MarioBoo (n3wb)
If Kaspersky detects it as a virus then it is highly likely that it contains one. Maybe it got infected by something else on your computer.
 

looney2ns (IPCT Contributor)
> If Kaspersky detects it as a virus then it is highly likely that it contains one. Maybe it got infected by something else on your computer.
Do you feel lucky? Trust Putin?
Kaspersky Lab is a Russian multinational cybersecurity and anti-virus provider headquartered in Moscow, Russia, and operated by a holding company in the United Kingdom. It was founded in 1997 by Eugene Kaspersky, Natalya Kaspersky and Alexey De-Monderik. Wikipedia
 

ThomasCamFan (Pulling my weight)
+1. Windows security reported my Color4K-T's plugin is Trojan infected. The Trojan is named "Win32/Wacatac.H!ml". The details say: "This program is dangerous and executes commands from an attacker."

Fortunately the camera's web interface works without it. But it is worrisome that the plugin is suspect.

Sure, could be a false positive. But commercial code writers should test their work to avoid such things from messing with users. Plus, provide an updated plugin if it is detected later by any major antivirus software. Otherwise expect pitchforks and angry mobs.

- Thomas
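Added example (mine, not from any poster) of how a practitioner reads a long list of engine hits like the ones discussed in this thread: it separates generic or heuristic verdicts (labels carrying tokens such as !ml, Heur, Gen or a reputation score) from family-named signatures, so "N engines flagged it" can be compared with "how many engines agree on a named family". The engine names, labels and the family name are constructed for illustration, not taken from the real report; the assumption that such tokens mark heuristic rather than signature verdicts reflects common vendor naming, which varies.

```python
import re

# Constructed per-engine verdicts in a VirusTotal-like shape (None = no
# detection). Engine names and the family "ExampleFam" are made up.
SAMPLE_RESULTS = {
    "EngineA": "Trojan:Win32/Wacatac.H!ml",       # ML verdict, as on the page
    "EngineB": None,
    "EngineC": "Gen:Variant.Heur.Suspicious.17",
    "EngineD": "Malicious (score: 85)",
    "EngineE": "Unsafe",
    "EngineF": None,
    "EngineG": "Trojan.Win32.Agent.generic",
    "EngineH": "W32.ExampleFam.B",
    "EngineI": "Virus.Win32.ExampleFam.b",
    "EngineJ": None,
}

# Tokens that commonly mark a heuristic, ML or reputation verdict rather than
# a signature for a named family (assumption; vendor naming is not standard).
GENERIC_TOKENS = re.compile(
    r"(?i)(!ml|\bml\b|heur|gen\b|generic|suspicious|unsafe|score|malicious|variant|agent)")
# Platform/type prefixes and one-letter or numeric variant suffixes to ignore.
NOISE_TOKEN = re.compile(r"(?i)(w32|win32|trojan|virus|[a-z]|\d+)")


def family_of(label):
    """Best-effort family token from a vendor label, or None if only noise remains."""
    parts = [p for p in re.split(r"[.:/\\ ]", label) if p]
    cand = [p for p in parts if not NOISE_TOKEN.fullmatch(p)]
    return cand[-1].lower() if cand else None


def triage(results):
    """Count flagged engines, split generic vs family-named verdicts, list families."""
    flagged = {e: v for e, v in results.items() if v}
    generic = {e: v for e, v in flagged.items() if GENERIC_TOKENS.search(v)}
    specific = {e: v for e, v in flagged.items() if e not in generic}
    families = {family_of(v) for v in specific.values()} - {None}
    return {
        "engines": len(results),
        "flagged": len(flagged),
        "generic": len(generic),
        "specific": len(specific),
        "families": sorted(families),
    }
```

A high flagged count made up almost entirely of generic verdicts is weaker evidence than a few engines naming the same family, and that is what the split is meant to surface.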
 

Peeper (Young grasshopper)
If you are willing to dismiss warnings about viruses and Trojan malware, why even bother to allow your system to consume time and resources to do the scan you know you will ignore before the results are even in? I don't get that ....
 

wittaj (IPCT Contributor)
> If you are willing to dismiss warnings about viruses and Trojan malware, why even bother to allow your system to consume time and resources to do the scan you know you will ignore before the results are even in? I don't get that ....
Keep in mind what I posted in Post #2:

> It is how the "unknown Publisher" or "potential virus" or "compromised" messages are generated (just called virus moving forward in the rest of this post for simplicity).
>
> It is not a virus; rather, whatever antivirus you are using has flagged it as a potential virus. Some programs look at the total number of users and below a certain number, it is flagged. These specialty type files/programs get false positives all the time.

Usually VirusTotal can confirm it truly isn't a virus when you look at all of the results.

Some of the cameras will work without, but some do still need it. Just another reason we isolate the cameras from the internet and our system.

So you either accept it for the better cameras and mitigate the potential risk or use Ring cameras that bring their own host of issues.
 

bigredfish (Known around here)
I'm aware of 3 4 different ones from Dahua gear

webplugin.exe (which is sitting in my download folder for a year)

websocketserver.exe (which the new GUI installed initially a year or two ago unknowingly; then I found it and deleted it, and it hasn't come back. I was the first to post about it here.)

These two "new" ones are just the past 3-4 days, I'm guessing because I had shut down the NVR and unplugged cameras for a HD addition

The popup ONLY appears if using Edge, Pale Moon, or Firefox. If I use Edge in IE mode it does not appear.


New one my 5442 S3 bullet wants me to download all of a sudden the past 3-4 days - WebSocketServer23450 (does not exist on my PC)
[attachment: cameraplugin.png]

And another new one for my mini PTZ
[attachment: cameraplugin2.png]
 
(unnamed member, joined Apr 5, 2024, Salt Lake City, Utah)
> I recently bought this camera from Amazon, new condition and sold by "EmpireTech-Andy".
> I set up the camera in an isolated environment, and during setup the camera prompts you to download (from the camera's embedded firmware) the webplugin.exe file to enable viewing imaging in a browser. After download, I ran webplugin.exe through Virustotal.com, and it lit up with malware warnings from 28 different analyses.
> The virustotal identifier is 469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add , here's the report: VirusTotal
Any updates to this before I commit?
 

Peeper (Young grasshopper)
> It is not a virus, rather it is whatever antivirus you are using has flagged it as a potential virus ... So you either accept it for the better cameras and mitigate the potential risk or use Ring cameras that bring their own host of issues.
But .... to be fair ... just because it might be a "false positive" does not mean you can across-the-board declare it is not a virus. As I wrote above, if you are willing to dismiss such warnings without any further evidence then why even bother to run the scan at all?

I still have Hikvision cameras that were deinstalled because they did bad things on my network. I won't even give them away to anyone for free after seeing what they did. Remembering that takes me back to the days of using wireshark to monitor my network traffic, and finding cameras that self-configured themselves by opening ports (UPnP) on my network and trying to create admin accounts on my Synology server. I allowed them to use the Synology as a network time server to keep all camera time stamps the same, but why did several of the cameras take it a step further and try to gain admin access to the Synology NAS?

I am fairly new to Dahua (Amcrest) and was hoping not to wade back into this particular pool, but it seems it cannot be avoided. I am not trying to lump Dahua into Hikvision's known problems, just saying I was hoping for a bit more stability. Learning of these virus warnings is ... unsettling ... as long as some doubt remains. It is more difficult to trust Chinese company "B" when Chinese company "A" had known issues with their firmware.

It's a nasty decision to buy a nice AI camera, then face a choice of having to not use advanced features at all, or absorb some risk by installing a plugin you are not 100% confident about.

I wish the manufacturer would provide some conclusive data or information about this. Maybe it is out there but I have not seen it?

There is admittedly much about this I do not know. I do not know any answers other than to say it is a topic of significant concern.
 

pc1 (n3wb)
> If Kaspersky detects it as a virus then it is highly likely that it contains one. Maybe it got infected by something else on your computer.
My isolated testing environment always starts with a clean OS image; the chance of something else on the computer being an infection source is highly unlikely.
 

wittaj (IPCT Contributor)
Yeah we agree with you.

But we keep anti-virus software on the computer to make sure nothing bad gets on it, so this file is automatically scanned. So to lump us in to "why scan if you will ignore it" is not an accurate picture either, as there are many other files we wouldn't blanket accept.

But yes until these companies completely rewrite firmware, some of these will just have these plug-ins we gotta deal with.

Many folks here do constant sniffing of what is happening on their network and would point out quickly if any of these were bad actors.
 

bigredfish (Known around here)
Did you miss the part where I said I've been running these for over a year and simply tell the camera NO when asked to install the plugin and they work fine?

I also have two of said cameras sitting directly on the LAN over the past 24 hours so I could positively identify them and their network activity. Along with the NVR that holds the scary webplugin.exe.
Malwarebytes, CCleaner, Bitdefender, and Windows all find nothing. Zilch

These are the logs from the hardware firewall appliance showing they aren't talking to the Interwebs.

Camera
[attachment: IMG_6193.jpeg]

NVR - sending email alerts is all it does (because I have it set to do this)
[attachment: IMG_6194.png]
 