How is this bin file supposed to be applied to a camera ?
Well. you run it. What happens then is: the file decrypts itself using syscalls, then does a series of checks to make sure it is not being debugged. When all checks pass, it decrypts parts of itself again, drops busybox, talks to *.ipc.net, submits camera serial, model id, and bootparams ioctl data, gets a "license" file, decrypts the file (using camera serial number and datecode as key), which turns it into script, RUNS THAT SCRIPT, checksums a whole lot of files, creates a backdoor account (root:ERI2doRibqoC.:0:0:root:/root/:/bin/sh), starts dropbear on port 55555, makes a few changes, unpacks additional languages, and sends an email to <camera model+serial+date>@ipc.net using included busybox with sendmail support. Not exactly in that order.
The patcher itself is a simple kernel module that intercepts ioctl. 99% of time the guy spent on wrapping all that in crypto.
ipc.net appears to be owned by some domain squatter, and the only email address associated with it is
rob@selvi.ipc.net. There are a couple of dudes named Rob Selvi on linked whose backgrounds make them good candidates to attribute the hack to. One of them happens to be an executive at Sonicwall. I hope it is the Sonicwall guy. Rob -- I know what you do for fun!!! Timestamps in the app use DD-MM-YY date format, so the guy is likely not from the US.
