Malware in EmpireTech IPC-Color4K-T webplugin.exe

Regarding:

"Many folks here do constant sniffing of what is happening on their network and would point out quickly if any of these were bad actors."

Is it fair to say that PC1 did exactly that in the first post of this thread? Pointed out legitimate concerns and got a response to dismiss the concerns?

In post 5, he backed his concerns with significant knowledge about the subject. In post 18, he then described an isolated test environment. So PC1 seems like a quality contributor. At least it sounds legit?

Then Thomas writes (post 11) his Windows security also reports a Trojan infection.

The first camera I purchased wanted to run the plugin. I did not allow it. So the tripwire "AI feature" does not work. I have only motion detect. When I purchased I had no idea I would be stuck in the middle of deciding between accepting a plugin "they" say has malware, versus owning a camera with features I cannot use.

I could reinstall wireshark and do extensive testing as I did in response to the Hikvision compromised firmware. (Which did discover malware.) I really, really don't want to have to repeat that. It consumed a great deal of time. I only did that because of the quantity of Hikvision cameras. In this case, I have only one of these cameras so circumstances are different. There are other camera choices; Ring is not one of them. But I have not yet decided on anything-- other than wanting to learn more.

I repeat again it is not fair to lump one company in with the problems of another. But I would very much like to see more information about this.

I repeat: "I do not know any answers other than to say it is a topic of significant concern."
 
fyi, I've separately pinged Empire Tech and the amazon seller, asking them to comment on the situation. If/when they respond I'll post it in this thread.
 

EmpireTech and the amazon seller EmpireTech-Andy that you referenced in the first post are one and the same person.
 


@pc1 has not reported back the findings in a completely isolated system and doing sniffing to see if any funny behavior is going on. I am under the impression he hasn't run the .exe file yet.

Regardless, in your first situation with Hikvision, I suspect that would have occurred whether you ran the plug-in or not. I know there is a thread here from many years ago where someone showed how much the Hikvision was trying crap like that, plug in or not.

Keep in mind that even if the camera doesn't have a downloaded plug-in, there is no guarantee that something shady isn't in the firmware that your anti-virus wouldn't catch. The camera could be trying to phone home, could be trying to gain admin access to your VMS or whatever else one can dream of. This would only be found by sniffing with something like wireshark.

Security camera firmware is notorious for having poor security as it relates to the internet. Ironic isn't it.

There are too many backdoor exploits and other stuff going on, which is why, even if the plug-in passed every virus software program, folks are still going to isolate their cameras from the internet and the rest of their system the best they can.

It comes down to IE was the most popular browser when these cameras started to be made, so they centered the firmware around one particular browser and it needed a plug-in and they got lazy and never updated the internals of the program to play nice with other browsers as more became available and IE started to fade.

Back when the firmware was written, it was probably a pain to get it to play nice with every different browser, so they went with the most popular one.

They haven't had a need to address this because their intended market (hint it isn't us) is mainly businesses where they have enough light they can stay in default settings so they don't have a need to login to the camera via browser and thus don't need to install the plug-in. It is us homeowners that push these to the limits and actually change settings.

Good luck finding a good camera that isn't centered around explorer or begging for this download lol. What other brands are you considering?

Yeah even in 2024, brand new cameras coming off the line are still "requiring" Internet Explorer and the plug-in in many instances. Some cameras are better than others, but IE is the standard if you don't want problems.

Doesn't mean it sometimes works in other browsers, but most here will use Internet Explorer (not edge with IE tab) to ensure they see and get what they expect. Some have had good experience with Pale Moon browser.

Unfortunately Hikvision and Dahua make many of the other brands out there, so you would potentially have the same experiences. Heck even 5 times the cost Axis still recommends Internet Explorer for many of their cameras LOL.



Those that can get "under the hood" in the firmware with the newest Dahua firmware have shown that while the camera can work with another browser without the plug-in, there are some settings behind the scenes that only take if using IE with the plug-in.


So it comes down to do you want cameras capable of capturing low light video and clean images? If so, there are not many options out there.

So like anything in life, there is always a risk. As it relates to these cameras, you try to mitigate that risk as much as possible. Set up the cameras in an isolated sandbox, a computer not connected to the internet, VLAN or dual NIC, wireshark the crap out of your network looking for funny business, etc.
 

I've used a handful of Axis cameras, Axis speakers and Axis Modules. I have never had to use internet explorer with any of those devices. All of them worked properly using Google Chrome without having to download any type of plugin or extension. I also recently attended the Axis Certified Professional class (3 days with an exam at the end) and at no time did we ever use internet explorer or was internet explorer mentioned in the class as being the recommended browser. Axis is very big on cyber security so I find it hard to believe they would recommend internet explorer for any of their devices. However, some of their older devices that are end of life and no longer supported may need IE but that I can't confirm as I don't have access to them.
 

That is why I said "for many of their cameras"...

I didn't say it was absolute for EVERY camera, but someone may get their hands on an Axis camera from ebay or maybe even some specialty camera that still requires it.

Regardless, this is the link of the Axis website where I pulled the info and the latest release is 2021 for the download. Axis typically guarantees updates on their firmware thru the warranty period, which is for 5 years, so they could still have cameras that are EOL but they are still supporting. So either it is still a thing for some cameras or they have an outdated website...



And just because Axis is very big on cyber security doesn't mean they can't be hacked...which is why we recommend isolating the cameras from the internet and mitigate as much risk as we can regardless of who makes the camera.

 
But we keep anti-virus software on the computer to make sure nothing bad gets on it so this file is automatically scanned, so to lump us in to why scan if you will ignore is not an accurate picture either as many other files we wouldn't blanket accept.
I am new here, so there is much I do not know. Such as: I do not understand who "us" is? Are you affiliated with Dahua?

I was pleased to try a camera. Andy shipped it quickly. So far so good! I have had high hopes for it which are somewhat met but somewhat compromised. (I presented the images with improved resolution.) I also need other models such as PTZ. This is why the malware reports are so concerning. I can live with one camera that is underperforming. But I don't want to add more with questions not resolved.

I accept that the underperformance is because of my caution and my decision not to install the plugin. I made a choice. So that decision is on me. To be fair, I had no idea such a decision would come at me following a purchase. Plugin+malwarereports=whoa! And so I am trying to gather more information.

I believe it is in the best interest of all, sellers and customers, that more information on this issue comes out.

I hope there is a good answer and/or resolution to the reported issues. :D
 

No, I am not affiliated with Dahua.

You mentioned earlier "if you are willing to dismiss such warnings without any further evidence then why even bother to run the scan at all?" and I was responding specifically to that statement.

So as it relates to that sentence of mine that you quoted "But we keep anti-virus software on the computer to make sure nothing bad gets on it so this file is automatically scanned, so to lump us in to why scan if you will ignore is not an accurate picture either as many other files we wouldn't blanket accept.", the word "us" means collectively the members of the forum, as in WE are cautious and do our due diligence the best we can by running these files thru VirusTotal, using Wireshark, isolating our networks, etc. to mitigate risks as much as we can. And if that plug-in is needed for the camera to work properly, then so be it because we are trying to mitigate the concerns the best we can.


Since you said you are new, let me give you a little "education" or knowledge that is known by many here regarding your statement "I believe it is in the best interest of all, sellers and customers, that more information on this issue comes out..... I hope there is a good answer and/or resolution to the reported issues"

We simply are not their target audience, it is the professional installers that are authorized to sell and install this gear, so we cannot purchase directly and thus they will not take your phone call for support related questions or suggestions - they will tell you to talk to the installer you purchased from for sales, support or firmware updates. And guess what, those installers don't care.

Many people have bought a "Hikvision" or "Dahua" from Amazon or some shady foreign website or even a legitimate 3rd party seller like Andy and when they call Hikvision or Dahua for support they basically tell them to go pound salt - we have dozens of threads where people come here after trying that route. We simply are not their intended market to sell to and they will not take your call for support...Lots of threads here confirming this, including one from a few months ago where someone tried to call for support and they told them sorry talk to your installer.

And as I said, their intended market is mainly businesses where they have enough light they can stay in default settings so they don't have a need to login to the camera via a web browser and thus don't need to install the plug-in. So to Dahua and Hikvision and to their authorized installers, this is a non-issue.

It is us homeowners that push these to the limits and actually change settings. It sucks LOL, but we aren't the target market for these cams, so until their intended customer complains we are stuck with outdated browsers and plug-ins. So we either deal with outdated browsers and plug-ins but better cameras or go with crap consumer grade cameras that use fancy apps and modern browsers but horrible images.

So until their professional installers and their intended market demand or require it, we won't see it and us complaining they don't care is irrelevant because we are not their intended market. They are not going to reinvent the wheel and throw out all firmware and start new until there is a need from their intended market. They use their existing firmware as the base and build on it. Some cameras work better than others with different browsers, but IE and the plug-in is the sure browser to work with these cameras.

We are just fortunate to be able to get our hands on these types of cameras and a forum like this to help us troubleshoot when needed.

So we can complain all we want and say that is a dumb business practice and they should listen to us and blah, blah, blah, but we are not their targeted market and they are fine with not having us in their market share, just like Ferrari is fine not being in the sub $20K car market LOL.

TL;DR - we will not hear from Dahua regarding the safety of the plug-in. And even if we did, we would still isolate the camera.
 




That's incorrect. Axis typically provides firmware updates on their cameras for about 10 years after the release of the product. Or according to their website, 6 years after the product is discontinued. The camera I purchased for my front door (Q3538-LVE) has Axis OS support until 12-31-2033. So in December of 2033, I will be able to update the Axis firmware on my camera that's 10-years old and still conform to the latest security updates and browser standards.

I did some research and it looks like Axis OS 7.10 added support for Chrome and Firefox browsers which ended the requirement for the Axis Media Control plug-in. This firmware was released in the year 2017. Yes, Axis has long term support for their products. So just because the Media Control plug-in was updated in 2021, does not mean it was required or recommended at that time. They simply were supporting their older, legacy products.

We know Axis has firmware support for their cameras for about 10 years after launch and Axis updated their firmware to not require the plug-in in 2017 which was 7 years ago. So in theory, knowing Axis supports their firmware for 10 years after release, and that the plug-in was no longer required in 2017, we're talking a 17-year-old Axis camera would require Internet Explorer. Now I'll be a little more conservative and say Axis cameras that were released within the past 10 years do not require internet explorer.

So based on that, in my opinion, your statement, "Axis still recommends Internet Explorer for many of their cameras LOL." is egregiously incorrect and very misleading.

Now, I'm not an Axis expert. So if I'm wrong, that's fine. But please provide specific model numbers of Axis cameras that are newer than 10-years where Axis "recommends" internet explorer.


As far as cyber security, I never said Axis is hack proof. There isn't a product that can't be hacked. You should still follow cyber security procedures. However, Axis's cyber security is well above most of the other IP cameras on the market. Including but not limited to secure boot, TPM to prevent firmware tampering, signed video to prove the video recorded from the camera is authentic, ability to use https with signed certificates with support for zero-trust networking etc. etc.
 
I know I have asked this before, and knew the answer, but for the love of me, I can't find exactly where these files are located on Firefox and on Edge?

I'll tell ya, getting older really stinks. Need to start writing everything down in word/notepad or something. sheeze...
 

Since you have the certification and relationship with Axis, ask them why their website states it is the recommended method when using Internet Explorer...;)


After all, if someone is researching cameras, they would come across this page on their website...


Regardless though, as I said, whether a camera has a downloaded plug-in that a computer antivirus will scan or not, you have to accept and trust the actual firmware in the camera isn't doing anything funny that would not be recognized by the antivirus program running on a computer.

To blindly accept or say a camera and its firmware is safer because it doesn't require a plug-in doesn't make it safer and results in a false sense of security...

At the end of the day, Dahua does annual revenue of about $4.5B to Axis at $1.6B, so it isn't like Dahua is some no-name here today, gone tomorrow company.

My entire point is don't trust these things to touch the internet and isolate them in your network the best you can.
 
I know I have asked this before, and knew the answer, but for the love of me, I can't find exactly where these files are located on Firefox and on Edge?
Just type about:plugins into the address bar of your browser and it will show you the path to any installed plugins.
 

Correct, the key word here is, "when using Internet Explorer". That plug-in was required for Axis Cameras that were being viewed with internet explorer. As stated in my previous post, Axis added support for Google Chrome and Firefox in 2017. They did not remove the ability to view Axis cameras with Internet Explorer at that time. So viewing them with Internet Explorer was still an option along with viewing them on other browsers without a plug-in.

Again, the sentence "Axis Media Control is the recommended method for viewing video images in Microsoft Internet Explorer", simply means it is the recommended plug-in when using Internet Explorer. Nowhere in that statement does it say Axis recommends using Internet Explorer to view and administer its cameras. Nowhere. So again, Axis only recommends the Media Control plug-in when using Internet Explorer. Axis does not say "Internet Explorer is the recommended browser for viewing Axis Cameras".

Internet Explorer went EOL in 2022 and Axis has not updated Axis Media Control since 2021. So it's very clear that Axis is not actively supporting Internet Explorer. So again, your statement "Axis still recommends Internet Explorer for many of their cameras" is incorrect. Nowhere on Axis's website does it say Internet Explorer is the recommended browser for Axis cameras.

Also, I'm not blindly accepting Axis's firmware because it doesn't require a plug-in. Axis meets a set of standards including NDAA standards that Dahua cameras cannot and do not meet. I like Dahua cameras too. I think they're great for their price point and offer very good low light capability. However, I like Axis cameras better as they offer better support, better image processing, better integration and offer more such as radar units, outdoor speakers/horns and other security devices that can be natively integrated into a VMS platform.
 
As said in one of the earlier threads, if you're worried submit the installer to one of the reputable AV companies for analysis. Tell them in the narrative that you believe it downloads malware so they don't just check the installer alone. I'm sure it will probably come back as a false positive, but that's the only way to find out.
 
Typically, if you extract the contents of the plugin installer from Dahua (with something like 7-zip) and upload the actual plug-in, not the installer, to VirusTotal, often the false detections go away.

There are cameras with plugins that are infected with malware, but they typically come from much smaller / less reputable brands.

You don't need the plugin anymore typically and most browsers these days won't even run it. There are a few random functions on the camera webpage that may not work without the plugin but you can get by without them.
 
I tested the plugin of my Dahua ITC413 and virustotal said no virus found. I bet yours got infected somehow along the way.

Try this: install the camera on another PC and download the plugin there and scan it again to see if it is the same. Make sure the new PC/laptop is a new Windows install and not connected in any way to the first computer.
 

1: See attached pdf file, listing the contents of the extracted plugin. Please advise which file(s) you identify as the actual plugin, and how you would install it.
2: The plugin is apparently required for some of the advanced useful features to function. (post 21)
 


1: Please check the sha256 hash of your ITC413 plugin. If it's not 469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add, it's not the same plugin as used in the IPC-Color4K-T
2: see post 18
3: see post 11
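
An added example, not part of any post in this thread: one way to run the checks discussed above, comparing a downloaded plugin against the SHA-256 quoted in the thread and comparing the extracted installer contents from two different download PCs. A matching hash means the two files are byte-identical, so any scanner verdict applies equally to both copies; a differing hash means a different build or an altered copy. The file names in `demo()` are constructed sample data, not real plugin contents.

```python
import hashlib
import tempfile
from pathlib import Path

# SHA-256 quoted in the thread for the IPC-Color4K-T webplugin.exe.
THREAD_SHA256 = "469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add"


def sha256_file(path, chunk_size=1 << 20):
    """Stream the file so large installers are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def matches_reference(path, reference=THREAD_SHA256):
    """True only if the file is byte-identical to the one the reference hash came from."""
    return sha256_file(path) == reference.strip().lower()


def manifest(root):
    """Map every file under an extracted installer directory to its SHA-256."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(first, second):
    """Compare the manifests of two copies, e.g. one per download PC."""
    shared = first.keys() & second.keys()
    return {
        "only_first": sorted(first.keys() - second.keys()),
        "only_second": sorted(second.keys() - first.keys()),
        "changed": sorted(n for n in shared if first[n] != second[n]),
        "identical": sorted(n for n in shared if first[n] == second[n]),
    }


def demo():
    """Constructed sample data: two fake 'extracted plugin' trees."""
    with tempfile.TemporaryDirectory() as tmp:
        pc_a, pc_b = Path(tmp, "pc_a"), Path(tmp, "pc_b")
        for d in (pc_a, pc_b):
            (d / "bin").mkdir(parents=True)
            (d / "bin" / "plugin.dll").write_bytes(b"constructed sample bytes")
            (d / "readme.txt").write_bytes(b"constructed readme")
        # Simulate one altered file and one unexpected extra file on PC A.
        (pc_a / "bin" / "plugin.dll").write_bytes(b"constructed sample bytes, modified")
        (pc_a / "extra.exe").write_bytes(b"unexpected file")
        return diff_manifests(manifest(pc_a), manifest(pc_b))


if __name__ == "__main__":
    import sys

    if len(sys.argv) == 2:
        # One argument: hash a single downloaded file and compare to the thread hash.
        print(sha256_file(sys.argv[1]), "matches thread hash:", matches_reference(sys.argv[1]))
    elif len(sys.argv) == 3:
        # Two arguments: compare two extracted installer directories.
        print(diff_manifests(manifest(sys.argv[1]), manifest(sys.argv[2])))
    else:
        print(demo())
```

Run it with one file path to check a single download, or with two directory paths to compare the extracted contents from two machines.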
 
You don't need the plugin anymore ... There are a few random functions on the camera webpage that may not work without the plugin but you can get by without them.
I did not allow the plugin to install. My camera AI tripwire function does not work. All I can use for Event Detection is motion detect.

So instead of triggering only when a vehicle passes through a tripwire, I get motion events when the wind blows, a bird flies by, clouds move, and more. That is a significant difference to lose a major AI feature of the camera.
 
1: Please check the sha256 hash of your ITC413 plugin. If it's not 469705fb3df80c89c67927f4d07e0b3a22ce19811272e86789c18e26e35a8add, it's not the same plugin as used in the IPC-Color4K-T
2: see post 18
3: see post 11

How can they have the same hash if yours is infected? Have you tried my suggestion yet? Isolation without connection to your network. It seems like you are stuck in your ways and don’t want any help.