The security firm Radware has come across two new forms of Denial of Service (DOS) malware that is not only attacking but bricking Internet of Things devices for as an yet unknown reasons.
The initial attacks began on 20 March when BrickBot 1.0 and 2.0 began pinging a Radware honeypot, Radware said in a security alert. Within four days, 1,895 PDoS pentration attempts were recorded from locations worldwide. The malware MO has it searching for open Telnet ports and then brute forces its way into the device, in a manner similar to Mirai. It then corrupts the targets storage destroying it, concluding what is called a Permanent Denial of Service (PDOS) attack.
“Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device,” Radware said.
The attacker uses BusyBox commands, which when combined with MTD and MMC special devices, lead only to Linux/BusyBox-based IoT objects being targeted, Radware said. Again, similar to Mirai.
BrickerBot 1.0's attack period ran out within a few days of launch, but BrickerBot 2.0 is not only still active, but is a much more dangerous opponent as these originate from TOR nodes effectively masking the attack source. Radware registered only 333 incidents BrickerBot 2.0 hits on the honeypot.
Researchers said there remain many unanswered questions about BrickerBot, most importantly why is someone interested in using the malware to destroy a device instead of for financial gain.
“All in all, BrickerBot isn't like anything we've seen before in the landscape of IoT malware. Most IoT malware strains try to hoard devices in massive botnets that are then used as proxies to relay malicious traffic or to launch DDoS attacks. Both of these are lucrative businesses for any cyber-criminal talented enough to hijack large numbers of IoT equipment,” said Lawrence Abrams, founder of Bleeping Computer.
One theory is the work is that of a vigilante, someone determined to wipe out unsecure or poorly secured devices similar to Linux.Wifatch which appeared in 2015, took over unsecure products and then executed commands to make the device more secure, Abrams said.