BrickerBot malware forms a Permanent Denial-of-Service (PDoS) botnet
BrickerBot malware forms a Permanent Denial-of-Service (PDoS) botnet. The BrickerBot malware has been detected on honeypot servers maintained by DDoS protection company Radware. It describes the type of attack as a “permanent denial-of-service” (PDoS).
“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage,” warned the company in a Threat Advisory.
The company claims to have picked up two distinct, different waves of what it has called BrickerBot from different bot-nets. The second, it claims, was concealed by Tor egress nodes.
This form of attack is becoming increasingly popular, Ron Winward, Radware security evangelist, said. He announced the discovery at the Data Center World conference taking place this week at the Los Angeles Convention Center.
“Upon successful access to the device,” said Winward, “the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt internet connectivity, device performance, and the wiping of all files on the device.”
“The BrickerBot PDoS attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim’s devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv’,” warned the company.
By exploiting security flaws or bad configurations, PDoS can destroy the firmware and/or basic system functions. It is different from its well-known cousin, the DDoS attack, which overloads systems with requests meant to saturate resources through unintended usage.
The attacker’s motive has confounded cybersecurity experts because it destroys without benefiting the destroyer. They suspect it could be the work of a vigilante who wants to alert users to unsecured devices.
Victor Gevers of GDI.foundation is however critical of the approach and believes that, “Instead of bricking you could also allow the devices to still work and just patch the vulnerability.”
All in all, BrickerBot isn’t like anything we’ve seen before in the landscape of IoT malware. Most IoT malware strains try to hoard devices in massive botnets that are then used as proxies to relay malicious traffic or to launch DDoS attacks. Both of these are lucrative businesses for any cyber-criminal talented enough to hijack large numbers of IoT equipment.
BrickerBot’s destructive capabilities are something new, which don’t benefit anyone. Not BrickerBot’s author, and certainly not the device owner, who’ll have to reinstall firmware, or even worse, buy a new device.
BrickerBot could also be the work of an Internet vigilante that wants to destroy insecure IoT devices. A similar malware strain first appeared in October 2015.
Called Linux.Wifatch, this IoT malware strain took over insecure routers and then executed commands that improved the device’s security. The creators of this malware open-sourced the code on GitLab, also explaining the reasons why they created the malware to begin with, claiming they had no bad intentions.