A new, more aggressive version of the BrickerBot malware that has compromised and destroyed the memory of IoT devices is now making the rounds, using a familiar infection vector and going after devices with intense bursts of activity.
BrickerBot is a spiritual descendant of Mirai, the IoT-specific malware that has been attacking a variety of embedded devices for months. The difference between BrickerBot and Mirai, though, is that the former doesn’t just infect IoT devices, it also permanently corrupts their memory. The malware’s objective is to take these IoT devices off the board so they can’t be dragged into a Mirai botnet and used in DDoS attacks. Now, researchers have discovered a new version of BrickerBot that follows some of the behavior of its predecessors but also has some new functionality.
“Compared with the original BrickerBot.1, the sequence of commands is very similar. It does not start with fdisk – but goes straight to business. The first six block devices it tries to corrupt (up to and including /dev/ram0) correspond with the BrickerBot.1 attack. The devices mtd0,1 and mtdblock1,2,3 are new for the Busybox version of BrickerBot,” Pascal Geenens of Radware wrote in an analysis of the new version.
“The fdisk commands to try to change the geometry of the block devices are identical to what BrickerBot.1 attempted. The end sequence again tries to disrupt connectivity by removing the default route and disabling TCP timestamps, wiping the root and limiting the number of kernel threads to one.”
BrickerBot.3, as the new version is known, uses the same infection vector that earlier versions of the malware, and Mirai, have used. All of these strains of IoT malware look for devices that have exposed Telnet connections with factory default credentials, and they tend to favor IP cameras and DVRs. BrickerBot variants run a series of commands on infected devices that disconnect them from their network and essentially disable them.
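A defender-side check for the state that end sequence leaves behind, written as an added example (not code from Radware's analysis or from this article). It assumes the three connectivity changes map to the Linux sysctls net.ipv4.tcp_timestamps and kernel.threads-max plus the absence of a 0.0.0.0 destination in /proc/net/route, and it runs against a constructed proc-like tree so it can be tried without a real device.

```shell
#!/bin/sh
# Added example: report indicators of the BrickerBot end sequence on a
# BusyBox-style device. PROC root is a parameter so the same functions can
# inspect the live /proc or a constructed tree (assumption: the three
# changes correspond to the sysctls and route entry checked below).

# read_sysctl <proc_root> <path under sys/>: prints the value, or "missing".
read_sysctl() {
    if [ -r "$1/sys/$2" ]; then cat "$1/sys/$2"; else echo missing; fi
}

# has_default_route <proc_root>: succeeds if net/route carries a 0.0.0.0/0
# entry. Column 2 of /proc/net/route is the destination in little-endian hex.
has_default_route() {
    awk 'NR > 1 && $2 == "00000000" { f = 1 } END { exit f ? 0 : 1 }' "$1/net/route"
}

# bricker_indicators <proc_root>: prints one line per indicator found.
bricker_indicators() {
    root="${1:-/proc}"
    [ "$(read_sysctl "$root" net/ipv4/tcp_timestamps)" = 0 ] && echo "tcp_timestamps=0"
    [ "$(read_sysctl "$root" kernel/threads-max)" = 1 ] && echo "threads-max=1"
    has_default_route "$root" || echo "no-default-route"
    return 0
}

# count_indicators <proc_root>: number of indicators as a plain integer.
count_indicators() {
    bricker_indicators "$1" | wc -l | tr -d ' '
}

# make_sample_proc <dir> <tcp_ts> <threads_max> <route:yes|no>: builds a
# constructed proc-like tree for demonstration only; not a real device.
make_sample_proc() {
    mkdir -p "$1/sys/net/ipv4" "$1/sys/kernel" "$1/net"
    echo "$2" > "$1/sys/net/ipv4/tcp_timestamps"
    echo "$3" > "$1/sys/kernel/threads-max"
    printf 'Iface\tDestination\tGateway\tFlags\n' > "$1/net/route"
    [ "$4" = yes ] && printf 'eth0\t00000000\t0101A8C0\t0003\n' >> "$1/net/route"
    printf 'eth0\t0001A8C0\t00000000\t0001\n' >> "$1/net/route"
}

demo="$(mktemp -d)"
make_sample_proc "$demo/healthy" 1 30000 yes
make_sample_proc "$demo/bricked" 0 1 no
echo "healthy: $(count_indicators "$demo/healthy") indicator(s)"
echo "bricked:  $(count_indicators "$demo/bricked") indicator(s)"
bricker_indicators "$demo/bricked"
rm -rf "$demo"
```

Run it with no arguments for the constructed demo, or call `bricker_indicators /proc` on a device you are auditing; any line of output is worth investigating before assuming a hardware fault.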
The Department of Homeland Security’s ICS-CERT has issued a warning about BrickerBot and is recommending that users disable Telnet connections to potentially targeted devices and change any default credentials.
“ICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack,” the advisory says.
Radware’s Geenens said in his analysis that BrickerBot.3 came out of the box with an intense burst of activity, which then dropped off.
“During the first 12 hours of the attack, a total of 1,118 PDoS attempts were recorded. The attacks all originated from a limited number of clear net IP addresses,” he said.
Image: Quinn Dombrowski, CC by-sa license.