According to a researcher, a newly found malware could be an anti-botnet vigilante tool by bricking the IoT devices that are considered as insecure.
A researcher, Pascal Geenens, who discovered the BrickerBot malware told Cyberscoop that the newly found malicious software could be a creation of a vigilante hacker. The new malware is capable of attacking and destroying insecure connected Internet of Things (IoT) devices, abusing the same security flaws as the infamous Mirai botnet. Geenens said that it is not yet clear how many devices have been damaged by BrickerBot. Since the researcher discovered the new malware when two varieties of BrickerBot attacked his honeypot – a network of computers left on the internet as bait for cybercriminals – he does not clearly know what the impact could be against real IoT devices (the researcher’s honeypot did not contain any actual IoT devices).
BrickerBot’s work is quite simple: it attacks devices by trying to corrupt their firmware and flash memory. According to Geenens, the author could be a vigilante hacker who tries to punish both the careless users and the manufacturers, who designed the devices without any security or did not provide any support to secure the equipment.
“It could be a white-hat-turned-grey-hat,” Geenens said. “The damage might be total, to stop the device from working at all, or it might be almost unnoticeable … It might be more or less permanent.”
The researcher added that some kinds of damage could be fixed by rebooting the devices, however, other devices could be “bricked”, meaning that it is destroyed or rendered useless. Geenens said that none of the users had reported such attacks of the BrickerBot. According to him, webcams are the most vulnerable devices to the attacks of the malware.
In October, last year, hackers launched a devastating attack with using more than 500,000 IoT devices from China, Hong Kong, and South Korea to launch DDoS (distributed denial of service) attacks against victims to demand ransom in bitcoins. The malware recruited such devices into huge botnets, and used their internet connections to deluge targeted sites with fake traffic, knocking them offline in a DDoS attack. In December 2016, a hacker from the same group, known as “BestBuy” claimed that he infected approximately 3.2 million routers by his ineliminable malware, which cannot be fixed or eliminated with a firmware fix, factory reset or clearance of memory. To prove his claims, the hacker shared a live feed of device access updates with the media.
“It could be a black-hat hacker, whose botnet lost out, looking for revenge [on former competitors] by … eradicating the problem,” Geenens added that a furious botnet “herder” could be the creator of the BrickerBot.
According to the researcher, BrickerBot breaks into devices the same way Mirai does, by scanning the internet, looking for their connections and then trying a series of manufacturers’ default passwords. But once successfully connected, it does not install malware to propagate itself, as Mirai does. Instead, the malware sends the compromised device a series of commands designed to cripple it, principally by destroying embedded flash memory or other firmware components.
“My presumption is that those devices had been compromised,” said Geenens about the devices the first version of BrickerBot attacked. The first version of the malware infected about a dozen routers connected to the internet last month, all of them were running outdated operating system firmware.
After the attack stopped, four days passed, and the malware started attacking the researcher’s fake devices. BrickerBot launched 1,800 separate attempts to destroy the fake devices in Geenens’ honeypot.
The second version of BrickerBot, which had started within an hour of the first, continues to this day, the research said. It is much slower, attacking only every two hours, and the source is hidden since the attacks are launched over the Tor network hidden behind the dark web.
Now that Geenens’ report on BrickerBot has had quite some attention, the researcher suggested that the author of the malware to come forward in some fashion, perhaps even anonymously, to “enjoy some of the acclaims.”
“A look of people [have expressed admiration on social media for] what he’s done, so he might come out … Or he might get scared [at all the attention he’s generating] and stop,” the researcher said.
Geenens added that there will be copycats, either way.