A new form of malicious code that targets Internet of Things devices with a Permanent Denial-of-Service attack may be more harmful than the infamous Mirai botnet.
First discovered by security company Radware Ltd., the PDoS attack bot, dubbed “BrickerBot,” scans the Internet for Linux-based routers, bridges and similar devices. When it finds a compatible device, one using the common BusyBox toolkit with default passwords in place, it launches a brute-force attack via open Telnet ports.
The brute-force attack is the same infection path used by Mirai, but that’s where the similarities end. BrickerBot doesn’t attempt to hijack the device to spread itself further. Instead, it runs a series of highly debilitating commands that wipe all the files stored on the device, corrupt the device’s storage and kill its Internet connection, quite literally “bricking” the device.
In the space of four days, Radware detected 1,895 infection attempts from BrickerBot on the first honeypot it set up and then 333 attempts on a second honeypot. In the first case, all the attacks came from IP addresses in Argentina, while in the second the attacks came from an anonymous Tor node, making them untraceable.
“When I discovered the first BrickerBot, I thought it was a drastic attempt to stop the IoT Botnet DDoS threat,” Radware researcher Pascal Geenens told Ars Technica. “I thought this was a competitor hacker who wanted to take out his competition and get access to the list of IP [addresses] of bots that were in the competitor’s botnet. But upon discovery of the second BrickerBot this theory changed … What motivates people to randomly destroy things? Anger, maybe? A troll, maybe?”
To block a potential BrickerBot attack, Radware recommends that device owners disable Telnet, change default factory passwords and implement security tools such as intrusion prevention systems that can lock down devices should they be targeted.
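As an added illustration (not code from Radware or the original article), the sketch below shows the kind of check an intrusion prevention system can apply to the Telnet brute-force pattern described above: it counts failed logins per source address in a sliding window and notes whether a login later succeeded. The log format, field names, threshold, window and addresses are all constructed for this example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical Telnet honeypot log format.
SAMPLE_LOG = """\
2017-04-06T10:00:01 telnetd src=203.0.113.7 user=root result=fail
2017-04-06T10:00:03 telnetd src=203.0.113.7 user=admin result=fail
2017-04-06T10:00:04 telnetd src=198.51.100.20 user=operator result=fail
2017-04-06T10:00:05 telnetd src=203.0.113.7 user=root result=fail
garbled line that does not match
2017-04-06T10:00:06 telnetd src=203.0.113.7 user=support result=fail
2017-04-06T10:00:08 telnetd src=203.0.113.7 user=root result=ok
2017-04-06T10:09:00 telnetd src=198.51.100.20 user=operator result=fail
2017-04-06T10:18:00 telnetd src=198.51.100.20 user=operator result=fail
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnetd src=(?P<src>\S+) user=(?P<user>\S+) "
    r"result=(?P<result>fail|ok)$"
)

def detect_bruteforce(log_text, threshold=4, window=timedelta(seconds=60)):
    """Return {src: alert} for sources with >= threshold failures in window."""
    recent = defaultdict(deque)  # src -> timestamps of failures still in window
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip unparseable lines instead of aborting the scan
        ts = datetime.fromisoformat(m["ts"])
        src = m["src"]
        if m["result"] == "fail":
            q = recent[src]
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()  # drop failures that aged out of the window
            if len(q) >= threshold and src not in alerts:
                alerts[src] = {"first_alert": ts, "login_after_alert": False}
        elif src in alerts:
            # A success after a failure burst means a credential was guessed:
            # the device should be isolated, not just the source blocked.
            alerts[src]["login_after_alert"] = True
    return alerts

if __name__ == "__main__":
    for src, info in detect_bruteforce(SAMPLE_LOG).items():
        print(src, info)
```

The slow source (one failure every nine minutes) stays below the threshold, which is why rate-based blocking complements, rather than replaces, disabling Telnet and changing default passwords.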