Pierluigi Paganini April 08, 2017

Security researchers have spotted a new threat dubbed Brickerbot botnet that causes permanent damage to Internet of Things (IoT) devices.

Months ago we anticipated the possible spike in the number of IoT botnets, at the beginning it was Mirai, but later other dangerous thingbot appeared in the wild such as the Leet Botnet and the Amnesia botnet.

Now a new botnet, dubbed Brickerbot, appeared in the threat landscape, it was spotted by researchers at Radware that have found many similarities with the dreaded Mirai botnet.

The main difference with Mirai botnet is that this threat permanently destroys poorly configured IoT devices.
The Brickerbot botnet was discovered on March 20 when researchers at Radware observed attacks against one of its honeypots.

“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage.”reads the analysis shared by Radware. “Besides this intense, short-lived bot (BrickerBot.1), Radware’s honeypot recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart –with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.”

The honeypot logged 1,895 infection attempts by Brickerbot botnet in just four days, most of the attacks were originated from Argentina, while 333 attempts came from a Tor node.

The Brickerbot botnet leverages on Telnet brute force to compromise an IoT device, a technique like the Mirai’s one.

The Bricker does not try to download a binary, this means that experts from Radware were not able to retrieve the complete list of credentials used by the bot brute force attempts, the researchers were only able to record that the first attempted username/password pair was ‘root’/’vizxv.’

“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/’vizxv.'” continues the advisory.

The malicious code targets Linux-based IoT devices running the BusyBox toolkit which have their Telnet port open and exposed on the Internet.

The PDoS attempt attacks s originated from a limited number of IP addresses, the IoT devices are exposing the port 22 (SSH) and running an older version of the Dropbear SSH server. The vast majority of the devices was identified by Shodan as Ubiquiti network devices.

Once the malware has infected the device it starts scrambling the onboard memory using rm -rf /* and disabling TCP timestamps. It also limits the max number of kernel threads to one.

Brickerbot malware also flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. It tries to wipe all code on the vulnerable IoT making them unusable.

Experts at Radware provided the following suggestions to protect IoT Devices:

• Change the device’s factory default credentials.
• Disable Telnet access to the device.
• Network Behavioral Analysis can detect anomalies in traffic and combine with automatic signature generation for protection.
• User/Entity behavioral analysis (UEBA) to spot granular anomalies in traffic early.
• An IPS should block Telnet default credentials or reset telnet connections. Use a signature to detect the provided command sequences.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Brickerbot botnet, IoT)