Silex malware bricks thousands of IoT devices in a few hours

Security experts warn of a new piece of the Silex malware that is bricking thousands of IoT devices, and the situation could rapidly go worse.

Akamai researcher Larry Cashdollar discovered a new piece of the Silex malware that is bricking thousands of IoT devices, over 2,000 devices have been bricked in a few hours and the expert is continuing to see new infections.

Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipe network configurations before halting the system.

The only way to recover infected devices is to manually reinstall the device’s firmware.

Silex is not the first IoT malware with this behavior, back in 2017 BrickerBot bricked millions of devices worldwide.

According to ZDnet that interviewed the malware’s creator, the attacks are about to intensify in the coming days.

“The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDnet.

“Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.”

The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices.

Anubhav believes that the Silex malware was developed by a teenager using the online moniker of Light Leafon. The same guy has also created the ITO IoT botnet,

According to Cashdollar, the Silex malware uses a list of known default credentials for IoT devices in the attempt to log in and perform malicious actions. The malware writes random data from /dev/random to any mounted storage it finds.

“I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet. “It then writes random data from /dev/random to any partitions it discovers.”

The malware also deletes network settings and any other data on the device, then it flushes all iptables entries before halting or rebooting the device.

The IoT malware is targeting any Unix-like system with default login credentials, according to Cashdollar it leverages a Bash shell version to target any architecture running a Unix like OS.

The malware could brick Linux servers having Telnet ports open that use known credentials.

The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.

According to Ankit Anubha who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, add exploits into Silex).

At the time it is not clear the Light’s motivation for these attacks, let’s hope he will use his talent for legal and good projects.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Silex malware, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]