BrickerBot malware kills open IoT devices

"Phlashing" causes permanent denial of service.

A new strain of malware is infecting and permanently damaging unsecured internet of things devices instead of enrolling them in distributed denial of service networks, researchers have found.

Two variants of the so-called BrickerBot malware have been spotted by security vendor Radware since March 20 attempting to perform phlashing, or permanent denial of service (PDoS) attacks, against IoT devices.

The security vendor said its honeypot recorded 1895 PDoS attempts by the first BrickerBot variant and 333 by the second. In both cases, the BrickerBots hide their network origin by using The Onion Router (TOR) egress nodes.

BrickerBot utilises the same exploit vector as the damaging Mirai worm. It attempts to access systems through the telnet remote access port, trying to guess the device administration credentials to log into it.

If BrickerBot succeeds, it issues a series of Linux shell commands to permanently damage the storage of the IoT device, Radware said.

The storage corruption is followed by further commands to disrupt the internet connection for the device, degrade its performance and ultimately wipe all data on it, rendering it unusable.

Radware said the first version of BrickerBot is no longer performing PDoS attacks, but the second variant is still active and better concealed through TOR egress nodes.

The security vendor did not say who it suspects is behind the worm or why it seeks to brick devices.

Radware advised customers with IoT devices to change the default credentials and disable telnet access.

The malware could be the work of a vigilante coder, seeking to close IoT devices used in denial of service attacks.

In 2003, the Welchia/Nachi worm spread throughout the world, attacking computers through a vulnerability in the Windows remote procedure call service. 

Welchia/Nachi searched for and deleted the Blaster worm, which also spread via the RPC vulnerability, and would delete itself after 120 days of processing, or on January 1 2004, whichever came first.

This resulted in it being seen as a friendly or vigilante worm among some observers, but security vendors slammed Welchia/Nachi as a serious threat to enterprises.
