Alexa New Silex malware bricks 2000 plus IoT devices

Dhaka, Wednesday   26 February 2020


New Silex malware bricks 2000 plus IoT devices

 Science & IT Desk

 Published: 03:09 PM, 27 June 2019   Updated: 04:21 PM, 27 June 2019

Representational Photo

Representational Photo

A new strain of malware is discovered which attacks the firmware of IoT devices. The reminiscent of the old BrickerBot malware also destroyed millions of devices back in 2017. 

The malware named Silex, that began operating on June 25 and had bricked around 350 devices when the investigation began. And within 1 hour, the malware quickly spiked to 2,000 wiped devices 

How Silex malware works 

According to Akamai researcher Larry Cashdollar, who first spotted the malware on June 25, Silex works by trashing an IoT device’s storage- dropping its firewall rules, removing the network configuration, and then halting the device.

It’s so much destructive as it can get without actually frying the IoT device circuits. To recover, victims must manually reinstall the device’s firmware, a task which is complicated for the majority of device owners.

“It’s using known default credentials for IoT devices to log in and kill the system,” said Cashdollar. “It’s doing this by writing random data from /dev/random to any mounted storage it finds.”

He also said, “I see in the binary it’s calling fdisk-l which will list all disk partitions and ‘writes random data from /dev/random to any partitions it discovers’.”

“It’s then deleting network configurations and It’s [running] rm-rf / which will delete anything it has missed,” he added. 

“It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device,” the Akamai researcher said.

Attacks mainly carried out from Iranian server

“It appears the IP address that targeted my honeypot is hosted on a VPS server owned by, which is operated out of Iran,” Cashdollar informed the source of these attacks.

“It’s targeting any Unix-like system with default login credentials,” according to him and said, “The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS.”

This means Silex will trash mainly Linux servers if they have Telnet ports open and if they’re secured with poor or widely-used credentials.

Who’s behind Silex Malware? 

With the help of Newsky  Security researcher Ankit Anubhav, ZDNet reached out to the Silex malware author with a series of questions about the motives and grand master plan behind the malware. 

According to Anubhav, a 14-year-old teenager going online by the pseudonym of Light Leafon is responsible for the destructive malware. 

He confirmed the hacker’s identity by having him put a custom message on the Silex command and control (C&C) server, verifying the actual Silex operator.  

Light Leafon had created the HITO IoT botnet and had been interviewed by Anubhav, a month ago on an episode of his podcast on IoT botnets and security. 

“The project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex,” Light Leafon said. 

The teenager said he plans to develop the malware further and add even more destructive functions.

Attacks are still going on, according to malware’s creator, “They are about the intensify in the coming days.”  

There are plans such as adding the ability to log into devices via SSH, besides the current Telnet hijacking capability. Further, Light also plans to incorporate exploits into Silex, giving the malware the ability to use vulnerabilities to break into any devices. 

Legacy of BrickerBot 

The Silex malware is obviously inspired by the old BrickerBot strain, which was active between April and December 2017. 

The BrickerBot author, known as the pseudonym of the Janit0r, claimed he permanently or temporarily destroyed over ten million IoT devices. 

Janit0r motivated the attacks as a form of protest against owners of smart devices that were constantly getting infected with the Mirai DDoS malware.

The BrickerBot author argued that it would be better if the devices were destroyed, rather than sit around as cannon fodder for DDoS botnets, and haunting the internet for years. 

The Janit0r’s year-long bricking got some internet service providers to secure their networks against some attack vectors, albeit BrickerBot’s impact could never be fully quantified. 

But unlike the Janit0r, Light did not offer any motive for his actions, as of now. He didn’t put out a manifesto like the Janit0r did after BrickerBot attacks began, to justify any of his actions.

As of now, all of the Silex attacks appear to have been carried out as a joke, or out of malice. 

But there is bad news for Light is that unlike the BrickerBot author, who left a minimal trail of footprints that authorities could follow, Light might have made several OpSec mistakes along the way that may end up costing him in the long run.