New Silex malware bricks 2000 plus IoT devices
Published: 03:09 PM, 27 June 2019 Updated: 04:21 PM, 27 June 2019
A new strain of malware has been discovered that attacks the firmware of IoT devices. It is reminiscent of the old BrickerBot malware, which destroyed millions of devices back in 2017.
The malware, named Silex, began operating on June 25 and had bricked around 350 devices when the investigation began. Within an hour, the count had spiked to 2,000 wiped devices.
How Silex malware works
According to Akamai researcher Larry Cashdollar, who first spotted the malware on June 25, Silex works by trashing an IoT device’s storage, dropping its firewall rules, removing the network configuration, and then halting the device.
It is about as destructive as an attack can get without actually frying the IoT device’s circuits. To recover, victims must manually reinstall the device’s firmware, a task that is beyond most device owners.
“It’s using known default credentials for IoT devices to log in and kill the system,” said Cashdollar. “It’s doing this by writing random data from /dev/random to any mounted storage it finds.”
He also said, “I see in the binary it’s calling fdisk -l which will list all disk partitions and ‘writes random data from /dev/random to any partitions it discovers’.”
“It’s then deleting network configurations and it’s [running] rm -rf / which will delete anything it has missed,” he added.
“It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device,” the Akamai researcher said.
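As an added example (not code from the article, from Akamai, or from the malware’s author), the following Python script turns the behaviour Cashdollar describes into a detection check: it scans command-audit records for the stages of the wipe (partition enumeration with fdisk -l, overwriting storage from /dev/random, rm -rf /, flushing iptables and installing a DROP rule, halting) and rates each source session. The audit-line format, the IP addresses, the timestamps and the sample commands are all constructed for this example; in practice the records would come from auditd, a forwarded shell history, or a honeypot like the one that caught Silex.

```python
"""Flag a Silex-style wipe sequence in command-audit records.

Added example, not the article's or Akamai's code.  The indicator commands
are the ones the article quotes; the record format 'timestamp source user
command' is a constructed simplification, not any real product's format.
"""
import re
from collections import OrderedDict

# One regex per stage of the wipe the article describes.  Matching is done
# against the command text only; labels are this example's own names.
SILEX_STAGES = OrderedDict([
    ("enumerate_partitions", re.compile(r"\bfdisk\s+-l\b")),
    ("overwrite_storage",    re.compile(r"/dev/u?random\b.*?/dev/(?:sd|hd|vd|mmcblk|mtd)\w*")),
    ("delete_filesystem",    re.compile(r"\brm\s+-rf\s+/(?:\s|$)")),
    ("flush_firewall",       re.compile(r"\biptables\s+(?:-F|--flush)\b")),
    ("drop_all_traffic",     re.compile(r"\biptables\s+-P\s+INPUT\s+DROP\b")),
    ("halt_device",          re.compile(r"^(?:halt|reboot|poweroff)\b")),
])

# Stages that destroy data on their own.  One of these plus any other stage
# is treated as a wipe; routine admin work (fdisk -l, iptables -L) is not.
DESTRUCTIVE = {"overwrite_storage", "delete_filesystem"}

# Constructed sample: one admin session and one attacker session.
SAMPLE_LOG = """\
2019-06-25T09:58:01 192.0.2.10 admin fdisk -l
2019-06-25T09:58:20 192.0.2.10 admin iptables -L -n
2019-06-25T09:59:02 192.0.2.10 admin rm -rf /tmp/build
2019-06-25T10:02:11 198.51.100.7 root fdisk -l
2019-06-25T10:02:12 198.51.100.7 root dd if=/dev/random of=/dev/mmcblk0
2019-06-25T10:02:40 198.51.100.7 root rm -rf /etc/network
2019-06-25T10:02:41 198.51.100.7 root rm -rf /
2019-06-25T10:02:42 198.51.100.7 root iptables -F
2019-06-25T10:02:42 198.51.100.7 root iptables -P INPUT DROP
2019-06-25T10:02:43 198.51.100.7 root halt
"""


def parse_record(line):
    """Split one audit line into its fields; return None if malformed."""
    parts = line.strip().split(maxsplit=3)
    if len(parts) != 4:
        return None
    ts, source, user, command = parts
    return {"ts": ts, "source": source, "user": user, "command": command}


def classify_sessions(lines):
    """Group records by source address and rate each session.

    Returns {source: {"stages": [labels in order seen], "verdict": str}}
    where verdict is "wiper_sequence", "suspicious" or "routine".
    """
    sessions = OrderedDict()
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        stages = sessions.setdefault(rec["source"], [])
        for label, pattern in SILEX_STAGES.items():
            if label not in stages and pattern.search(rec["command"]):
                stages.append(label)

    result = OrderedDict()
    for source, stages in sessions.items():
        hit = set(stages)
        if hit & DESTRUCTIVE and len(hit) >= 2:
            verdict = "wiper_sequence"
        elif hit & DESTRUCTIVE or len(hit) >= 3:
            verdict = "suspicious"
        else:
            verdict = "routine"
        result[source] = {"stages": stages, "verdict": verdict}
    return result


def analyze_sample():
    """Run the classifier over the constructed sample log."""
    return classify_sessions(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for source, info in analyze_sample().items():
        print(f"{source}: {info['verdict']} ({', '.join(info['stages'])})")
```

The verdict thresholds are deliberately simple: a lone fdisk -l or iptables -F is everyday administration, so only a destructive stage combined with another indicator is reported as a wipe, and a single destructive command is surfaced as suspicious for a human to look at.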
Attacks mainly carried out from Iranian server
“It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran,” Cashdollar said of the source of these attacks.
“It’s targeting any Unix-like system with default login credentials,” he said. “The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix-like OS.”
This means Silex will trash mainly Linux servers if they have Telnet ports open and if they’re secured with poor or widely-used credentials.
Who’s behind Silex Malware?
With the help of Newsky Security researcher Ankit Anubhav, ZDNet reached out to the Silex malware author with a series of questions about the motives and grand master plan behind the malware.
According to Anubhav, a 14-year-old teenager going online by the pseudonym of Light Leafon is responsible for the destructive malware.
He confirmed the hacker’s identity by having him put a custom message on the Silex command and control (C&C) server, verifying that he is the actual Silex operator.
Light Leafon had created the HITO IoT botnet and had been interviewed by Anubhav a month earlier on an episode of his podcast on IoT botnets and security.
“The project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex,” Light Leafon said.
The teenager said he plans to develop the malware further and add even more destructive functions.
Attacks are still going on, according to the malware’s creator: “They are about to intensify in the coming days.”
He plans to add the ability to log into devices via SSH, in addition to the current Telnet hijacking capability. Further, Light also plans to incorporate exploits into Silex, giving the malware the ability to use vulnerabilities to break into devices.
Legacy of BrickerBot
The Silex malware is obviously inspired by the old BrickerBot strain, which was active between April and December 2017.
The BrickerBot author, known by the pseudonym Janit0r, claimed he permanently or temporarily destroyed over ten million IoT devices.
Janit0r framed the attacks as a form of protest against owners of smart devices that were constantly getting infected with the Mirai DDoS malware.
The BrickerBot author argued that it would be better if the devices were destroyed than left sitting around as cannon fodder for DDoS botnets, haunting the internet for years.
Janit0r’s year-long bricking campaign got some internet service providers to secure their networks against some attack vectors, although BrickerBot’s impact could never be fully quantified.
Unlike Janit0r, Light has so far offered no motive for his actions. He did not put out a manifesto to justify them, as Janit0r did after the BrickerBot attacks began.
As of now, all of the Silex attacks appear to have been carried out as a joke, or out of malice.
The bad news for Light is that, unlike the BrickerBot author, who left a minimal trail of footprints that authorities could follow, Light may have made several OpSec mistakes along the way that could end up costing him in the long run.