BrickerBot, Mirai and the IoT Malware Knife Fight
The IoT landscape is becoming a battleground for all manner of malware, with some variants fighting for control of infected devices and authors racing to get their creations onto as many devices as possible.
The OG of the IoT malware scene is Mirai, the famous worm that has been spreading to many kinds of devices since last year. A variety of attackers have used Mirai to form botnets both small and large made up of compromised devices such as DVRs and IP-enabled security cameras. Those botnets have been used in many DDoS attacks, some of which have caused serious problems, including an attack that took down a major DNS provider, setting off a chain reaction of outages across the Internet.
Recently, a newer variant known as Hajime has emerged, targeting some of the same devices that Mirai is going after, but with a different motive. The Hajime worm closes some of the ports that Mirai is known to use during infections, effectively sealing those devices off from further infection. Now, there’s yet another vigilante-style IoT worm that’s looking to make things more difficult for Mirai.
The BrickerBot malware has joined the fray and it is taking things a couple of steps further than Hajime. Rather than simply closing the ports used for infection, BrickerBot destroys the memory of the devices it infects, rendering them useless. There are several different versions of the BrickerBot malware, all of which follow a similar infection and memory corruption routine, and the goal of the malware’s creator appears to be preventing Mirai and other IoT malware from gaining new recruits for their botnets.
“Compared with the original BrickerBot.1, the sequence of commands is very similar. It does not start with fdisk – but goes straight to business. The first six block devices it tries to corrupt (up to and including /dev/ram0) correspond with the BrickerBot.1 attack. The devices mtd0,1 and mtdblock1,2,3 are new for the Busybox version of BrickerBot,” Pascal Geenens of Radware wrote in an analysis of the new version of BrickerBot.
One piece of malware fighting another for control of a given device is not a new phenomenon. There have been a number of other examples over the years, but they typically involve two or more strains trying to accomplish the same goal, such as stealing data or installing a backdoor for future use. The interesting thing about BrickerBot is that its author doesn’t seem to be interested in the devices themselves, but is focused on not letting Mirai or other rival malware strains get access to them.
The alleged creator of BrickerBot, who goes by the handle Janit0r, has said that he created the malware as a way to lock down vulnerable IoT devices and show manufacturers how lax their security is. That’s a much more extreme version of the old full disclosure philosophy that dictates publishing details about a security vulnerability in order to force a recalcitrant vendor into fixing it. While that tactic has proven useful over the years, compromising devices in order to secure them or make them invulnerable to further infections is taking things to a different level.
IoT security in general is lax, to put it politely. Security researchers have been warning manufacturers for years about the underlying weaknesses in their devices, with few notable successes. As more and more IoT devices come online, the attack surface will continue to grow unless some drastic changes are made, which seems unlikely, at least in the near term. It’s up to the hardware and software vendors to right the ship, but until that happens, we’re likely to see more malware like BrickerBot and Hajime and Mirai emerge to take advantage of the situation.