A new form of attack code has come to town and it uses techniques similar to Mirai to permanently scramble Internet of Things devices.
On March 20 researchers at security shop Radware spotted the malware, dubbed Brickerbot, cropping up in honeypots it sets up across the web to lure interesting samples. In the space of four days, one honeypot logged 1,895 infection attempts by Brickbot, with the majority of attacks coming from Argentina, and a second logged 333 attempts – untraceable as they came from a Tor node.
"The Bricker Bot attack used Telnet brute force – the same exploit vector used by Mirai – to breach a victim's devices," Radware's advisory states.
"Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently 'root'/'vizxv.'"
The malware targets Linux-based IoT devices running the BusyBox toolkit, and seems to have a particular affinity for Ubiquiti network devices, which have their own security issues. Once inside the operating system, the code starts to scramble the onboard memory using rm -rf /* and disabling TCP timestamps, as well as limiting the max number of kernel threads to one.
Brickerbot then flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. Finally it tries to wipe all code on the affected devices and render them useless – a permanent denial of service.
To block the attack, the key factor is disabling Telnet and changing the device's factory-set passwords. Radware also recommends using intrusion prevention systems to lock down devices