Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

IoT malware starts showing destructive behavior

Lucian Constantin | April 10, 2017
Researchers have observed attacks against IoT devices that wipe data from infected systems.

IoT malware starts wiping data from infected devices.

Hackers have started adding data-wiping routines to malware that's designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.

Researchers from Palo Alto Networks found a new malware program dubbed Amnesia that infects digital video recorders through a year-old vulnerability. Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it's running inside a virtualized environment.

The malware performs some checks to determine whether the Linux environment it's running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots.

Virtual machine detection has existed in Windows malware programs for years, but this is the first time when this feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine it will attempt to wipe critical directories from the file system using the Linux "rm -rf" shell command in order to destroy any evidence they might have collected.

Meanwhile, researchers from security services provider Radware discovered a different malware attack, aimed at IoT devices, that they've dubbed BrickerBot. This attack is launched from compromised routers and wireless access points against other Linux-based embedded devices.

The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device's mounted partitions. It also attempts to kill the internet connection and render the device unusable.

While some devices might survive the attack because they use read-only partitions, many won't and will need a firmware reflash. Also, any configurations will likely be lost and, in the case of routers with USB ports or network attached storage devices, data from external hard drives might also be wiped.

In fact, one of the BrickerBot attack variations is not even limited to embedded and IoT devices and will work on any Linux-based system that is accessible over Telnet, if it has weak or default credentials.

It's not clear what is the goal behind the BrickerBot attacks. The malware's creator might be someone who wants to disable vulnerable devices on the Internet so they cannot be infected and abused by other hackers.

Some of the largest distributed denial-of-service (DDoS) attacks observed over the past year have originated from botnets made up of hacked IoT devices, so the intention might be to force users to take action and fix or replace their vulnerable devices.

 

1  2  Next Page 

Sign up for CIO Asia eNewsletters.