A new piece of malware that is using default credentials to log into IoT devices and then erase their file systems and shut them down is on the move, but it may not end up having the reach that it’s alleged creator intended.
The malware is called Silexbot and a researcher at Akamai discovered it this week when he saw the binary on a honeypot and noticed some oddities in the code. The first thing Larry Cashdollar, a senior security researcher at Akamai, saw was a string that was a comment from the malware’s creator, saying that Silexbot was designed as a response to all of the low-level attackers who are building botnets of compromised IoT devices using publicly available malware samples. Silexbot is particularly vicious in the way that it goes after embedded devices, taking several steps to ensure that once the device is compromised, it is rendered useless.
The malware uses known, default credentials for various devices to log in to them over Telnet and then essentially destroys the device’s firmware. It first uses a command to list all of the device’s partitions and then writes random data into all of those partitions. Silexbot then removes all of the device’s network configurations and adds a firewall rule that will drop all packets going into or out of the device. It then stops the device and reboots it.
Cashdollar said the binary he recovered from his honeypot is an ARM binary and that the malware is targeting any device that looks like a Unix or Linux device. Cashdollar’s honeypot device emulates a DVR and he said he first noticed the Silexbot malware when he rebooted the honeypot after moving it to a new piece of hardware recently. What he saw when he turned the honeypot back on was the message from the Silexbot author. The message said the author was sorry for what he was doing but it had to be done to stop script kiddies from building IoT botnets.
“I’m not sure they realized some of the collateral damage that could be there. Something motivated this kid to destroy these devices.”
The Silexbot author has been identified as a 14-year-old boy and the message in the code certainly reads like a ninth-grade English teacher’s nightmare.
“I am only here to prevent skids to flex their skidded botnet I am sorry for your device but it has to be done because all the skids claiming and thinking they are some god coder + people selling spots on botnets I am getting sick of it so yeah sorry,” the message in the Silexbot code says.
IoT botnets have been a real threat for several years, most notably in the form of Mirai, which became an enormous network of infected IP cameras, DVRs, and other devices. Mirai was used in several large DDoS attacks, including one that targeted Dyn, a DNS provider in New Hampshire. That attack in October 2016 had a cascading effect that resulted in some of the most popular sites on the Internet being knocked offline, including Amazon, Twitter, the New York Times, and Spotify. Mirai was actually several smaller botnets controlled by various groups at various times, and some of the controllers would rent out access to their botnets. That’s a common occurrence in the DDoS world, with botnet controllers looking for any way to make money from their networks of compromised devices.
The Silexbot author doesn’t appear to support this particular business model. Cashdollar said the author contacted him on Twitter and expressed some remorse for his actions.
“They tracked me down on Twitter and said they didn’t realize it was going to get this much attention and that they were worried they were going to get in trouble,” Cashdollar said. “I’m not sure they realized some of the collateral damage that could be there. Something motivated this kid to destroy these devices.”
The IP address from which the Silexbot malware was delivered to Cashdollar's honeypot was on a virtual private server in Iran, but that's not necessarily a clear indication of where the creator is.