By now you have probably heard about Brickerbot, Hajime, and the growing problem of Internet of Things (IoT) botnets. This round-up will provide you with a number of comprehensive resources to bring you up to speed.
BrickerBot uses a network of globally distributed devices that are passively detecting exploit attempts from devices infected with IoT bots such as Mirai and Hajime. BrickerBot reacts to an exploit attempt by scanning the source of the exploit for a set number of ports, trying to secure the device (assumption based on Janit0r statements) and if not able to, ultimately attempting to brick the device using exactly 90 brick sequences over the telnet session.
As long as IoT devices stay clean from any of the known IoT bots, there is no reason to fear the BrickerBot. While Hajime might have the best of intentions and is trying to proactively protect IoT devices from known malicious bots, it inadvertently will trigger the wrath of BrickerBot.
When BrickerBot was discovered, it was the first time we’ve seen a botnet that would destroy an IoT device, making it unusable. We’ve had cameras in the lab for our research on the Mirai botnet, so one was volunteered to be the guinea pig. Watching our beloved research lab’s IP-enabled camera turn into a useless paperweight was somewhat bittersweet. We knew BrickerBot v1 aimed to destroy insecure IoT gear, and this was validation. We had to either take it apart and solder a serial connection to it to re-flash it, or just spend the $60 on a new one to continue our IoT botnet research.
A glimpse into the future of IoT Botnets
On Oct 16th, Sam Edwards and Ioannis Profetis from Rapidity Networks published a report on a new malware they discovered and named “Hajime.” The report came in the aftermath of the release of the Mirai source code and Mirai’s attacks on Krebs and OVH. Before Hajime was able to make headlines, Mirai was attributed to the attacks that took down Dyn on Oct 21st and lead to a large array of Fortune 500 companies such as Amazon, Netflix, Twitter, CNN, and Spotify being unreachable most of that day. Hajime evaded the attention but kept growing steadily and breeding in silence.
In early April, we identified a new botnet designed to comprise IoT devices and corrupt their storage. Over a four-day period, our honeypots recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage. Besides this intense, short-lived bot (BrickerBot.1), our honeypots recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart –with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.
Over the course of the last week, you have probably heard about the attacks designed to render Internet of Things (IoT) devices across the internet useless. We called the originator of the attacks “Brickerbot,” but should we have called it the “Batman of IoT”?