BrickerBot Malware Destroys IoT devices Instead of Recruiting Them

  • 11 May 2017
  • Cas Proffitt

BrickerBot is an aptly named IoT malware program–it quite literally “bricks” any affected IoT device. BrickerBot follows a similar attack vector to the Mirai malware that we have mentioned previously, invasion via Telnet brute force. No, BrickerBot will not recruit IoT devices into a super secret club for attacking other devices around the world, it just shuts them down permanently, an attack known as PDoS or Permanent Denial of Service.


How was it found?

BrickerBot was first reported in a post on the RadWare Security blog. RadWare found the virus through the use of their honeypot devices, which they use to lure in and examine new forms of malicious code. When it was found, RadWare reported seeing two parallel waves of attack.


The first wave shut down internet traffic, shut down TCP/IP timestamping, limited the maximum number of active kernel threads to one, and cleared all of the files from the device.After all of those things were done, it issued an order to drop all outgoing packets, and then rebooted the device. The TOR Network was not used to conceal the location of these malware attacks.


The second wave behaved very similarly to the first, except it attacked from the TOR network and had additional code to remove all ip routing tables, NAT and firewall rules. In total, RadWare received 1,895 PDoS attempts from the two strains of BrickerBot malware.

What devices are targeted?

BrickerBot malware targets IoT-enabled devices that run on the open-source Linux version BusyBot. By seeking out devices running specific versions of BusyBot with Telnet port 22 open to the public, BrickerBot identifies targets it can penetrate through a brute force attack, and then it infiltrates them on the administrator level.


How does it work?

BrickerBot attempts to access Telnet remote access port 22 and force its way inside the device with a dictionary of known factory passwords. After breaking into the remote access port with administrator credentials, BrickerBot proceeds to clear ip routing tables, cripple flash memory and other firmware, limit the maximum number of parallel kernel strings to 1, and send a command to drop all outgoing packets.


BrickerBot can effectively render a device permanently unusable. It is currently unknown if BrickerBot has attacked and destroyed significant numbers of IoT devices, as it only targeted webcams in RadWare honeypot devices. The first strain of BricketBot malware has ceased attacking and the second attacks much more slowly, with anonymity.


How do you stop it from attacking your devices?

BrickerBot does nasty things to Linux-based IoT devices, but how do you protect yourself? The simplest answer, for general users is to change the password on every IoT device you get before doing much of anything with it. By changing the default password, users make it nearly impossible for BrickerBot to operate by blocking its access to the device.


Changing the password is the easiest way to block BrickerBot, but turning off Telnet remote access to the device will make it impossible for BrickerBot to access the device as it stands currently. Telnet port 22 is the primary access method at this time.


BrickerBot malware allows the creator(s) to cripple devices that would be vulnerable to Mirai Botnet malware. It is currently under speculation whether or not BrickerBot was created to combat Mirai software for white or grey-heat purposes, or if it was a malicious hacker turned rogue, trying to destroy the Mirai network.

About Cas Proffitt

Cas is a B2B Content Marketer and Brand Consultant who specializes in disruptive technology. She covers topics like artificial intelligence, augmented and virtual reality, blockchain, and big data, to name a few. Cas is also co-owner of an esports organization and spends much of her time teaching gamers how to make a living doing what they love while bringing positivity to the gaming community.