BrickerBot Malware ‘Disables Two Million Devices’

A malware family first identified late last month has already rendered millions of Internet-connected devices useless, according to its author.

The BrickerBot malware is aimed at disabling devices that are vulnerable to infection by botnets such as Mirai, which draws on their computing power to launch denial-of-service attacks.

Devices ‘bricked’

Like Mirai, BrickerBot attacks devices such as routers and security cameras that run a stripped-down set of Unix tools called BusyBox, have a telnet-based interface exposed to the public Internet, and use factory-default security credentials.

Researchers say BrickerBot overwrites vulnerable devices’ memory with random data in such a way that in some cases they can’t be recovered even via a factory reset.

But the malware doesn’t merely seek to destroy such devices, according to an individual confirmed by security researcher Victor Gevers as BrickerBot’s author.

BrickerBot first attempts to secure devices without damaging them, said the individual, known only by the pseudonym “Janit0r” used in a few posts on the notorious Hack Forums website.

“The bricking behavior is a ‘plan B’… for units which are unlikely to be securable,” Janit0r told technology news website Bleeping Computer.

Two million disabled

The BrickerBot family had disabled about 200,000 devices as of January, rising to more than 2 million in late April, Janit0r said.

“Now when the count is over two million it’s clear that I had no idea (and still have no idea) how deep the rabbit hole of IoT insecurity is,” the hacker wrote. “I’m certain that the worst is still ahead of us.”

Janit0r said the code, like the Hajime malware family that surfaced last October, is intended as a kind of “chemotherapy” to help manage the immediate threat posed by vulnerable Internet-connected devices.

“I hope the unconventional actions by ‘BrickerBot’ have helped in buying another year of time for governments, vendors and the industry in general to get the current IoT security nightmare under control,” Janit0r wrote.

Security firm Radware said it has come across four BrickerBot variants to date, noting that the malware appears to be launched from a Mirai-like botnet of its own, but one with only a “limited number” of IP addresses.

‘Clear and present danger’

The firm said it couldn’t verify Janit0r’s claims of the number of devices affected so far, but said the attacks appear likely to continue for the time being.

“BrickerBot.3 poses a clear and present danger for any IoT device with factory default credentials,” Radware said in an advisory.

The company said users of vulnerable devices should change their factory-default login credentials and disable telnet access.

An earlier Radware alert on BrickerBot spurred similar advice in an advisory earlier this month from the US Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).
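One way to confirm on the device itself that telnet is no longer listening, shown here as an added example that is not from Radware, ICS-CERT or this article: it reads the Linux `/proc/net/tcp` socket table, which helps on BusyBox builds that ship without `netstat`. The function names `telnet_listeners` and `sample_table` are hypothetical, the sample table is constructed, and the script assumes a Linux-based device with `awk` available.

```shell
#!/bin/sh
# Added example: list sockets in LISTEN state on a given TCP port by parsing
# /proc/net/tcp-format tables (addresses and ports are hexadecimal).

# usage: telnet_listeners PORT [FILE...]   (reads stdin when no FILE is given)
# Prints "<scope> <hex-address>" for every listener bound to PORT.
telnet_listeners() {
    port_hex=$(printf '%04X' "$1")
    shift
    awk -v want="$port_hex" '
        FNR == 1 { next }                      # skip the column header
        $4 == "0A" {                           # 0A = TCP_LISTEN
            split($2, a, ":")                  # local_address is ADDR:PORT
            if (toupper(a[2]) != want) next
            addr = toupper(a[1])
            if (addr ~ /^0+$/)
                scope = "all-interfaces"       # 0.0.0.0 or ::, reachable remotely
            else if (addr == "0100007F" || addr == "7F000001")
                scope = "loopback"             # 127.0.0.1, either byte order
            else
                scope = "other"                # a specific address (or IPv6 loopback)
            print scope, addr
        }' "$@"
}

# Constructed sample in /proc/net/tcp layout: a telnet listener on all
# interfaces, a DNS listener on loopback, and one established telnet session.
sample_table() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0035 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1 0000000000000000 100 0 0 10 0
   2: 0A00A8C0:0017 0500A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1203 1 0000000000000000 100 0 0 10 0
EOF
}

# Demo on the constructed sample. On a real device run instead:
#   telnet_listeners 23 /proc/net/tcp /proc/net/tcp6
sample_table | telnet_listeners 23
```

No output for port 23 means nothing is accepting telnet connections; an `all-interfaces` line means the service is still reachable from the network.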


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
