A New Malware Called Silex Targets IoT Devices
A hacker going by the name Light Leafon, who claims to be 14, is responsible for a new IoT worm called Silex, which targets any Unix-like system it can log into with default credentials. Upon gaining access, the malware lists all mounted storage and writes random data from /dev/random over it until it is full. It then removes the device's firewall rules, deletes its network configuration and triggers a reboot. The device is left unusable until someone goes through the complex process of downloading and reinstalling its firmware.
The worm has bricked at least 2,000 devices since its launch and is indiscriminate enough to wipe misconfigured GNU/Linux servers as well. At least some instances of the worm originate from novinvps.com, in Iran. Ankit Anubhav of NewSky Security told ZDNet that he had contacted the worm's author, "Light Leafon", who said he was 14 years old. Anubhav had previously been in contact with Leafon when he launched HITO, a precursor to Silex that attacked IoT devices last month. Anubhav calls Leafon "one of the most recognizable and talented players on the Internet of Things today".
The teenager says he plans to develop the malware further and add more destructive features. Plans include the ability to log into devices via SSH, in addition to the current Telnet hijacking capability. Light also plans to incorporate exploits into Silex, giving the malware the ability to break into devices through known vulnerabilities, much as most IoT botnets operate today.
“My friend Skiddy and I are going to rework the whole bot,” Light told us. “It is going to target every single publicly known exploit that Mirai or Qbot load.”
How it works
According to Larry Cashdollar, the Akamai researcher who discovered this malware, Silex wipes the IoT device's storage, removes its firewall rules, deletes its network configuration and halts the device.
The result is as destructive as physical damage, even though the device's circuitry is never actually harmed. To recover, the victim must manually reinstall the device firmware, a task too complicated for most device owners.
Some owners will abandon their device, assuming a hardware failure, unaware that they have been hit by malware.
“It’s using known default credentials for IoT devices to log in and kill the system,” Cashdollar told ZDNet in an email today. “It’s doing this by writing random data from /dev/random to any mounted storage it finds.
“I see in the binary it's calling fdisk -l, which will list all disk partitions,” Cashdollar added. “It then writes random data from /dev/random to any partitions it discovers.”
“It’s then deleting network configurations, […] also, it’s [running] rm -rf / which will delete anything it has missed.”
“It also flushes all iptables entries, adding one that DROPS all connections. Then halting or rebooting the device,” the researcher said.
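The sequence Cashdollar describes above (partition listing, /dev/random written over storage, rm -rf /, iptables flushed and replaced with a DROP rule, network configuration deleted, then a halt or reboot) is distinctive enough to be worth matching in Telnet honeypot or device shell logs. The following detector is an added example written for this page, not code from Akamai, ZDNet or the malware itself. The log line format, the source addresses and the exact shell spelling of each step are assumptions: the article describes what the binary does, not the command strings it sends, so the patterns here are one plausible rendering of that behaviour. It also demonstrates why a single indicator is not enough: an administrator running fdisk -l and reboot must not trip the same alarm.

```python
import re
from collections import defaultdict

# Indicator patterns for the destructive sequence described in the article.
# The shell spelling of each step is an assumption for this example; the
# article only describes the behaviour, not the malware's command strings.
INDICATORS = {
    "list_partitions": re.compile(r"\bfdisk\s+-l\b"),
    # dd if=/dev/random of=/dev/xxx  or  cat /dev/random > /dev/xxx
    "wipe_storage":    re.compile(r"/dev/u?random\b.*?(?:\bof=|>)\s*/dev/\w+"),
    # rm -rf / with nothing after the slash (rm -rf /tmp/x must not match)
    "delete_root":     re.compile(r"\brm\s+-rf\s+/(?:\s|$)"),
    "flush_firewall":  re.compile(r"\biptables\s+(?:-F|--flush)\b"),
    "drop_all":        re.compile(r"\biptables\b.*\s-j\s+DROP\b"),
    # deletion of network configuration; file names are an assumption
    "kill_netconfig":  re.compile(r"\brm\b.*?/etc/(?:network/|resolv\.conf|hostname)"),
    "power_cycle":     re.compile(r"\b(?:reboot|halt|poweroff)\b"),
}

# Indicators that are destructive on their own. Two of them in one session is
# called a wiper; fdisk -l or reboot alone is routine administration.
DESTRUCTIVE = {"wipe_storage", "delete_root", "kill_netconfig", "drop_all"}

# Constructed log format: "<timestamp> <source_ip> LOGIN|CMD <text>"
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<kind>LOGIN|CMD)\s+(?P<rest>.*)$")


def parse_sessions(log_text):
    """Group log lines by source IP into logins and executed commands."""
    sessions = defaultdict(lambda: {"logins": [], "cmds": []})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in another format rather than failing
        key = "logins" if m["kind"] == "LOGIN" else "cmds"
        sessions[m["src"]][key].append(m["rest"])
    return sessions


def classify_session(cmds):
    """Return (verdict, indicator names in order of first appearance)."""
    matched = []
    for cmd in cmds:
        for name, pat in INDICATORS.items():
            if name not in matched and pat.search(cmd):
                matched.append(name)
    destructive_hits = DESTRUCTIVE.intersection(matched)
    if len(destructive_hits) >= 2:
        return "wiper", matched
    if destructive_hits or "flush_firewall" in matched:
        return "suspicious", matched
    return "benign", matched


def scan_log(log_text):
    """Classify every source IP in the log: {src_ip: (verdict, indicators)}."""
    return {src: classify_session(s["cmds"]) for src, s in parse_sessions(log_text).items()}


# Constructed sample: one Silex-like session and one routine admin session.
# Addresses are documentation ranges; the credential pair is illustrative.
SAMPLE_LOG = """\
2019-06-25T14:02:11Z 203.0.113.7 LOGIN root/vizxv OK
2019-06-25T14:02:12Z 203.0.113.7 CMD fdisk -l
2019-06-25T14:02:13Z 203.0.113.7 CMD dd if=/dev/random of=/dev/mtdblock0 bs=1M
2019-06-25T14:02:40Z 203.0.113.7 CMD rm -rf /etc/network/interfaces /etc/resolv.conf
2019-06-25T14:02:41Z 203.0.113.7 CMD rm -rf /
2019-06-25T14:02:42Z 203.0.113.7 CMD iptables -F
2019-06-25T14:02:42Z 203.0.113.7 CMD iptables -A INPUT -j DROP
2019-06-25T14:02:43Z 203.0.113.7 CMD reboot
2019-06-25T15:10:02Z 198.51.100.20 LOGIN admin/********* OK
2019-06-25T15:10:05Z 198.51.100.20 CMD fdisk -l
2019-06-25T15:11:30Z 198.51.100.20 CMD reboot
"""

if __name__ == "__main__":
    for src, (verdict, hits) in scan_log(SAMPLE_LOG).items():
        print(f"{src}: {verdict} {hits}")
```

The first session matches all seven indicators and is reported as a wiper; the administrator's session matches only fdisk -l and reboot and stays benign. On a real honeypot the commands arrive as a Telnet session transcript rather than one command per line, so the only part that needs adapting is LINE_RE and parse_sessions; the indicator logic is independent of the log format.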
History of BrickerBot
The Silex malware is clearly inspired by the older BrickerBot strain, which was active between April and December 2017.
The author of BrickerBot, known as Janit0r, claimed to have permanently or temporarily destroyed more than ten million IoT devices.
Janit0r framed the attacks as a form of protest against the owners of smart devices that were constantly being infected with the Mirai DDoS malware at the time. The BrickerBot author argued that it was better for such a device to be bricked than to remain cannon fodder for DDoS botnets and keep attacking the Internet for years.
Janit0r's year-long campaign led several ISPs to secure their networks against multiple attack vectors, although BrickerBot's impact was never fully quantified.
Unlike Janit0r, Light Leafon has so far offered no excuse for his actions and has published no manifesto to justify them. As of now, it is not clear whether Silex is driven by malice or is simply meant to scare the IoT world.