Page 83 - Cyber Warnings August 2017

PERMANENT REMEDIATION:  BRICKERBOT

by Charles Parker, II; Cybersecurity Lab Engineer

Malware over the last few years has followed a rather predictable pattern of attack: compromise the system, then offer the user the opportunity to pay a fee for the key to decrypt their files. A novel iteration of this has instead set out to fix a problem plaguing the internet: insecure IoT devices.

These devices have been a direct detriment, manifested in the form of increasingly large DDoS attacks that have taken down industry commentators, ISPs, and too many others. The threat continued to grow as more insecure IoT devices were placed in service by consumers and others.

At some point the industry began to grow weary of this self-imposed vulnerability, and a critical mass was reached. One programmer became utterly tired of the attacks and the constant apathy. The “malware” author thought the industry would have done something to fix this - a new standard, a mandate, or something along these lines. The industry and its leading forces did not, and the nefarious activities continued uninterrupted. The increasing size and effect of the attacks were becoming disruptive.

To remediate the issue, as no one else was actively pursuing it, Brickerbot was coded and released into the wild by TheJanit0r. It has been very active in the environment. Over a four-day span, a vendor’s honeypot detected 1,895 PDoS (permanent denial of service) attempts, originating from across the globe. TheJanit0r, anticipating that the first iteration might not remain effective, or wanting to test a new version, created a second iteration. It was detected on the same day, within an hour of the first version. A third iteration was created that was markedly different from the first two: it attacked a larger number of devices in a much quicker fashion, the script and methodology having been adjusted to deliver a short but intense burst of attacks.


Attack
The attack targets only insecure IoT devices. Its sole objective is to compromise the insecure user’s IoT device and corrupt the device’s storage; this operates as a PDoS and bricks the device. Access is gained by brute forcing the device’s telnet service, the same methodology used by Mirai. The malware’s first attempt uses the username and password combination ‘root’ and ‘vizxv’.

After the compromise, the bot runs a series of commands that corrupt the storage, then cuts off connectivity, which includes removing the default gateway. To add insult to injury, in the last stage of the attack the files are wiped from the device. A factory reset does nothing to recover any functionality.

As noted, the attacks originated from across the globe, but came from a limited number of IPs.
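As an added example (not part of the article or of BrickerBot's own code), the following Python scans constructed telnet honeypot log lines for the brute-force pattern described above: it counts attempts per source IP, flags use of the ‘root’/‘vizxv’ default pair, and reports any source whose default-credential login succeeded, so that the device can be isolated before the wipe stage. The log format, the attempt threshold and the sample lines are assumptions.

```python
# Added example: flag BrickerBot/Mirai-style telnet brute forcing in honeypot logs.
# Assumed (constructed) line format:
#   "<timestamp> <src_ip> telnet login user=<u> pass=<p> result=<ok|fail>"
import re
from collections import defaultdict

# The first credential pair the article says BrickerBot tries (also used by Mirai).
KNOWN_DEFAULT_CREDS = {("root", "vizxv")}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) telnet login "
    r"user=(?P<user>\S+) pass=(?P<pw>\S+) result=(?P<res>ok|fail)$"
)

# Constructed sample log; not data from the vendor honeypot cited in the article.
SAMPLE_LOG = """\
2017-04-05T10:00:01Z 203.0.113.7 telnet login user=root pass=vizxv result=fail
2017-04-05T10:00:02Z 203.0.113.7 telnet login user=root pass=admin result=fail
2017-04-05T10:00:03Z 203.0.113.7 telnet login user=admin pass=admin result=fail
2017-04-05T10:00:04Z 203.0.113.7 telnet login user=root pass=12345 result=fail
2017-04-05T10:00:09Z 198.51.100.22 telnet login user=root pass=vizxv result=ok
2017-04-05T10:01:00Z 192.0.2.9 telnet login user=operator pass=s3cret-Unique result=ok
"""

def parse(log_text):
    """Yield one dict per line that matches LINE_RE; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def analyze(log_text, brute_threshold=3):
    """Per-IP attempt counts, IPs flagged for brute forcing or default creds,
    and IPs whose default-credential login succeeded (device likely bricked next)."""
    attempts = defaultdict(int)
    default_cred_ips, compromised = set(), set()
    for e in parse(log_text):
        attempts[e["ip"]] += 1
        if (e["user"], e["pw"]) in KNOWN_DEFAULT_CREDS:
            default_cred_ips.add(e["ip"])
            if e["res"] == "ok":
                compromised.add(e["ip"])
    flagged = {ip for ip, n in attempts.items() if n >= brute_threshold} | default_cred_ips
    return {"attempts": dict(attempts), "flagged": flagged, "compromised": compromised}

if __name__ == "__main__":
    r = analyze(SAMPLE_LOG)
    print(f"{len(r['attempts'])} source IPs, {len(r['flagged'])} flagged, "
          f"{len(r['compromised'])} successful default-credential logins")
```

A source that appears in `compromised` has already passed the telnet stage, so the practical response is network isolation and re-imaging rather than a factory reset, which the article notes does not restore a bricked device.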


83   Cyber Warnings E-Magazine – August 2017 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide.