Hot Topics

Home » Cybersecurity » SBN News » An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices

An IoT worm Silex, developed by a 14 year old resulted in malware attack and taking down 2000 devices

by Amrata Joshi on June 28, 2019

This week, an IoT worm called Silex that targets a Unix-like system took down around 2,000 devices, ZDNet reports. This malware attacks by attempting a login with default credentials and after gaining access.

Larry Cashdollar, an Akamai researcher, the first one to spot the malware, told ZDNet in a statement, “It’s using known default credentials for IoT devices to log in and kill the system.”

He added, “It’s doing this by writing random data from /dev/random to any mounted storage it finds. I see in the binary it’s calling fdisk -l which will list all disk partitions.”

He added, “It then writes random data from /dev/random to any partitions it discovers.”

It’s trashing the storage, dropping the iptables rules, removing the network configuration and then halting the device. pic.twitter.com/Ue661ku0fy
— Larry W. Cashdollar (@_larry0) June 25, 2019

It deletes the devices’ firewall rules and then removes its network config and triggers a restart, this way the devices get bricked. Victims are advised to manually reinstall the device’s firmware for recovering. This malware attack might remind you of the BrickerBot malware that ended up destroying millions of devices in 2017.

Sponsorships Available

Cashdollar told ZDNet in a statement, “It’s targeting any Unix-like system with default login credentials.” He further added, “The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS.”

This also means that this malware might affect Linux servers if they have Telnet ports open and in case they are secured with poor or widely-used credentials.

Also, as per the ZDNet report, the attacks were carried out from a VPS server that was owned by a company operating out of Iran. Cashdollar said, “It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.”

With the help of NewSky Security researcher Ankit Anubhav, ZDNet managed to reach out to the Silex malware author who goes by the pseudonym Light Leafon. According to Anubhav, Light Leafon, is a 14-year-old teenager responsible for this malware.

In a statement to Anubhav and ZDNet, he said, “The project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex.”

Light also said that he has plans for developing the Silex malware further and will add even more destructive functions. In a statement to Anubhav and ZDNet, he said, “It will be reworked to have the original BrickerBot functionality.”

He is also planning to add the ability to log into devices via SSH apart from the current Telnet hijacking capability. He plans to give the malware the ability to use vulnerabilities for breaking into devices, which is quite similar to most of the IoT botnets.

Light said, “My friend Skiddy and I are going to rework the whole bot.” He further added, “It is going to target every single publicly known exploit that Mirai or Qbot load.”

Light didn’t give any justification for his actions neither have put across any manifesto as the author of BrickerBot (goes with the pseudonym-Janit0r) did post before the BrickerBot attacks. Janit0r motivated the 2017 attacks to protest against owners of smart devices that were constantly getting infected with the Mirai DDoS malware.

In a statement to ZDNet, Anubhav described the teenager as “one of the most prominent and talented IoT threat actors at the moment.” He further added, “Its impressive and at the same time sad that Light, being a minor, is utilizing his talent in an illegal way.”

People are surprised how a 14-year-old managed to work this out and are equally worried about the consequences the kid might undergo.

A user commented on Reddit, “He’s a 14-year old kid who is a bit misguided in his ways and can easily be found. He admits to DDoSing Wix, Omegle, and Twitter for lols and then also selling a few spots on the net. Dude needs to calm down before it goes bad. Luckily he’s under 18 so really the worst that would happen in the EU is a slap on the wrist.”

Another user commented, “It’s funny how those guys are like “what a skid lol” but like … it’s a 14-year-old kid lol. What is it people say about the special olympics…”

Few others said that developers need to be more vigilant and take security seriously. Another comment reads, “Hopefully manufacturers might start taking security seriously instead of churning out these vulnerable pieces of shit like it’s going out of fashion (which it is).”

To know more about this news, check out the report by ZDNet.