Akamai researcher Larry Cashdollar discovered a new piece of the Silex malware that is bricking thousands of
Cashdollar explained that the Silex malware trashes the storage of the infected devices, drops firewall rules and wipe network configurations before halting the system.
The only way to recover infected devices is to manually reinstall the device’s firmware.
Silex is not the first IoT malware with this behavior, back in 2017 BrickerBot bricked millions of devices worldwide.
According to ZDnet that interviewed the malware’s creator, the attacks are about to intensify in the coming days.
“The malware had bricked around 350 devices when this reporter began investigating its operations, and the number quickly spiked to 2,000 wiped devices by the time we published, an hour later.” reported ZDnet.
“Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days.”
The researcher Ankit Anubhav was also able to trace the attacker and confirmed that the bot was developed to brick the infected IoT devices.
Anubhav believes that the Silex malware was developed by a teenager using the online moniker of Light Leafon. The same guy has also created the ITO IoT botnet,
According to Cashdollar, the Silex malware uses a list of known default credentials for
“I see in the binary it’s calling fdisk -l which will list all disk partitions,” Cashdollar told ZDNet. “It then writes random data from /dev/random to any partitions it discovers.”
The malware also deletes network settings and any other data on the device, then it flushes all iptables entries before halting or rebooting the device.
The IoT malware is targeting any Unix-like system with default login credentials, according to Cashdollar it leverages a Bash shell version to target any architecture running a Unix like OS.
The malware could brick Linux servers having Telnet ports open that use known credentials.
The IP address (185[.]162[.]235[.]56) behind the attacks observed by the experts is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.
According to Ankit Anubha who spoke with the author of the malware, the developer has definitively abandoned the HITO botnet for Silex and plans to implement other destructive features (SSH hijacking capability, add exploits into Silex).
At the time it is not clear the Light’s motivation for these attacks, let’s hope he will use his talent for legal and good projects.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.