IoT malware starts showing destructive behavior

Researchers have observed attacks against IoT devices that wipe data from infected systems

Hackers have started adding data-wiping routines to malware that's designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.

Researchers from Palo Alto Networks found a new malware program dubbed Amnesia that infects digital video recorders through a year-old vulnerability. Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it's running inside a virtualized environment.

The malware performs some checks to determine whether the Linux environment it's running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots.

Virtual machine detection has existed in Windows malware programs for years, but this is the first time when this feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine it will attempt to wipe critical directories from the file system using the Linux "rm -rf" shell command in order to destroy any evidence they might have collected.

Meanwhile, researchers from security services provider Radware discovered a different malware attack, aimed at IoT devices, that they've dubbed BrickerBot. This attack is launched from compromised routers and wireless access points against other Linux-based embedded devices.

The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device's mounted partitions. It also attempts to kill the internet connection and render the device unusable.

While some devices might survive the attack because they use read-only partitions, many won't and will need a firmware reflash. Also, any configurations will likely be lost and, in the case of routers with USB ports or network attached storage devices, data from external hard drives might also be wiped.

In fact, one of the BrickerBot attack variations is not even limited to embedded and IoT devices and will work on any Linux-based system that is accessible over Telnet, if it has weak or default credentials.

It's not clear what is the goal behind the BrickerBot attacks. The malware's creator might be someone who wants to disable vulnerable devices on the Internet so they cannot be infected and abused by other hackers.

Some of the largest distributed denial-of-service (DDoS) attacks observed over the past year have originated from botnets made up of hacked IoT devices, so the intention might be to force users to take action and fix or replace their vulnerable devices.

Most users are unlikely to ever know if their routers, IP cameras, or network-attached storage systems are infected with malware and are being used in DDoS attacks, because the impact on their performance might be unnoticeable. However, they will immediately know that something is wrong if they're hit by BrickerBot because their devices will stop working and many of them will likely require manual intervention to fix.

The Amnesia bot is a very good example of how vulnerabilities can linger on for years in embedded devices without getting patched. The flaw exploited by the malware to propagate was disclosed more than a year ago and affects more than 70 brands of digital video recorders (DVRs) -- the systems that record video streams from CCTV cameras.

The reason why so many DVR models were affected is that the companies selling them under different brands actually sourced the hardware and the firmware from the same original equipment manufacturer (OEM) in China, a company called Shenzhen TVT Digital Technology.

This so-called "white labeling" practice is common for many IoT devices, including IP cameras and routers, and it makes the distribution of security patches to affected devices very hard. It's also one of the reasons why many such devices don't have automatic updates.

At the moment, there are more than 227,000 DVRs around the world that have this vulnerability and are directly exposed to the internet, according to Palo Alto Networks. The largest number of them are in Taiwan, the United States, Israel, Turkey, and India.

When buying a camera, router, NAS system, or other IoT device, users should look at the manufacturer's security track record: Does the company have a dedicated point of contact for security issues? How has it handled vulnerabilities in its products in the past? Does it publish security advisories? Does it regularly release security patches? Does it support its products for a reasonable amount of time? Do the products have an automatic update feature?

The answers to these questions should inform buying decisions, in addition to the price itself, because all software has flaws, and vulnerabilities are regularly found in both cheap and expensive devices. It's how manufacturers deal with those flaws that really makes a difference.

Join the PC World newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Lucian Constantin

IDG News Service
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Matthew Stivala

HP OfficeJet 250 Mobile Printer

The HP OfficeJet 250 Mobile Printer is a great device that fits perfectly into my fast paced and mobile lifestyle. My first impression of the printer itself was how incredibly compact and sleek the device was.

Armand Abogado

HP OfficeJet 250 Mobile Printer

Wireless printing from my iPhone was also a handy feature, the whole experience was quick and seamless with no setup requirements - accessed through the default iOS printing menu options.

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?