According to research by Larry Cashdollar of Akamai, a new strain of malware is bricking IoT devices that still use default credentials. The malware, dubbed Silex and created by teenage hackers in the EU, was caught in a honeypot set up by the researcher. According to research by Ankit Anubhav, the three hackers go by the aliases Light The Leafon/Light The Sylveon, Alx, and Skiddy.
The mechanics of Silex are explained by Cashdollar as follows:
Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk partitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers... Based on code examinations, it is possible that Silexbot uses an alternative method of discovery if the fdisk command isn’t available. While we have not seen concrete proof of this code functioning, within the binary the commands exist for Silexbot to read mounted file systems from /proc/mounts and write to them using mtd_write:... Then it deletes network configurations, flushes iptables and adds an additional rule that DROPS all connections, before finally halting the device... Silexbot also uses rm -rf /, which will delete anything it has missed... Finally, Silexbot will halt and reboot the device.
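The sequence Cashdollar describes (enumerating partitions, overwriting them with random data, flushing iptables and adding a DROP rule, then wiping the filesystem) is a useful pattern for defenders to look for in command auditing on fleets of Linux-based IoT devices. The following is an added example, not code from Akamai or from the Silex analysis: a small Python detector that scans constructed command-log lines per host and flags hosts whose history contains several of those indicators. The log format (`host command`) and the exact command forms for the raw write (`dd ... of=/dev/...` and `mtd_write`) are assumptions for illustration; the quote above names only `fdisk -l`, `/dev/random`, `/proc/mounts`, `mtd_write`, the iptables DROP rule and `rm -rf /`.

```python
"""Toy detector for a Silex-style destructive command sequence.

Scans constructed command-log lines of the form "<host> <command>" and
reports hosts whose commands match several of the destruction indicators
described in the Akamai write-up (partition enumeration, raw writes to
block/flash devices, firewall flush + DROP-all, recursive root wipe).
This is an added illustration; the log format is an assumption.
"""
import re
from collections import defaultdict

# Constructed sample log: one device (cam-01) shows the full sequence,
# the others show only benign or isolated commands.
SAMPLE_LOG = """\
cam-01 fdisk -l
cam-01 dd if=/dev/random of=/dev/mmcblk0 bs=1M
cam-01 iptables -F
cam-01 iptables -A INPUT -j DROP
cam-01 rm -rf /
router-07 fdisk -l
router-07 ls /var/log
server-02 iptables -F
"""

# Indicator name -> regex. The dd and mtd_write forms are assumed shapes
# of the "write random data to partitions" step, not commands quoted
# verbatim from the malware analysis.
INDICATORS = {
    "partition_enum": re.compile(r"\bfdisk\s+-l\b"),
    "raw_write": re.compile(r"\bdd\b.*\bif=/dev/u?random\b.*\bof=/dev/"),
    "mtd_write": re.compile(r"\bmtd_write\b"),
    "fw_flush": re.compile(r"\biptables\s+-F\b"),
    "fw_drop_all": re.compile(r"\biptables\b.*-j\s+DROP\b"),
    "root_wipe": re.compile(r"\brm\s+-rf\s+/(\s|$)"),
}


def parse_log(text):
    """Return a list of (host, command) tuples, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        host, _, cmd = line.partition(" ")
        entries.append((host, cmd.strip()))
    return entries


def score_hosts(entries):
    """Map each host to the set of indicator names its commands matched."""
    hits = defaultdict(set)
    for host, cmd in entries:
        for name, pattern in INDICATORS.items():
            if pattern.search(cmd):
                hits[host].add(name)
    return dict(hits)


def flag_hosts(entries, threshold=3):
    """Hosts with at least `threshold` distinct indicators, sorted by name.

    A single indicator (e.g. an admin running `fdisk -l`) is normal; the
    combination of enumeration, raw write, firewall drop and wipe is not.
    """
    scores = score_hosts(entries)
    return sorted(h for h, names in scores.items() if len(names) >= threshold)


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    for host, names in sorted(score_hosts(parsed).items()):
        print(f"{host}: {sorted(names)}")
    print("flagged:", flag_hosts(parsed))
```

The threshold matters: `fdisk -l` or `iptables -F` alone is routine administration, so the detector only raises a host once several of the destructive steps appear together in its history.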
The creation of Silex had, at least according to statements made by the main hacker Light The Leafon/Light The Sylveon, a somewhat noble goal. Ankit Anubhav was able to secure an interview with the teenager on his podcast. In the interview, the teenage hacker said that he wanted to brick devices that script kiddies were attempting to take control of for monetary gain. Because of the heat he was getting as a result of the published research, however, the teen hacker said that he is “leaving the community because” he “never wanted this clout.”
It appears that Light The Leafon/Light The Sylveon was telling the truth, as the command-and-control server associated with Silex has been shut down. This does not mean the damage is over, however: as Bleeping Computer’s Ionut Ilascu notes, Silex is still running its destruction routines on already infected IoT devices.
Featured image: Pixabay