BrickerBot

Last updated July 11, 2023

BrickerBot was malware that attempted to permanently destroy ("brick") insecure Internet of Things devices. BrickerBot logged into poorly-secured devices and ran harmful commands to disable them. It was first discovered by Radware after it attacked their honeypot in April 2017. On December 10, 2017, BrickerBot was retired.

Discovery

BrickerBot.1 and BrickerBot.2

The BrickerBot family of malware was first discovered by Radware on April 20, 2017, when BrickerBot attacked their honeypot 1,895 times over four days. BrickerBot's method of attack was to brute-force the telnet password, then run commands using BusyBox to corrupt MMC and MTD storage, delete all files, and disconnect the device from the Internet. Less than an hour after the initial attack, bots began sending a slightly different set of malicious commands, indicating a new version, BrickerBot.2. BrickerBot.2 used the Tor network to hide its location, did not rely on the presence of busybox on the target, and was able to corrupt more types of storage devices.^[2]

BrickerBot.3 and BrickerBot.4

BrickerBot.3 was detected on May 20, 2017, one month after the initial discovery of BrickerBot.1. On the same day, one device was identified as a BrickerBot.4 bot. No other instances of BrickerBot.4 were seen since.^[3]

Shutdown and Impact

According to Janit0r, the author of BrickerBot, it destroyed more than ten million devices before Janit0r announced the retirement of BrickerBot on December 10, 2017.^[4] In an interview with Bleeping Computer , Janit0r stated that BrickerBot was intended to prevent devices from being infected by Mirai.^[5]^[6] US-CERT released an alert regarding BrickerBot on April 12, 2017.^[7]

Related Research Articles

<span class="mw-page-title-main">Malware</span> Malicious software

Malware is any software intentionally designed to cause disruption to a computer, server, client, or computer network, leak private information, gain unauthorized access to information or systems, deprive access to information, or which unknowingly interferes with the user's computer security and privacy. Researchers tend to classify malware into one or more sub-types.

In computing, a denial-of-service attack is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization often uses and infects one or more of them with malware. Eventually, some member of the targeted group will become infected. Hacks looking for specific information may only attack users coming from a specific IP address. This also makes the hacks harder to detect and research. The name is derived from predators in the natural world, who wait for an opportunity to attack their prey near watering holes.

Bleeping Computer is a website covering technology news and offering free computer help via its forums that was created by Lawrence Abrams in 2004. It publishes news focusing heavily on cybersecurity, but also covers other topics including computer software, computer hardware, operating system and general technology.

Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected.

Flame, also known as Flamer, sKyWIper, and Skywiper, is modular computer malware discovered in 2012 that attacks computers running the Microsoft Windows operating system. The program is used for targeted cyber espionage in Middle Eastern countries.

Shamoon, also known as W32.DistTrack, is a modular computer virus that was discovered in 2012, targeting then-recent 32-bit NT kernel versions of Microsoft Windows. The virus was notable due to the destructive nature of the attack and the cost of recovery. Shamoon can spread from an infected machine to other computers on the network. Once a system is infected, the virus continues to compile a list of files from specific locations on the system, upload them to the attacker, and erase them. Finally the virus overwrites the master boot record of the infected computer, making it unusable.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

<span class="mw-page-title-main">Itzik Kotler</span>

Itzik Kotler is an Israeli entrepreneur, inventor, and information security specialist who is the co-founder and CTO of SafeBreach, an Israeli cybersecurity firm. Kotler was previously the Security Operation Center Team Leader at Tel Aviv-based Radware. He has given multiple talks at DEF CON, the world's largest hacker convention.

BASHLITE is malware which infects Linux systems in order to launch distributed denial-of-service attacks (DDoS). Originally it was also known under the name Bashdoor, but this term now refers to the exploit method used by the malware. It has been used to launch attacks of up to 400 Gbps.

Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

<span class="mw-page-title-main">Vault 7</span> CIA files on cyber war and surveillance

Vault 7 is a series of documents that WikiLeaks began to publish on 7 March 2017, detailing the activities and capabilities of the United States Central Intelligence Agency (CIA) to perform electronic surveillance and cyber warfare. The files, dating from 2013 to 2016, include details on the agency's software capabilities, such as the ability to compromise cars, smart TVs, web browsers, and the operating systems of most smartphones, as well as other operating systems such as Microsoft Windows, macOS, and Linux. A CIA internal audit identified 91 malware tools out of more than 500 tools in use in 2016 being compromised by the release. The tools were developed by the Operations Support Branch of the C.I.A.

Code Shikara is a computer worm, related to the Dorkbot family, that attacks through social engineering.

Industroyer is a malware framework considered to have been used in the cyberattack on Ukraine’s power grid on December 17, 2016. The attack cut a fifth of Kyiv, the capital, off power for one hour and is considered to have been a large-scale test. The Kyiv incident was the second cyberattack on Ukraine's power grid in two years. The first attack occurred on December 23, 2015. Industroyer is the first ever known malware specifically designed to attack electrical grids. At the same time, it is the fourth malware publicly revealed to target industrial control systems, after Stuxnet, Havex, and BlackEnergy.

Hajime is a malware which appears to be similar to the Wifatch malware in that it appears to attempt to secure devices. Hajime is also far more advanced than Mirai, according to various researchers.

Havex malware, also known as Backdoor.Oldrea, is a RAT employed by the Russian attributed APT group “Energetic Bear” or “Dragonfly." Havex was discovered in 2013 and is one of five known ICS tailored malware developed in the past decade. These malwares include Stuxnet, BlackEnergy, Industroyer/CRASHOVERRIDE, and TRITON/TRISIS. Energetic Bear began utilizing Havex in a widespread espionage campaign targeting energy, aviation, pharmaceutical, defense, and petrochemical sectors. The campaign targeted victims primarily in the United States and Europe.

Misfortune Cookie is a computer software vulnerability found in the firmware of certain network routers which can be leveraged by an attacker to gain access remotely. The vulnerability has been detected to have affected around 12 million unique devices spread across 189 countries, earning itself a 9.8 Tyne CVSS rating. Any device connected to an exposed network could be hijacked by an attacker who could easily monitor a person's Internet connection or steal their credentials as well as personal or business data. They could also attempt to infect the target machines with malware. Otherwise known as CVE-2014-9222, the bug was first discovered in 2014 by Check Point researchers. It returned again in 2018, four years after its public disclosure, but this time, affecting a completely different set of targets, aka medical devices. When the vulnerability was applied to medical attacks, the DTS configurations could be tampered with, communication could be spoofed, and information could be stolen from an unsuspecting person.

<span class="mw-page-title-main">Web shell</span> Interface enabling remote access to a web server

A web shell is a shell-like interface that enables a web server to be remotely accessed, often for the purposes of cyberattacks. A web shell is unique in that a web browser is used to interact with it.

Trickbot is computer malware, a trojan for the Microsoft Windows and other operating systems, and the cybercrime group behind this. Its major function was originally the theft of banking details and other credentials, but its operators have extended its capabilities to create a complete modular malware ecosystem. The Trickbot cybercrime organization is large and well-organized, with possible connections to Russian intelligence agencies.

References

↑ "BrickerBot: "The Doctor's" PDoS Attack Has Killed Over 2 Million Insecure Devices". Fossbytes. April 25, 2017.
↑ ""BrickerBot" Results In PDoS Attack". Radware. April 5, 2017. Retrieved February 26, 2018.
↑ "BrickerBot PDoS Attack: Back With A Vengeance". Radware. April 21, 2017. Retrieved February 26, 2018.
↑ Shattuck, Justin (December 28, 2017). "BrickerBot: Do "Good Intentions" Justify the Means—or Deliver Meaningful Results?". F5 Labs. Retrieved January 21, 2019.
↑ Cimpanu, Catalin (December 11, 2017). "BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices". BleepingComputer. Retrieved August 4, 2018.
↑ Olenick, Doug (December 12, 2017). "BrickerBot creators announce retirement from active operations". SC Media US. Retrieved August 4, 2018.
↑ "BrickerBot Permanent Denial-of-Service Attack (Update A) | ICS-CERT". ICS-CERT. April 18, 2017. Retrieved February 26, 2018.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "BrickerBot: "The Doctor's" PDoS Attack Has Killed Over 2 Million Insecure Devices". Fossbytes. April 25, 2017.

[2] ""BrickerBot" Results In PDoS Attack". Radware. April 5, 2017. Retrieved February 26, 2018.

[3] "BrickerBot PDoS Attack: Back With A Vengeance". Radware. April 21, 2017. Retrieved February 26, 2018.

[4] Shattuck, Justin (December 28, 2017). "BrickerBot: Do "Good Intentions" Justify the Means—or Deliver Meaningful Results?". F5 Labs. Retrieved January 21, 2019.

[5] Cimpanu, Catalin (December 11, 2017). "BrickerBot Author Retires Claiming to Have Bricked over 10 Million IoT Devices". BleepingComputer. Retrieved August 4, 2018.

[6] Olenick, Doug (December 12, 2017). "BrickerBot creators announce retirement from active operations". SC Media US. Retrieved August 4, 2018.

[7] "BrickerBot Permanent Denial-of-Service Attack (Update A) | ICS-CERT". ICS-CERT. April 18, 2017. Retrieved February 26, 2018.

[1]

[2]

[3]

[4]

[5]

[6]

[7]