Virtual Case Notes: BrickerBot—Destroying Your Devices for The Good of The Internet
Cybercriminals hack and infect the devices of others for a wide variety of reasons—for attention, for amusement, for monetary gain, etc. But what if a hacker not only hacked and infected your devices, but completely destroyed them—and then claimed it was for your own good?
It may sound preposterous, but this appears to be the message of a hacker known only as the “Janit0r,” who claims to have created the malicious botnet known as BrickerBot, which infects devices and—instead of stealing private data or hijacking the devices for use in subsequent distributed denial of service (DDoS) attacks—destroys, or “bricks,” them, rendering them useless even after a factory reset.
A DDoS attack occurs when many compromised devices or systems are used to flood a target with an overwhelming volume of junk traffic, crippling its ability to provide its usual services; the compromised devices themselves keep working, which is exactly what makes them valuable to the attacker. BrickerBot performs a different kind of attack, known as permanent denial of service (PDoS): it breaks into a device, for example through default credentials or other security flaws, and corrupts its firmware or storage so badly that the device stops working permanently.
“I consider my project a form of ‘Internet Chemotherapy,’” the Janit0r said in an email to cyber writer Catalin Cimpanu from Bleeping Computer. “Chemotherapy is a harsh treatment that nobody in their right mind would administer to a healthy patient, but the Internet was becoming seriously ill in Q3 and Q4/2016 and the moderate remedies were ineffective. The side effects of the treatment were harmful but the alternative (DDoS botnet sizes numbering in the millions) would have been worse.”
According to the Janit0r, a massive number of Internet of Things (IoT) devices, such as webcams, routers and DVRs, are unsecured and vulnerable to being taken over and absorbed into a larger botnet, which hackers can then use like a zombie army to launch their cyberattacks. His solution is to get hold of the devices before anyone else can and kill them before they are “zombified,” eliminating DDoS foot soldiers—and sending a message in the process.
“Besides getting the number of IoT DDoS bots to a manageable level, my other key goal has been to raise awareness. The IoT problem is much worse than most people think,” the hacker told Bleeping Computer.
Cyber evangelist Pascal Geenens of cybersecurity company Radware was the first to discover the botnet, using a “honeypot” technique to not only detect when attacks occur but retrieve more information about the nature of the attacks. Radware researchers built a new honeypot program from scratch, improving their ability to analyze malware.
“We programmed a chatterbot, basically a program that accepts connections and commands from bots and answers their commands with the response they expect, creating a full dialog until we trick the bot into revealing the download location of their malware binary,” Geenens told me. “For each dialog we have with a potential bot, we create a fingerprint of the commands it submits […] Using fingerprinting and checking the unique sequences our honeypots were able to identify, we found the different BrickerBot sequences.”
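The following is an added example of the chatterbot idea Geenens describes; it is not Radware's code, and its prompts, canned replies and sample session are constructed for this illustration. The bot impersonates a weak IoT device over telnet: it accepts any username and password, answers the commands a scanning bot expects so that the dialog continues, records the command sequence, reduces it to a fingerprint that ignores per-campaign variables (download IPs, URLs, the random applet name passed to busybox), and pulls out the malware download location the bot eventually reveals.

```python
import hashlib
import re
import socket
import threading

# Constructed example of a telnet chatterbot honeypot (not Radware's code).
URL_RE = re.compile(r"https?://[^\s'\";|&]+")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_RE = re.compile(r"(?:\\x[0-9a-fA-F]{2})+")          # "echo -ne '\x7f\x45..'" payload drops
IAC_RE = re.compile(rb"\xff[\xfb-\xfe].", re.DOTALL)    # telnet option negotiation bytes


class TelnetChatterbot:
    """Dialog state for one bot session: login -> password -> fake BusyBox shell."""

    PROMPT = "# "
    BANNER = "\r\nBusyBox v1.19.4 (2014-01-01 00:00:00 UTC) built-in shell (ash)\r\n"
    # (pattern, reply) pairs tried in order; a reply may be a callable on the match.
    CANNED = [
        (re.compile(r"^(enable|system|shell|sh)$"), ""),
        (re.compile(r"^/bin/busybox\s+(\S+)$"), lambda m: f"{m.group(1)}: applet not found\r\n"),
        (re.compile(r"^cat /proc/mounts"), "/dev/root / squashfs ro 0 0\r\ntmpfs /tmp tmpfs rw 0 0\r\n"),
    ]

    def __init__(self):
        self.state = "login"
        self.username = self.password = None
        self.commands = []

    def greeting(self):
        return "login: "

    def feed(self, line):
        """Consume one line from the bot and return what a real device would send back."""
        line = line.strip()
        if self.state == "login":
            self.username, self.state = line, "password"
            return "Password: "
        if self.state == "password":
            self.password, self.state = line, "shell"
            return self.BANNER + self.PROMPT        # any credentials "work"
        self.commands.append(line)
        return self._reply(line) + self.PROMPT

    def _reply(self, line):
        for pattern, reply in self.CANNED:
            m = pattern.match(line)
            if m:
                return reply(m) if callable(reply) else reply
        return ""   # unknown command: silent success keeps the bot talking

    @staticmethod
    def normalize(cmd):
        """Strip per-campaign variables so identical bot logic yields an identical fingerprint."""
        cmd = URL_RE.sub("<url>", cmd)
        cmd = IPV4_RE.sub("<ip>", cmd)
        cmd = HEX_RE.sub("<hex>", cmd)
        return re.sub(r"^/bin/busybox\s+\S+", "/bin/busybox <token>", cmd)

    def fingerprint(self):
        data = "\n".join(self.normalize(c) for c in self.commands)
        return hashlib.sha256(data.encode()).hexdigest()[:16]

    def download_locations(self):
        """URLs given to wget/curl and hosts given to tftp, in the order the bot used them."""
        found = []
        for cmd in self.commands:
            found.extend(URL_RE.findall(cmd))
            if re.search(r"\btftp\b", cmd):
                found.extend(IPV4_RE.findall(cmd))
        return found


def _handle(conn, peer):
    bot = TelnetChatterbot()
    with conn:
        conn.sendall(bot.greeting().encode())
        buf = b""
        while True:
            data = conn.recv(1024)
            if not data:
                break
            buf += data
            while b"\n" in buf:
                raw, buf = buf.split(b"\n", 1)
                raw = IAC_RE.sub(b"", raw)
                conn.sendall(bot.feed(raw.decode("utf-8", "replace")).encode())
    print(peer, bot.fingerprint(), bot.download_locations())


def serve(host="0.0.0.0", port=2323):
    """Listen on a real socket and run one chatterbot per connection (bind 23 to catch real scanners)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind((host, port))
        srv.listen()
        while True:
            conn, peer = srv.accept()
            threading.Thread(target=_handle, args=(conn, peer), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The fingerprint is what lets two sessions from different infected devices, each pointing at its own download server, be recognised as the same bot family; the raw command list is kept alongside it so an analyst can still see the exact payload drop.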
Geenens said BrickerBot stood out because of its intention, which could be derived from the data researchers collected through the honeypot.
“All the real intentions of [a] botnet are encapsulated in the malware binary and upon executing the binary, the malware exposes its real intentions—mostly scanning and infecting other devices and waiting for commands from the command and control (C2) server(s),” he explained. “One of the primary goals of the bots is to grow the botnet as fast and as large as possible. BrickerBot is different in the sense that the malware infects a (limited) number of IoT devices across the internet and from there, attacks other, similar, IoT devices. So instead of infecting other devices the malware could identify as victim, it is attempting to break them.”
This revelation was made by Radware researchers before the Janit0r’s self-described motives were made public. Radware released a threat alert about the newly discovered PDoS attacks on April 8, 2017, after observing two versions of the malware: BrickerBot 1 and BrickerBot 2 were discovered as they attempted nearly 1,900 PDoS attacks over four days.
Then, on April 21, 2017—the same day Bleeping Computer published the Janit0r’s emails—Geenens announced the discovery of two new versions—BrickerBots 3 and 4.
“BrickerBot 4 was an isolated case—a single device with the same attack for 90 times. BrickerBot 3 was very similar to 1, only it was much more intense,” Geenens told me. “BrickerBot 1 executed 1,895 attempts in a period of almost 5 days while BrickerBot 3 performed 1,293 attempts in less than 12 hours.”
According to Geenens, this suggests a renewed effort to destroy more unsecured IoT devices.
How to Stay Safe from BrickerBot
What devices might be affected by this attack, and what can users do to protect their own devices from being “bricked”?
BrickerBot targets internet protocol (IP) cameras—such as those used for surveillance—digital video recorders (DVRs), network video recorders (NVRs), modems, and both ISP-provided and residential routers, according to Geenens.
“The Janitor claims to have already bricked over 2 million devices on the internet since Nov 2016. The number is likely over-estimated, but it is quite possible that this occurrence has been happening for some time now but no one realized it was BrickerBot. It is very possible users would think this was a failure of the device itself, and not an external attacker breaking it.”
Geenens said that most ISPs would be able to block BrickerBot’s traffic, but that consumers can protect themselves by disabling telnet—the protocol that gives remote command-line access to a device over a network—and changing the device’s default credentials, keeping firmware up to date by installing the most recent patches, rebooting any IoT device before connecting it to a home network, and never connecting camera devices to unprotected public networks, which exposes them to many kinds of malware, including BrickerBot.
“It is important to note that telnet is just one possible way of exploiting devices. Lots of devices have been found vulnerable to many different exploits,” Geenens said. “Hackers read these reports and add new exploits to their malware. Updating firmware is incredibly important for staying protected not only now but also and especially in the future.”
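As an added example that is not part of the article or Radware's tooling, the check below turns the advice above into something you can run against your own devices: for each host it reports whether TCP port 23 accepts a connection and whether whatever answers looks like a telnet service, which is the entry point BrickerBot and its peers scan for. The host list and the throwaway loopback listener used in the demo are constructed for this example; run it only against equipment you own.

```python
import socket
import threading

# Constructed example (not the article's or Radware's code): a telnet exposure probe.
IAC = 0xFF   # telnet "Interpret As Command"; real telnetd greetings start with option negotiation


def classify_banner(banner):
    """'open-telnet' if the first bytes look like telnet negotiation or a login prompt."""
    if not banner:
        return "open-silent"
    if banner[0] == IAC or b"login:" in banner.lower():
        return "open-telnet"
    return "open-unknown"


def probe_telnet(host, port=23, timeout=2.0):
    """Return 'closed' (refused, unreachable or filtered) or one of the open-* states."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except socket.timeout:
                banner = b""
    except OSError:      # ECONNREFUSED, EHOSTUNREACH, connect timeout, ...
        return "closed"
    return classify_banner(banner)


def audit(hosts, port=23):
    """Probe every host; anything that is not 'closed' needs telnet disabled and credentials changed."""
    return {host: probe_telnet(host, port) for host in hosts}


def fake_telnetd(banner=b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27login: "):
    """Loopback listener that greets one client like a telnetd (demo only). Returns (host, port, stop)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        try:
            conn, _ = srv.accept()
        except OSError:
            return
        with conn:
            conn.sendall(banner)

    threading.Thread(target=run, daemon=True).start()
    return "127.0.0.1", srv.getsockname()[1], srv.close


def unused_port():
    """An ephemeral port nobody listens on, to demonstrate the 'closed' result."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    host, port, stop = fake_telnetd()
    print(audit([host], port))                      # {'127.0.0.1': 'open-telnet'}
    stop()
    print(audit(["127.0.0.1"], unused_port()))      # {'127.0.0.1': 'closed'}
```

A device that reports open-telnet is reachable by exactly the scanners described in this article; a device that reports open-silent or open-unknown still has something listening on port 23 and deserves a look, and even a closed result only covers telnet, not the other exploits Geenens warns about.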
As for the Janit0r’s vigilante motives, Geenens says he acknowledges the same “huge IoT security problems” that the hacker seeks to bring awareness to, but that the so-called chemotherapy approach is “aggressive and destructive, causing more harm to consumers than good.”
“There is no control on what gets destroyed—what if devices from critical infrastructure get in the crosshairs of BrickerBot? Or medical devices or emergency services devices get bricked?” Geenens said. “These devices need to be secured in the first place, but in its aggressive nature, BrickerBot has the potential to cause major disasters or create life-threatening situations.”