Skip to main content

IoT malware begins to show destructive behavior

Hackers have started adding data-wiping routines to malware that's designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.
Researchers from Palo Alto Networks found a new malware program dubbed Amnesia that infects digital video recorders through a year-old vulnerability. Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it's running inside a virtualized environment.
The malware performs some checks to determine whether the Linux environment it's running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots.
Virtual machine detection has existed in Windows malware programs for years, but this is the first time when this feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine it will attempt to wipe critical directories from the file system using the Linux "rm -rf" shell command in order to destroy any evidence they might have collected.
Meanwhile, researchers from security services provider Radware discovered a different malware attack, aimed at IoT devices, that they've dubbed BrickerBot. This attack is launched from compromised routers and wireless access points against other Linux-based embedded devices.
The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device's mounted partitions. It also attempts to kill the internet connection and render the device unusable.
While some devices might survive the attack because they use read-only partitions, many won't and will need a firmware reflash. Also, any configurations will likely be lost and, in the case of routers with USB ports or network attached storage devices, data from external hard drives might also be wiped.
In fact, one of the BrickerBot attack variations is not even limited to embedded and IoT devices and will work on any Linux-based system that is accessible over Telnet, if it has weak or default credentials.
It's not clear what is the goal behind the BrickerBot attacks. The malware's creator might be someone who wants to disable vulnerable devices on the Internet so they cannot be infected and abused by other hackers.
Some of the largest distributed denial-of-service (DDoS) attacks observed over the past year have originated from botnets made up of hacked IoT devices, so the intention might be to force users to take action and fix or replace their vulnerable devices.
Most users are unlikely to ever know if their routers, IP cameras, or network-attached storage systems are infected with malware and are being used in DDoS attacks, because the impact on their performance might be unnoticeable. However, they will immediately know that something is wrong if they're hit by BrickerBot because their devices will stop working and many of them will likely require manual intervention to fix.
The Amnesia bot is a very good example of how vulnerabilities can linger on for years in embedded devices without getting patched. The flaw exploited by the malware to propagate was disclosed more than a year ago and affects more than 70 brands of digital video recorders (DVRs) -- the systems that record video streams from CCTV cameras.
The reason why so many DVR models were affected is that the companies selling them under different brands actually sourced the hardware and the firmware from the same original equipment manufacturer (OEM) in China, a company called Shenzhen TVT Digital Technology.
This so-called "white labeling" practice is common for many IoT devices, including IP cameras and routers, and it makes the distribution of security patches to affected devices very hard. It's also one of the reasons why many such devices don't have automatic updates.
At the moment, there are more than 227,000 DVRs around the world that have this vulnerability and are directly exposed to the internet, according to Palo Alto Networks. The largest number of them are in Taiwan, the United States, Israel, Turkey, and India.
When buying a camera, router, NAS system, or other IoT device, users should look at the manufacturer's security track record: Does the company have a dedicated point of contact for security issues? How has it handled vulnerabilities in its products in the past? Does it publish security advisories? Does it regularly release security patches? Does it support its products for a reasonable amount of time? Do the products have an automatic update feature?
The answers to these questions should inform buying decisions, in addition to the price itself, because all software has flaws, and vulnerabilities are regularly found in both cheap and expensive devices. It's how manufacturers deal with those flaws that really makes a difference.

Comments

Popular posts from this blog

Problem: Date Formatting cannot be Changed in Microsoft Excel

In this article, we will learn how to change the date formatting. We will use “Text to Column” wizard to resolve the problem of change the date formatting in Microsoft Excel. Let’s understand the functions: - Text to Column:  “Text to Column” is used for separating the cell content which is depending on the way your data is arranged. You can divide the data on the basis of content in the cell such as space, comma, period, semicolon, etc. Let’s take an example and understand how we can convert the date into Text. We have dates, foramatted as text in column A. Now, we want to convert it into date format.     If we want to convert the formatting into numbers, then we need to follow below given steps:- Select the range A2:A11. Go to Data tab, and click on Text to Columns from the Data tools group.     Covert Text to Columns Wizard – Step1 of 3 dialog box will appear. Select fixed width, and click on Next button.     Skip step-2, and...
How To Remove Gphone Virus Well gphone.exe is nowadays one of the most dangerous virus spreading very rapidly. It is a Trojan and changes your IE homepage and sends tries to open gtalk and yahoo messenger. It even sends messages to gtalk contacts. Its icon is just like that of folder icon and people thinking of folder click on it get infected by the virus. Gphone virus basically is a 260 kb .exe file which looks like a folder and it can take any name of any other folder if you have clicked on the virus folder which looks like a folder but it is not. If you have a folder name ―movies‖ in your D drive it will make a exe file in the folder named movies.exe and if you click on that exe file it too work as a virus. It makes .exe files in all the folders you have with the name of the folder. How to remove this virus Method 1 1. Go to Task Manager then Processes and then click on gphone.exe and click on end process. 2. Manually go to folder where gphone.exe is present and delete it. 3...