A mysterious attacker is using malware to damage unsecured IoT devices so that they cannot be used anymore (Image: iStock)

Cybersecurity researchers have detected a particularly nasty new breed of malware that deliberately attacks vulnerable Internet of Things (IoT) devices and completely destroys them so they can never be used again.

Researchers from the cybersecurity firm Radware say that in March, their honeypot servers detected 1,895 attempts made by malware known as BrickerBot.1 and BrickerBot.2 to hack into unsecured smart internet-enabled devices to damage their systems.

The firm calls this a Permanent Denial of Service (PDoS) attack, because of how destructive it is. The malware first uses a brute-force attack to find devices that have Telnet port 22 left open accidentally through misconfiguration, as well as devices that are susceptible to security vulnerabilities.

Meddling with kernel settings

The malware finds its way into the system and then performs a series of Linux commands in order to corrupt the device's flash storage, before deliberately messing with settings in the kernel.

By reconfiguring the kernel's parameters, the malware tries to disrupt the device's internet connectivity, then wipes all the files on the device and sets the kernel thread limit to just one. On an ARM processor-powered device there are typically tens of thousands of threads running, so setting the limit to one immediately stops all of the kernel's operations.

After making all of these changes, the malware forces the device to reboot, which makes the damage permanent and renders the device useless: every affected device will need to have its firmware reinstalled or, worse, the owner will need to buy a new one.
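As an added defender-side example (not Radware's code and not from the original article), the following Python script audits a Linux host for the two conditions described above: a kernel thread limit forced down to one, and Telnet or SSH listening on a network-facing address. It assumes the "threads set to one" step corresponds to the kernel.threads-max sysctl, reads listeners from /proc/net/tcp, and uses a constructed sample socket table.

```python
# Defender-side audit for the two conditions the article ties to BrickerBot: a
# kernel thread limit crushed to one, and Telnet/SSH reachable from the network.
# Added example, not Radware's code. Assumptions: "threads set to one" means the
# kernel.threads-max sysctl; exposure is judged from LISTEN rows in /proc/net/tcp.

TELNET_PORT = 23           # Telnet's normal port
SSH_PORT = 22              # the port the article names for the brute-force vector
MIN_SANE_THREADS = 1024    # assumed floor; stock kernels sit far above this
LOOPBACK_HEX = "0100007F"  # 127.0.0.1 as /proc/net/tcp prints it (little-endian)

def check_threads_max(value_text: str):
    """Judge the text of /proc/sys/kernel/threads-max; return (ok, detail)."""
    try:
        value = int(value_text.strip())
    except ValueError:
        return False, "kernel.threads-max unreadable"
    if value < MIN_SANE_THREADS:
        return False, f"kernel.threads-max={value} (crippling; expected >= {MIN_SANE_THREADS})"
    return True, f"kernel.threads-max={value}"

def listening_ports(proc_net_tcp: str):
    """Ports in LISTEN state (st == 0A) bound to a non-loopback address."""
    ports = set()
    for line in proc_net_tcp.splitlines()[1:]:   # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != "0A":
            continue
        addr_hex, port_hex = fields[1].split(":")
        if addr_hex != LOOPBACK_HEX:
            ports.add(int(port_hex, 16))
    return ports

def audit(threads_text: str, proc_net_tcp: str):
    """List of findings for one host; an empty list means nothing flagged."""
    findings = []
    ok, detail = check_threads_max(threads_text)
    if not ok:
        findings.append(detail)
    exposed = sorted(p for p in listening_ports(proc_net_tcp) if p in (TELNET_PORT, SSH_PORT))
    if exposed:
        findings.append(f"remote admin ports open on non-loopback: {exposed}")
    return findings

# Constructed sample: Telnet (0x0017) on all interfaces, SSH (0x0016) on loopback only.
SAMPLE_TCP = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1235 1 0000000000000000 100 0 0 10 0
"""
```

On a real device, pass it the contents of /proc/sys/kernel/threads-max and /proc/net/tcp; a threads-max of 1 together with a network-facing Telnet listener is the picture this article describes.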

According to the researchers, the affected devices are all running an older version of the Dropbear SSH server. Some of them are made by Ubiquiti Networks, among them access points and bridges with beam directivity.

The attacker is hiding behind Tor nodes

"The source IP addresses from these attempts are Tor nodes and hence there is no identifying the actual source of the attacks. It is worth noting that these attacks are still ongoing and the attacker/author is using Tor egress nodes to conceal its bot(s)," the researchers write in their blog post.

What makes this malware attack so interesting is that there is nothing in it for the attackers. Cybercriminals typically develop malware to steal personal details that can be turned into money, or to hijack PCs with ransomware and demand payment. Destroying the devices just means that they won't work anymore.

It looks like the malware is the work of some kind of vigilante who has neither altruistic nor profit-related motives, but simply wants to cause chaos. While the incidents clearly highlight the fragility of IoT security, this is dangerous and could be just the beginning of something far worse to come.