IoT malware starts showing destructive behavior

Hackers have started adding data-wiping routines to malware that's designed to infect internet-of-things and other embedded devices. Two attacks observed recently displayed this behavior but likely for different purposes.

Researchers from Palo Alto Networks found a new malware program dubbed Amnesia that infects digital video recorders through a year-old vulnerability. Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it's running inside a virtualized environment.

The malware performs some checks to determine whether the Linux environment it's running in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are used by security researchers to build analysis sandboxes or honeypots.

Virtual machine detection has existed in Windows malware programs for years, but this is the first time when this feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine it will attempt to wipe critical directories from the file system using the Linux "rm -rf" shell command in order to destroy any evidence they might have collected.

Meanwhile, researchers from security services provider Radware discovered a different malware attack, aimed at IoT devices, that they've dubbed BrickerBot. This attack is launched from compromised routers and wireless access points against other Linux-based embedded devices.

The malware attempts to authenticate with common username and password combinations on devices that have the Telnet service running and are exposed to the internet. If successful, it launches a series of destructive commands intended to overwrite data from the device's mounted partitions. It also attempts to kill the internet connection and render the device unusable.

While some devices might survive the attack because they use read-only partitions, many won't and will need a firmware reflash. Also, any configurations will likely be lost and, in the case of routers with USB ports or network attached storage devices, data from external hard drives might also be wiped.

In fact, one of the BrickerBot attack variations is not even limited to embedded and IoT devices and will work on any Linux-based system that is accessible over Telnet, if it has weak or default credentials.

It's not clear what is the goal behind the BrickerBot attacks. The malware's creator might be someone who wants to disable vulnerable devices on the Internet so they cannot be infected and abused by other hackers.

Some of the largest distributed denial-of-service (DDoS) attacks observed over the past year have originated from botnets made up of hacked IoT devices, so the intention might be to force users to take action and fix or replace their vulnerable devices.

Most users are unlikely to ever know if their routers, IP cameras, or network-attached storage systems are infected with malware and are being used in DDoS attacks, because the impact on their performance might be unnoticeable. However, they will immediately know that something is wrong if they're hit by BrickerBot because their devices will stop working and many of them will likely require manual intervention to fix.

The Amnesia bot is a very good example of how vulnerabilities can linger on for years in embedded devices without getting patched. The flaw exploited by the malware to propagate was disclosed more than a year ago and affects more than 70 brands of digital video recorders (DVRs) -- the systems that record video streams from CCTV cameras.

The reason why so many DVR models were affected is that the companies selling them under different brands actually sourced the hardware and the firmware from the same original equipment manufacturer (OEM) in China, a company called Shenzhen TVT Digital Technology.

This so-called "white labeling" practice is common for many IoT devices, including IP cameras and routers, and it makes the distribution of security patches to affected devices very hard. It's also one of the reasons why many such devices don't have automatic updates.

At the moment, there are more than 227,000 DVRs around the world that have this vulnerability and are directly exposed to the internet, according to Palo Alto Networks. The largest number of them are in Taiwan, the United States, Israel, Turkey, and India.

When buying a camera, router, NAS system, or other IoT device, users should look at the manufacturer's security track record: Does the company have a dedicated point of contact for security issues? How has it handled vulnerabilities in its products in the past? Does it publish security advisories? Does it regularly release security patches? Does it support its products for a reasonable amount of time? Do the products have an automatic update feature?

The answers to these questions should inform buying decisions, in addition to the price itself, because all software has flaws, and vulnerabilities are regularly found in both cheap and expensive devices. It's how manufacturers deal with those flaws that really makes a difference.