Every hour of every day, computer systems and IoT devices are under attack by bots trying to recruit them into growing botnets. Security researchers have recently highlighted two of these threats coming after Linux- and BusyBox-based systems and devices.
A year after security researcher Rotem Kerner discovered a remote code execution vulnerability that affected digital video recorders (DVRs) manufactured by Chinese company TVT Digital and sold by more than 70 different vendors around the world, vulnerable devices are still online, unpatched, and are being actively conscripted into a botnet.
The botnet was named Amnesia by Palo Alto Networks researchers, after the malware of the same name that carries out the compromise.
The Amnesia malware is a newer variant of another Linux malware called “Tsunami”, and the researchers believe it to be the first Linux malware to adopt virtual machine evasion techniques to defeat malware analysis sandboxes.
If it detects a virtual machine, Amnesia will first delete itself, and then try to delete several directories on it (including the Linux root one).
“We believe the author of Amnesia was aiming to defeat Linux-based malware analysis sandboxes and to cause trouble for security researchers due to a hard-coded but otherwise useless string in the code: ‘fxxkwhitehats’,” the researchers noted.
“However, VM based sandboxes typically have system snapshot enabled, allowing for quick recovery to the original state (the sample’s analysis task may be ruined though). The impact will be limited in these cases. The real problem is, if the malware infected some QEMU based Linux server instances, such as virtual hosts provided by VPS vendors, the Linux server will also be wiped, which could be catastrophic if back-ups are not available.”
According to them, the Amnesia botnet is currently dormant, but it can spring into action at any time, and more than likely be used for DDoS attacks.
The researchers scanned the Internet for vulnerable and exposed DVR devices, and found approximately 227,000 of them, located around the world. “To date, we have been unable to find any patch released by the vendors or the manufacturer to address the vulnerability,” they noted.
So, users can’t do much to protect their devices, apart from removing them from the Internet. Organizations can move to block traffic to Amnesia’s command and control servers (IOCs have been provided).
The only good news is that the malware relies on hard-coded C&C addresses, so simply blocking the bots’ access to them will stop a new Mirai-type attack if it’s initiated.
Another, more destructive piece of malware is after BusyBox-based IoT devices and Linux systems that have their Telnet port open and are exposed on the Internet.
BrickerBot does not exploit a vulnerability in the devices to gain control of them – instead, it tries to brute force its way by attempting different username/password pairs.
The malware was flagged by Radware, as their honeypot devices were bombarded with attacks from two different botnets: BrickerBot.1 and BrickerBot.2.
BrickerBot.1 searches for devices using two types of flash storage, while BrickerBot.2 targets a wider array of storage devices.
If they succeed in gaining administrative control of a device, they run a series of Linux commands aimed at corrupting its storage, disrupting Internet connectivity and device performance, and wiping all files on it.
“Both PDoS [Permanent Denial-of-Service] attacks started the same day and approximately the same time: March 20, 2017 9.51PM CET vs March 20, 2017 9.10PM CET. While the first PDoS attacks from BrickerBot.1 have stopped, the attacks from BrickerBot.2, which are less dense but better concealed using TOR egress nodes, are still active and ongoing,” the researchers noted.
Why the botnets’ masters want to effectively cripple these devices is unknown.
Users can protect their devices and systems by disabling Telnet access and changing the device’s factory default credentials.
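One defender-side check for the Telnet credential guessing described above, added here as an illustration rather than code from either research team: it reads login events from a device's syslog and flags source addresses that burst through failed logins, marking a source "compromised" when a successful login follows the burst. The log lines are constructed, and their message format (`FAILED LOGIN from ... for ...` / `LOGIN OK from ... for ...`) is an assumption, not BusyBox's exact wording; adapt `LINE_RE` to your telnetd's output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample; the message wording is assumed for this example.
SAMPLE_LOG = """\
Mar 20 21:10:01 dvr login[311]: FAILED LOGIN from 198.51.100.7 for root on pts/0
Mar 20 21:10:02 dvr login[311]: FAILED LOGIN from 198.51.100.7 for admin on pts/0
Mar 20 21:10:03 dvr login[311]: FAILED LOGIN from 198.51.100.7 for root on pts/0
Mar 20 21:10:04 dvr login[311]: FAILED LOGIN from 198.51.100.7 for support on pts/0
Mar 20 21:10:05 dvr login[312]: LOGIN OK from 198.51.100.7 for root on pts/0
Mar 20 21:15:00 dvr login[340]: FAILED LOGIN from 192.0.2.9 for root on pts/1
Mar 20 21:30:00 dvr login[350]: LOGIN OK from 192.0.2.10 for admin on pts/1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: "
    r"(?P<result>FAILED LOGIN|LOGIN OK) from (?P<src>[\d.]+) for (?P<user>\S+)"
)

def parse(log, year=2017):
    """Return (timestamp, source_ip, username, success) tuples.
    Syslog omits the year, so it is supplied by the caller."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not login events
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], m["user"], m["result"] == "LOGIN OK"))
    return events

def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Map source IP -> 'bruteforce' if it produced at least `threshold`
    failed logins inside `window`, or 'compromised' if a successful login
    from the same source follows that burst."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        failures = [e[0] for e in evs if not e[3]]
        for i in range(len(failures) - threshold + 1):
            burst_end = failures[i + threshold - 1]
            if burst_end - failures[i] <= window:
                later_success = any(e[3] and e[0] >= burst_end for e in evs)
                findings[src] = "compromised" if later_success else "bruteforce"
                break
    return findings
```

On a real device the same logic can be fed from `logread` output; a "compromised" verdict is the cue to pull the device offline and reflash it, since the page notes BrickerBot wipes storage once it is in.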