The author of BrickerBot, which “bricks” IoT devices by rewriting the flash storage space and wiping files, has emerged to explain that the malware first attempts to secure the units without damaging them.
Failing that, it reverts to “plan B”, i.e. actions that result in the device being rendered temporarily or permanently unusable.
He also claims that since the malware was deployed – sometime before January 2017 – it has bricked over two million of IoT devices.
“I’m by no means claiming credit for Mirai being weak in Q1/2017, but if Imeij and Amnesia have suffered a little recently then it’s probably mainly my fault,” he says.
The BrickerBot author explains himself
Janit0r, as he called himself on Hack Forums (and which he claims to have joined to see if his activities “had been noticed by the botnet kids”), says that he disseminated the malware in an attempt to make the creation of million-device botnets more difficult.
“Besides getting the number of IoT DDoS bots to a manageable level my other key goal has been to raise awareness. The IoT problem is much worse than most people think, and I have some alarming stories to tell,” he shared with Catalin Cimpanu.
“Like so many others I was dismayed by the indiscriminate DDoS attacks by IoT botnets in 2016. I thought for sure that the large attacks would force the industry to finally get its act together, but after a few months of record-breaking attacks it became obvious that in spite of all the sincere efforts the problem couldn’t be solved quickly enough by conventional means,” he explained the frustration that lead to the creation and deployment of the malware.
“I hope the unconventional actions by ‘BrickerBot’ have helped in buying another year of time for governments, vendors and the industry in general to get the current IoT security nightmare under control,” he noted. “At least with ‘BrickerBot’ there was some brief hope that such dangerous devices could become the merchant’s and manufacturer’s problem rather than our problem.”
Despite the destructiveness of the malware, he apparently does not plan to stop his crusade for the time being. He obviously does not consider himself to be a blackhat, but likens himself to other people who have “done important things to combat IoT malware”: the Hajime worm author and the Wifatch author(s?).
We may never know who he is, as he is going to great lengths to keep his identity hidden, but his good intentions seem to be credible (even though that won’t mean much to users who’s devices were hit). According to Cimpanu, Janit0r has been sharing information about the malware with various CERTs (security researcher Victor Gevers acted as a intermediary).
ICS-CERT has recently published an alert regarding the threat, and have advised users to change their device’s device’s factory default credentials and disable Telnet access to it in order to keep secure. They are also working to identify vendors of affected IoT devices in order to collect product-specific mitigations and compensating controls.