Silex is a new strain of very dangerous IoT malware that was just detected by security researchers. The malware is similar to BrickerBot which attacked more than 60,000 Internet devices in several states in India.
Silex IoT Malware: What we know so far
Silex is highly destructive and can effectively destroy the devices it targets. The malware was first spotted by Akamai researcher Larry Cashdollar, who says that it can trash an IoT device’s storage, drop firewall rules, remove the network configuration, and halt the device altogether. It should be noted that the IP address 185[.]162[.]235[.]56, linked to the attacks, is hosted on a VPS server owned by novinvps.com, which is operated out of Iran.
The only way for victims to recover from the attack is to manually reinstall the firmware, which is not an easy task for the average consumer. Researchers therefore expect that many victims of Silex will simply throw away their compromised devices, assuming a hardware fault rather than a malware attack.
Apparently, the malware has bricked more than 2,000 devices in just a few hours. Researchers are continuing to observe new infections.
In an interview with the malware’s creator, ZDNet learned that Silex attacks are going to become more frequent in the coming days. The number of bricked devices quickly jumped from 350 to 2,000. “Attacks are still ongoing, and according to an interview with the malware’s creator, they are about to intensify in the coming days,” ZDNet said.
Another researcher, Ankit Anubhav, successfully traced Silex’s creator and confirmed that the malware was specifically designed to brick the compromised IoT devices. Notably, Anubhav believes the malware was developed by a teenager using the nickname Light Leafon, who allegedly developed another IoT botnet known as ITO.
As for Akamai’s Cashdollar, he believes the malware uses a list of known default credentials to log in and carry out its malicious activities. Silex writes random data from /dev/random to any mounted storage it finds. “I see in the binary it’s calling fdisk -l which will list all disk partitions. It then writes random data from /dev/random to any partitions it discovers,” Cashdollar explained.
Its malicious capabilities include deleting network settings and other data found on the device, then flushing all iptables entries before halting or rebooting it. Worse, Silex may also be capable of bricking Linux servers with Telnet ports open and known credentials in place. The motivation behind the attacks remains unknown.
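As an added illustration (not code from the article or from Akamai’s research), the following Python sketch checks a command log from a Telnet honeypot or shell audit against the behaviour sequence Cashdollar describes: disk enumeration with fdisk -l, writes from /dev/random to a partition, removal of network configuration, an iptables flush, and a halt. The log format, stage names, threshold and configuration paths are assumptions, and the sample log is constructed.

```python
import re
from collections import OrderedDict

# Each stage is one behaviour the article attributes to Silex. Labels and regexes
# are my own; the "overwrite_storage" pattern assumes the write shows up as a
# command naming both /dev/random and a block device (the article does not say
# exactly how the write is issued), and the config paths are assumptions too.
STAGES = [
    ("enumerate_disks", re.compile(r"\bfdisk\s+-l\b")),
    ("overwrite_storage", re.compile(r"/dev/random\b.*/dev/(sd|hd|mmcblk|nvme)")),
    ("drop_network_config", re.compile(r"\brm\b.*/etc/(network|resolv\.conf|hosts)")),
    ("flush_firewall", re.compile(r"\biptables\s+(-F|--flush)\b")),
    ("halt_device", re.compile(r"\b(halt|reboot|poweroff)\b")),
]

# Constructed honeypot-style log, one command per line: "<timestamp> <src_ip> <command>".
# 198.51.100.7 plays the attacker; 192.0.2.10 is an administrator doing routine checks.
SAMPLE_LOG = """\
2019-06-25T14:02:11Z 198.51.100.7 fdisk -l
2019-06-25T14:02:12Z 198.51.100.7 cat /dev/random > /dev/mmcblk0p1
2019-06-25T14:02:13Z 198.51.100.7 rm -rf /etc/network/interfaces
2019-06-25T14:02:13Z 198.51.100.7 iptables -F
2019-06-25T14:02:14Z 198.51.100.7 halt
2019-06-25T14:05:40Z 192.0.2.10 fdisk -l
2019-06-25T14:05:55Z 192.0.2.10 iptables -L -n
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<cmd>.*)$")


def stages_by_source(log_text):
    """Map each source IP to the Silex-like stages seen, in order of first appearance."""
    seen = OrderedDict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not follow the assumed format
        stages = seen.setdefault(m["ip"], [])
        for name, pattern in STAGES:
            if pattern.search(m["cmd"]) and name not in stages:
                stages.append(name)
    return seen


def flag_sessions(log_text, min_stages=3):
    """Return sources showing at least min_stages distinct stages; a lone
    'fdisk -l' from an administrator is not enough to trip the rule."""
    return {ip: st for ip, st in stages_by_source(log_text).items() if len(st) >= min_stages}


if __name__ == "__main__":
    for ip, st in flag_sessions(SAMPLE_LOG).items():
        print(f"{ip}: Silex-like sequence {st}")
```

Alerting on the sequence rather than on any single command keeps routine administration (listing disks, inspecting firewall rules) from raising noise while still catching the destructive chain early enough to pull a device off the network before the halt.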