Brickerbot: and You will know It by the Trail of Linux Devices

In-brief: new botnets, dubbed “Brickerbot” were first spotted in recent weeks conducting what Radware termed “permanent denial of service” attacks: compromising and then destroying data on vulnerable connected endpoints. 

The security firm Radware is warning about a pair of new and destructive botnets that are crippling Internet-exposed Linux devices across the globe.

The new programs, dubbed “Brickerbot” were first spotted in recent weeks conducting what Radware termed “PDoS” attacks – for “permanent denial of service.” After locating exposed Linux devices, including so-called “Internet of Things” endpoints that run Linux packages like BusyBox. The botnet mirrors many of the behaviors of the Mirai botnet, but appears to be simply destructive, seeking to wipe out vulnerable, Internet connected endpoints rather than co-opting them into a malicious botnet, as Mirai did.

Radware said it detected two variants of the BrickerBot malware, dubbed BrickerBot.1 and BrickerBot2. Both appeared within hours of each other and launched thousands of attacks against a test “honeypot” system Radware had deployed. Over a four-day period, Radware recorded 1,895 attack attempts performed from several locations around the world. The sole purpose of the attacks was to compromise the deployed Internet of Things devices and “corrupt their storage” using a series of Linux commands, Radware reported.


Get the New 2017 SANS Research Report on 'Threat Hunting' -- Written by experts from the SANS Institute, the survey reveals a number of interesting data points about the challenges and benefits of threat hunting.


Like Mirai, the Bricker Bot targeted vulnerable communications ports on deployed and Internet accessible devices. The malware, which was run from a network of compromised networking devices manufactured by Ubiquity, carried out brute force password guessing attempts on Telnet services enabled on the device. The first attempted username/password pair tried by the malware was root/root and  root/vizxv, Radware reported.

On devices that are successfully hacked, the bot performs a series of Linux commands that corrupt data stored on the device and commands that disrupt Internet connectivity and performance and then wipe all files on the device.

Devices attacked by Brickbot.1 were all running the Busybox software, a package comprising a stripped down version of the Linux operating system and utilities that is popular for use with connected “Internet of Things” devices. The targeted IoT devices all had their Telnet port open and exposed publicly on the Internet – similar to the devices targeted by Mirai or related IoT botnets.

The attacks were launched from devices connecting over the ToR anonymity network, so little is known about their real location. However, the devices launching the attack were similarly exposing port 22 (SSH) and running an older version of the Dropbear SSH server. Most of the devices were identified by Shodan as Ubiquiti network devices including wireless access points and bridges, Radware wrote.

Radware recommends that owners of potentially vulnerable devices change the device’s factory default credentials and disable Telnet access to the device to prevent attacks.

Security Ledger wants to hear your thoughts! Leave a reply.