Permanent Denial Of Service Attack

Permanent.  As in dead.

Researchers at Radware have discovered malware in the wild that seems to be a variant of the Mirai botnet from a few months ago.  Like Mirai, it goes after poorly secured Linux-based network devices like routers.

Only this time, when it finds one, it kills it.  As in dead.  As in time to buy a new one.

The malware, named BrickerBot.1 and later BrickerBot.2, finds network devices that still have their factory default passwords after being connected to the Internet, or that offer other default ways in, such as hard-coded telnet passwords with telnet enabled.

This seems to be a work in progress since BrickerBot.2 attacks a much wider range of devices than BrickerBot.1.

But what it does after it finds a device is what counts.

It corrupts the memory of the device, meaning it won’t boot any more.

It removes the Internet gateway address from the device, so it won’t connect to the Internet.

It limits the number of Linux kernel threads to 1, which means only one thing can occur in the operating system at a time.  Typically, depending on the computer, you might have 10, 20 or more processes running concurrently.

The net effect of this is that without a whole lot of work, which most users are not sufficiently skilled to do, the only thing a user can do is put the device in the trash and buy another one.

If they do buy another one and don’t change the default password, it could get hit again.
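
Two of the effects described above, the removed gateway and the thread limit of 1, can be checked on a device that is still running. The following Python check is an added example, not code from Radware or from the original post; it assumes the thread limit corresponds to /proc/sys/kernel/threads-max, and the threshold of 64 and the sample routing tables are constructed for illustration.

```python
# Added example: flag two BrickerBot symptoms from the post on a Linux device.
# Assumption: the "kernel threads" limit is /proc/sys/kernel/threads-max.
RTF_UP, RTF_GATEWAY = 0x1, 0x2  # route flag bits used in /proc/net/route
MIN_THREADS = 64                # hypothetical alert threshold, tune per device

HEADER = "Iface Destination Gateway Flags RefCnt Use Metric Mask MTU Window IRTT\n"
LAN = "eth0 0001A8C0 00000000 0001 0 0 0 00FFFFFF 0 0 0\n"
DEFAULT = "eth0 00000000 0101A8C0 0003 0 0 0 00000000 0 0 0\n"
# Constructed samples: a healthy table and one with the default route removed.
HEALTHY_ROUTES = HEADER + DEFAULT + LAN
STRIPPED_ROUTES = HEADER + LAN


def has_default_gateway(route_table):
    """True if the table has an active 0.0.0.0/0 route through a gateway."""
    for line in route_table.splitlines()[1:]:  # skip the column header
        fields = line.split()
        if len(fields) < 8:
            continue  # truncated row
        try:
            dest, gateway, flags, mask = (int(fields[i], 16) for i in (1, 2, 3, 7))
        except ValueError:
            continue  # damaged row
        wanted = RTF_UP | RTF_GATEWAY
        if dest == 0 and mask == 0 and gateway != 0 and (flags & wanted) == wanted:
            return True
    return False


def check_device(route_table, threads_max):
    """Return a list of findings; an empty list means neither symptom is present."""
    findings = []
    if not has_default_gateway(route_table):
        findings.append("no default gateway")
    try:
        limit = int(threads_max.strip())
    except ValueError:
        findings.append("thread limit unreadable")
    else:
        if limit < MIN_THREADS:
            findings.append(f"thread limit is {limit}")
    return findings


if __name__ == "__main__":
    with open("/proc/net/route") as r, open("/proc/sys/kernel/threads-max") as t:
        for finding in check_device(r.read(), t.read()):
            print("WARNING:", finding)
```

Run on the device itself, it reads the live files; the two functions also accept text collected from a device by other means.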

One possibility is that this warped person is motivated to get people to be more security conscious: if you wind up having to replace your Internet router 2, 3, or 4 times, after a while you will probably think that it is time to improve your security.

Another possibility is that the person or persons are just trying to create a little chaos.

What this weirdo is definitely doing is creating a new acronym.  Like DoS and DDoS (Denial of Service and Distributed Denial of Service), this person is creating a PDoS – a Permanent Denial of Service.

In March, the folks at Radware built a honeypot for this malware, and it was attacked 2,250 times over a FOUR-day period.  In Internet terms, 2,250 is a minor annoyance that no one is going to worry about.

However, if the hacker is still in the development stage and was just testing it, things could get very interesting if and when the hacker goes into “production” mode.

This is all speculation at this point.  What the researchers did see is that the 2,250 attacks came from all over the world.  This is an indication of someone who is building something to scale up and be hard to stop.

Let’s say the attacker has a thousand servers scattered across the globe (of course, they are all servers that have been hacked), in lots of countries including ones not friendly to us, and decides to start hunting for these poorly configured devices and killing them.  That could, potentially, take out – as in PERMANENTLY take out – a million devices before anyone is much the wiser, never mind understands what is happening and how to stop a thousand – or maybe ten thousand – servers across the globe.

Let’s hope that is not the plan.  But just in case, make sure that you have disabled the default passwords and turned off unneeded services like telnet and SSH.

If not, you, too, could be the owner of a bright, shiny, tech-brick.  A new term I just invented.

Information for this post came from Ars Technica.
