IoT malware wipes data from infected systems

08 Apr 2017


Hackers have started incorporating data-wiping routines into malware designed to infect internet-of-things and other embedded devices. The behaviour was seen in two recent attacks, though likely for different purposes.

Researchers from Palo Alto Networks identified a new malware program called Amnesia that infects digital video recorders through a year-old vulnerability.

Amnesia is a variation of an older IoT botnet client called Tsunami, but what makes it interesting is that it attempts to detect whether it is running inside a virtualised environment.

The malware conducts a number of checks to determine whether the Linux environment it runs in is actually a virtual machine based on VirtualBox, VMware, or QEMU. Such environments are commonly used by security researchers to build analysis sandboxes or honeypots.

Virtual machine detection has been a part of Windows malware programs for years, but this is the first time the feature has been observed in malware built for Linux-based embedded devices. If Amnesia detects the presence of a virtual machine, it attempts to wipe critical directories from the file system using the Linux "rm -rf" shell command, so as to destroy any evidence the researchers might have collected.
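Because a VM-aware sample like Amnesia wipes the guest once it recognises a hypervisor, a sandbox or honeypot operator wants to know what their own environment gives away before detonating anything. The following self-audit is an added example, not code from the article or from the Palo Alto Networks analysis, and the article does not say which checks Amnesia actually performs. The artifact locations it inspects (DMI vendor/product strings under /sys/class/dmi/id and the `hypervisor` CPU flag in /proc/cpuinfo) and the indicator strings for VirtualBox, VMware and QEMU are this example's own assumptions about where a guest commonly reveals itself.

```python
"""Self-audit of a Linux analysis sandbox or honeypot for hypervisor artifacts.

Added example; it is not code from the article or from the Palo Alto Networks
analysis, and the article does not say which checks Amnesia performs. The
artifact locations used here (DMI vendor/product strings under
/sys/class/dmi/id and the 'hypervisor' CPU flag in /proc/cpuinfo) are this
example's own assumptions about where a VirtualBox, VMware or QEMU guest
commonly reveals itself.
"""

# Substrings that each of the three hypervisors named in the article commonly
# leaves in a guest's DMI fields (assumed indicator list, lower-case).
DMI_INDICATORS = {
    "VirtualBox": ("virtualbox", "innotek"),
    "VMware": ("vmware",),
    "QEMU": ("qemu", "bochs", "i440fx", "q35"),
}

# sysfs files a sandbox operator would inspect (assumed paths).
DMI_FILES = (
    "/sys/class/dmi/id/sys_vendor",
    "/sys/class/dmi/id/product_name",
    "/sys/class/dmi/id/board_vendor",
    "/sys/class/dmi/id/bios_vendor",
)


def classify_dmi(text):
    """Return the set of hypervisor names whose indicators appear in one DMI string."""
    lowered = text.lower()
    return {hv for hv, needles in DMI_INDICATORS.items()
            if any(needle in lowered for needle in needles)}


def cpuinfo_has_hypervisor_flag(cpuinfo_text):
    """True if any 'flags' line of /proc/cpuinfo-style text lists 'hypervisor'."""
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "flags" and "hypervisor" in value.split():
            return True
    return False


def audit(dmi_values, cpuinfo_text):
    """Combine both checks into a report a sandbox operator can act on.

    dmi_values: contents of the DMI files; cpuinfo_text: contents of /proc/cpuinfo.
    """
    hypervisors = set()
    for value in dmi_values:
        hypervisors |= classify_dmi(value)
    cpu_flag = cpuinfo_has_hypervisor_flag(cpuinfo_text)
    return {
        "hypervisors": hypervisors,
        "cpu_flag": cpu_flag,
        "exposed": bool(hypervisors) or cpu_flag,
    }


def read_if_present(path):
    """Read a file, returning '' where it does not exist (non-Linux hosts, containers)."""
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return ""


if __name__ == "__main__":
    report = audit([read_if_present(p) for p in DMI_FILES],
                   read_if_present("/proc/cpuinfo"))
    if report["exposed"]:
        print("sandbox fingerprint exposed:",
              ", ".join(sorted(report["hypervisors"])) or "(no DMI match)",
              "| cpuinfo hypervisor flag:", report["cpu_flag"])
        print("a VM-aware sample such as Amnesia would see this and may wipe the guest;"
              " snapshot before detonation and mask these fields")
    else:
        print("no hypervisor artifacts found in the checked locations")
```

Run it inside the guest before the first detonation; any match is a reason to take a snapshot first and to mask the DMI strings, since the sample's response to a match, as described above, is to destroy the evidence you are trying to collect.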

Meanwhile, researchers from Radware, a security services provider, discovered a different malware attack targeting IoT devices, which they dubbed BrickerBot. BrickerBot worked through compromised routers and wireless access points against other Linux-based embedded devices.

Radware says in an article on its site:

The Bricker Bot PDoS attack used Telnet brute force - the same exploit vector used by Mirai - to breach a victim's devices. Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but was able to record that the first attempted username/password pair was consistently 'root'/'vizxv.'

Upon successful access to the device, the PDoS bot performed a series of Linux commands that would ultimately lead to corrupted storage, followed by commands to disrupt Internet connectivity, device performance, and the wiping of all files on the device.
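The one concrete indicator Radware gives is that every BrickerBot session opened with the same default credential pair. For a defender running a Telnet honeypot or collecting device login logs, that first pair is the signal worth alerting on. The script below is an added example, not code from the article or from Radware; its log format is constructed for this example (a hypothetical honeypot writing one line per login attempt), and of the credential pairs in its list only `root`/`vizxv` comes from the article, the others being placeholders for a defender's own default-credential inventory.

```python
"""Flag Telnet default-credential brute force in honeypot login logs.

Added example; it is not code from the article or from Radware. The log
format is constructed for this example (a hypothetical Telnet honeypot writing
one line per login attempt). Of the credential pairs below, only 'root'/'vizxv'
comes from the article; the others are illustrative placeholders for a
defender's own default-credential list.
"""
import re
from collections import defaultdict

# Username/password pairs treated as IoT default-credential probing.
KNOWN_DEFAULTS = {
    ("root", "vizxv"),   # first pair Radware saw in every BrickerBot attempt
    ("admin", "admin"),  # placeholder
    ("root", "root"),    # placeholder
}

# Constructed format: "<timestamp> telnet src=<ip> user=<u> pass=<p> result=<ok|fail>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) telnet src=(?P<src>\S+) user=(?P<user>\S*) "
    r"pass=(?P<pw>\S*) result=(?P<result>ok|fail)$"
)

# Constructed sample: one source cycling through defaults, one doing ordinary failed logins.
SAMPLE_LOG = """\
2017-04-08T10:00:01Z telnet src=198.51.100.7 user=root pass=vizxv result=fail
2017-04-08T10:00:02Z telnet src=198.51.100.7 user=admin pass=admin result=fail
2017-04-08T10:00:03Z telnet src=198.51.100.7 user=root pass=root result=ok
2017-04-08T10:00:09Z telnet src=203.0.113.5 user=operator pass=hunter2 result=fail
2017-04-08T10:00:10Z telnet src=203.0.113.5 user=operator pass=hunter3 result=fail
"""


def parse_events(text):
    """Yield one dict per well-formed line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def summarise(text):
    """Per-source counters: attempts, default-credential hits, successes, first pair tried."""
    per_src = defaultdict(lambda: {"attempts": 0, "default_hits": 0,
                                   "successes": 0, "first_pair": None})
    for ev in parse_events(text):
        s = per_src[ev["src"]]
        pair = (ev["user"], ev["pw"])
        s["attempts"] += 1
        if s["first_pair"] is None:
            s["first_pair"] = pair
        if pair in KNOWN_DEFAULTS:
            s["default_hits"] += 1
        if ev["result"] == "ok":
            s["successes"] += 1
    return dict(per_src)


def alerts(text, burst_threshold=5):
    """Return (src, reason) tuples for sources that look like IoT credential scanning.

    A single default-credential attempt is enough to alert: the article notes
    BrickerBot opened every session with 'root'/'vizxv', so the first pair is
    the most valuable signal. Plain volume is a weaker, secondary trigger.
    """
    out = []
    for src, s in sorted(summarise(text).items()):
        if s["default_hits"]:
            sev = "HIGH" if s["successes"] else "MEDIUM"
            out.append((src, f"{sev}: {s['default_hits']} default-credential attempt(s), "
                             f"first pair {s['first_pair']}, {s['successes']} success(es)"))
        elif s["attempts"] >= burst_threshold:
            out.append((src, f"LOW: {s['attempts']} failed logins, no known defaults"))
    return out


if __name__ == "__main__":
    for src, reason in alerts(SAMPLE_LOG):
        print(src, reason)
```

A successful login after a default-credential attempt is rated HIGH because, per the Radware description above, the commands that follow a BrickerBot login corrupt storage and wipe the device; the time to isolate the device is before those commands run, not after the next outage report.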
