details

Silex — a malware created by teens — bricks IoT devices

Examining binary samples collected from my honeypot, I see Silexbot calling fdisk -l which will list all disk partitions. Using that list, Silexbot then writes random data from /dev/random to any of the partitions it discovers… Based on code examinations, it is possible that Silexbot uses an alternative method of discovery if the fdisk command isn’t available. While we have not seen concrete proof of this code functioning, within the binary the commands exist for Silexbot to read mounted file systems from /proc/mounts and write to them using mtd_write:… Then it deletes network configurations, flushes iptables and adds an additional rule that DROPS all connections, before finally halting the device… Silexbot also uses rm -rf /, which will delete anything it has missed… Finally, Silexbot will halt and reboot the device.

Read more…