The Silex and the Fury: New Malware Tries to Destroy IoT Devices

 By Patrick Gebhardt
Aug 15, 2019 • 4 minute read

A new malware called Silex is targeting IoT devices. The software does not want to take the devices over, in order to use them for DDoS attacks, but rather wants them to malfunction and shut down.

👦 Anyone who says that today's youth is generally weird is wrong in 99% of cases and should be ashamed to have become such an embarrassing old person. The remaining 1% is reserved for kids like "Light Leafon". The 14-year-old hacker, who developed Silex under this pseudonym (according to most sources alone) and who has made his first appearance through the creatorship of the botnet "HITO", is quite happy with his achievement and announced that he wants to continue working on the malware until it has the functionality of Brickerbot*. In fury and confusion, the IoT users of this world have already launched initiatives on the Internet to find this boy a girlfriend. Which sounds like an appropriate strategy.

☠️ According to reports, Silex destroyed over two tousand devices in a matter of hours. The malware was discovered by security researcher Larry Cashdollar. Silex acts similarly to Brickerbot: it tries to log on to the IoT devices with standard access data. If it succeeds, it starts overwriting the drives with random data. In addition, it deletes the firewall rules and then turns off the device. In that way the IoT devices are made unusable. For the normal user, it looks like a hardware defect (which makes it difficult to determine the total number of affected devices). Poorly secured Linux servers could also become victims of Silex, as long as they can be reached via Telnet access with default access data.

i * Brickerbot... which damaged or destroyed two million unsafe IoT devices in 2017, is the model for Silex. The Brickerbot family of malware was first discovered by Radware in April 2017, when Brickerbot attacked their honeypot almost 1,900 times over four days. Brickerbot attempted to permanently destroy ("brick") insecure Internet of Things devices. It logged into poorly-secured devices and ran harmful commands to disable them.

 

At the beginning, there were many indications that the distribution took place via an Iranian server, but this is no longer certain. Light Leafon has indicated that he intends to add further features, such as attack options via SSH and the use of exploits instead of default access data. This would negate the currently effective protection measures, such as closing the Telnet port and changing the manufacturer's default credentials.

The IP address of the Silex command and control server is now blacklisted by URLhaus. A sample of Silex is available at VirusTotal.