
BrickerBot

2025-02-25 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

The bot accessed the device over Telnet using the default username/password root/vizxv.

Radware further details what the malicious program does once it has successfully accessed a device and gained privileges:

The PDoS bot immediately executes a series of Linux commands that corrupt the device's storage.

It then issues commands that degrade device performance, break network connectivity, and erase all files on the device.

According to Radware's researchers, the BrickerBot attack targets captured by its honeypot were Linux/BusyBox-based IoT devices with Telnet ports open and exposed to the public Internet, the same class of devices Mirai targeted last October.

Summary of the main points of the original article

Target devices similar to Mirai's.

PDoS/Phlashing: permanent denial of service that damages the firmware. The only remedy is to replace the hardware or reinstall the firmware.

Within four days, Radware's honeypot recorded 1,895 PDoS attempts from around the world.

Two attack paths were observed (Internet for BrickerBot.1, TOR for BrickerBot.2), starting about one hour apart. BrickerBot.2 also executes PDoS commands.

Logs in to Telnet by brute force. Without a sample the complete dictionary cannot be obtained; only the first attempted username/password pair was recorded: root/vizxv.

BrickerBot.1 executes destructive commands: corrupt storage, damage network connectivity, degrade device performance, and erase all files on the device.

The storage corruption targets the special devices /dev/mtd and /dev/mmc:

/dev/mtd: Memory Technology Device, a special device type that matches the characteristics of raw flash.

/dev/mmc: MultiMediaCard, a special device type that matches the memory-card standard, a solid-state storage medium.

Reconfigures kernel parameters: disables TCP timestamps and limits the maximum number of kernel threads.

Targets: Linux/BusyBox-based Internet of Things devices with Telnet ports open to the Internet.

BrickerBot.1 attack sources: devices exposing port 22 and running an older version of the Dropbear SSH service, which Shodan identifies as Ubiquiti network devices.

For BrickerBot.2, 333 PDoS attempts with different commands were recorded over the same period. The attack source could not be located, and the attacks are still continuing. The first login credentials tried were root/root and root/vizxv, followed by the destructive commands summarized below.

BrickerBot.2's commands are more thorough and targeted than BrickerBot.1's, and do not rely on BusyBox.

Threat

The final command sequence is the same as the PDoS described earlier: it attempts to delete the default gateway, wipe the device with rm -rf /*, disable TCP timestamps, and limit the maximum number of kernel threads to one. Alongside the storage-corruption commands, BrickerBot.2 adds commands that flush all iptables firewall and NAT rules and installs a rule that drops all outgoing packets.

BrickerBot.1 has stopped and BrickerBot.2 is continuing.
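As an added example (not code from this article or from Radware's report), the following Python rules scan the shell command lines captured in a Telnet honeypot session and flag the PDoS behaviours summarized above: writes into /dev/mtd* and /dev/mmc*, rm -rf /*, deletion of the default gateway, the TCP-timestamp and threads-max sysctl changes, and the iptables flush and outbound DROP rule attributed to BrickerBot.2. It also records whether the session logged in with one of the two credential pairs the article names and whether the commands go through the busybox binary, which the article gives as a difference between the two variants. The regexes, the session transcripts and the credential list are constructed for this example; the sample commands are modeled on the article's description, not copied from the malware.

```python
"""Added example: flag BrickerBot-style PDoS command sequences in Telnet honeypot
sessions. Rules, sessions and credential list are constructed for this example."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Indicator:
    name: str
    pattern: re.Pattern


# One rule per behaviour the article attributes to the PDoS payload. The regexes
# are this example's assumptions about how such commands appear in a transcript.
INDICATORS = [
    # shell redirect or dd of= into the raw flash / memory-card devices
    Indicator("storage_corruption", re.compile(r"(>\s*|\bof=)/dev/(mtd|mmc)\w*")),
    Indicator("filesystem_wipe", re.compile(r"\brm\s+-rf\s+/\*?(\s|$)")),
    Indicator("gateway_removal", re.compile(r"\broute\s+del\s+default\b")),
    Indicator("tcp_timestamps_off", re.compile(r"net\.ipv4\.tcp_timestamps\s*=\s*0\b")),
    Indicator("threads_max_one", re.compile(r"kernel\.threads-max\s*=\s*1(\s|$)")),
    Indicator("iptables_flush", re.compile(r"\biptables\b(\s+-t\s+nat)?\s+-F\b")),
    Indicator("outbound_drop", re.compile(r"\biptables\b.*\s-A\s+OUTPUT\b.*\s-j\s+DROP\b")),
]

# The two credential pairs named in the article.
DEFAULT_CREDENTIALS = {("root", "vizxv"), ("root", "root")}

# A hit on either of these alone means the device is being bricked.
DESTRUCTIVE = {"storage_corruption", "filesystem_wipe"}


def scan_commands(commands):
    """Return the set of indicator names matched by any command line."""
    return {ind.name for cmd in commands for ind in INDICATORS if ind.pattern.search(cmd)}


def uses_busybox(commands):
    """True if any command is invoked through the busybox multi-call binary
    (the article notes BrickerBot.1 relies on it and BrickerBot.2 does not)."""
    return any(re.match(r"\s*busybox\b", cmd) for cmd in commands)


def classify_session(session):
    """Classify one honeypot session: (default_credentials_used, hits, verdict)."""
    cred_hit = (session["user"], session["password"]) in DEFAULT_CREDENTIALS
    hits = scan_commands(session["commands"])
    if hits & DESTRUCTIVE:
        verdict = "pdos"
    elif hits:
        verdict = "suspicious"
    else:
        verdict = "benign"
    return cred_hit, hits, verdict


# Constructed sessions modeled on the article's description (not real captures).
SESSION_BRICKERBOT1 = {
    "user": "root", "password": "vizxv",
    "commands": [
        "busybox cat /dev/urandom >/dev/mtd0 &",
        "busybox cat /dev/urandom >/dev/mmcblk0 &",
        "busybox route del default",
        "busybox sysctl -w net.ipv4.tcp_timestamps=0",
        "busybox sysctl -w kernel.threads-max=1",
        "busybox rm -rf /*",
    ],
}
SESSION_BRICKERBOT2 = {
    "user": "root", "password": "root",
    "commands": [
        "dd if=/dev/urandom of=/dev/mtd0",
        "route del default",
        "iptables -F",
        "iptables -t nat -F",
        "iptables -A OUTPUT -j DROP",
        "sysctl -w net.ipv4.tcp_timestamps=0 kernel.threads-max=1",
        "rm -rf /*",
    ],
}
SESSION_BENIGN = {
    "user": "admin", "password": "S3cure!pass",
    "commands": ["uptime", "cat /proc/cpuinfo", "rm -rf /tmp/cache"],
}

if __name__ == "__main__":
    for name, sess in [("bb1", SESSION_BRICKERBOT1), ("bb2", SESSION_BRICKERBOT2), ("benign", SESSION_BENIGN)]:
        cred, hits, verdict = classify_session(sess)
        print(f"{name}: default_creds={cred} verdict={verdict} "
              f"busybox={uses_busybox(sess['commands'])} hits={sorted(hits)}")
```

The storage rule is deliberately broader than the article's two device names: any redirect or dd target under /dev/mtd* or /dev/mmc* counts, since a raw write of /dev/urandom into a flash partition is the bricking step regardless of the exact partition number. A benign rm -rf on a subdirectory does not trigger the wipe rule; only rm -rf / or rm -rf /* does.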
