In early April of 2017 specialists of the company Radware found IoT malware BrickerBot. It has very strange behavior. Malware attacked Linux BusyBox devices, and during the first phase of the attack BrickerBot acted exactly same like Mirai, Hajime, LuaBot and other IoT malware. It performed dictionary attack, so, it brute-forced the device through Telnet, trying to pick up credentials.
However, if BrickerBot managed to get into the system, it deliberately turned device into a useless brick, damaging the core and making it impossible to use. This happened to attract the attention of ICS-CERT, last week specialists of the Ministry of Security encouraged companies and organizations to disable Telnet and SSH on their devices, and also advised to reset the device to factory settings.
In early April the researchers came to the conclusion that by this way the author of malware trying to teach owners of vulnerable devices and make the Internet safer. It is worth noting that such threats are not unusual: to draw attention to the security issues previously tried by the authors of malware Wifatch and Hajime, but of course without using such radical methods.
Journalists of Bleeping Computer said that even over the weekend anonymous tip to the author BrickerBot was sent to them, putting on the profile of the user with the nickname janit0r on the website Hack Forums. While understanding that every second hacker will want to declare himself as author of BrickerBot soon, journalists first ignored this information. However, no one else was in hurry to declare that he is the Creator of BrickerBot. So this case prompted employers of the edition to consider the profile janit0r more closely.
It turned out that the user was registered on 21 January 2017, as the time zone he indicated Alaska, and since that time he written only four posts. However, this message is ultimately interested researchers. For example, janit0r written that he “killed” more than 200 000 Telnet devices, starting in November 2016, in the discussion about quantity of bots Mirai. And it was two months before BrickerBot was found.
Another message was also written before BrickerBot was became known around the world. Janit0r commented on vulnerability in the IP cameras Dahua second and third generations. And the fact that the person who discovered the bugs did not publish the exploit, giving the manufacturer the opportunity to fix the problem. Janit0r strongly condemned his “colleague” and he explained how to operate vulnerability which was found in cameras.
Last post of janit0r was quite fresh, it was dated April 14, 2017. This post was response to the user who claimed about the leak of source codes of BrickerBot. Janit0r responded quickly, he said that contrary to rumors and joked that if anyone will stole the source codes from his computer, he will be already in jail.
Finding this message, journalists of Bleeping Computer for several days were trying to gather more information about janit0r, but were unable to find almost anything. In desperation, they putted post in Twitter, asking the author of BrickerBot to get in touch. Oddly enough, it worked, and the developer of malware really got in touch with the publication.
The letter contained many details about the operations of BrickerBot and its internal structure. However, Victor Gevers the head of the GDI.foundation and well-known security expert) also contacted with publication. In early April when experts of Radware just found BrickerBot, Gevers also appealed to the author of malware from the pages of Bleeping Computer and asked him to get in touch.
As it turned out, the author of malware responded and contacted with Gevers (nobody knew about that until today). It turned out that all this time Gevers acted as mediator between janit0r and specialist CERT, and the developer of malware provided Gevers the same information which he sent to journalists. All this allowed to confirm that janit0r is really the author of BrickerBot.
Letter from the hacker began with the words: “Yes, I’m janit0r on Hackforums” and then he explained in detail why he created BrickerBot. As predicted by the researchers, janit0r decided to draw attention to the problems of the Internet.
The Hacker told that that chaos is happening now in the Internet, and the companies, which make IoT device, often not even knowing the basics of information security. As an example janit0r told that the IP camera Avtech, 9 of 10 can be compromised using the credentials admin/admin.
According to janit0r, he registered at Hack Forums to see if anyone will notice any of his activity. According to his statements in January 2017 the number of people affected by BrickerBot devices was 200,000, and today there are more than 2 000 000! Victor Gevers confirmed this numbers, although the expert still believes that the author of BrickerBot is wrong and “lost his way”.
Also during communication with journalists janit0r mentioned that the specialists of the company Radware described BrickerBot not exactly accurate, and in fact, malware is much more complex. According to the developer, we are talking about using 86 protocols and payloads, which are specific to certain devices. Janit0r said that at first BrickerBot tried to help the infected device, fixing vulnerabilities, but companies that were vulnerable did nothing.