In October, an anonymous group of hackers used the Mirai Internet of Things (IoT) botnet, which comprised around 500,000 IoT devices concentrated in China, Hong Kong and South Korea, to launch large-scale DDoS attacks and demand ransom in bitcoin. A hacker from the same group now claims to have infected millions of routers with malware that cannot be removed.
A hacker using the alias “BestBuy” claimed that approximately 3.2 million routers are infected with malware that, according to him, cannot be removed by a firmware update, a factory reset or clearing the device's memory. According to the Motherboard report, the routers were compromised through a server that exploits a router vulnerability and injects the malware. Such a claim is at least plausible in principle: a factory reset on a consumer router normally restores only the configuration partition rather than rewriting the firmware image, so malware written into the firmware itself, which then blocks further firmware updates, would survive both a reset and the vendor's attempts to overwrite it.
“They are ours, even after reboot. They will not accept any new firmware from [Internet Service Provider] or anyone, and connect back to us every time :). Bots that cannot die until u throw device into the trash,” said BestBuy.
To back up his claims, BestBuy also shared a live feed of infected-device check-ins with Motherboard’s Lorenzo Franceschi-Bicchierai. On the morning of December 5 the feed showed around 500,000 infected routers; by the afternoon of the same day it showed 1.3 million, with the count of infected devices growing rapidly.
(Image file is here [for best quality]: https://motherboard-images.vice.com/content-images/contentimage/40224/1481042650539919.png)
However, even during the interview with Motherboard, BestBuy did not explain the motivation behind the attack. As the interview went on, the hacker repeatedly emphasized that users would ultimately have to throw out the infected routers and buy replacements.
Attackers typically prefer ransomware to purposeless malware, so that their “work” at least pays. Had BestBuy infected millions of devices with ransomware, he could have demanded payment in bitcoin or another store of value, as in some of his past operations.
BestBuy stated that he does not intend to launch any further attacks on the infected devices; he merely plans to observe the attack and evaluate how router vendors and their customers respond.
In theory, BestBuy’s strategy could be to test the response of firmware providers and router manufacturers. With the data gathered from this campaign, he could then design and develop more sophisticated ransomware.
However, none of the security researchers contacted by Motherboard had found a router infected by BestBuy’s malware. Pen Test Partners researcher Andrew Tierney said it is more probable that the hacker tampered with one of the firmware updates from a router manufacturer or software provider.
While Intel Global Communications stated that the company’s newly designed fix could solve the issue, the Intel development team has not provided a roadmap or timeline for distributing it.