It's as destructive as it can get without actually frying the IoT device's circuits. To recover, victims must manually reinstall the device's firmware, a task too complicated for the majority of device owners.
It's expected that some owners will most likely throw devices away, thinking they've had a hardware failure without knowing that they've been hit by malware.
"It's using known default credentials for IoT devices to log in and kill the system," Cashdollar told ZDNet in an email today. "It's doing this by writing random data from /dev/random to any mounted storage it finds.
"I see in the binary it's calling fdisk -l which will list all disk partitions," Cashdollar added. "It then writes random data from /dev/random to any partitions it discovers."
"It's then deleting network configurations, [...] also, it's [running] rm -rf / which will delete anything it has missed."
"It also flushes all iptables entries adding one that DROPS all connections. Then halting or rebooting the device," the researcher said.
Attacks carried out from Iranian server
"It's targeting any Unix-like system with default login credentials," Cashdollar told us. "The binary I captured targets ARM devices. I noticed it also had a Bash shell version available to download which would target any architecture running a Unix like OS."
This also means Silex will trash Linux servers if they have Telnet ports open and if they're secured with poor or widely-used credentials.
"It appears the IP address that targeted my honeypot is hosted on a VPS server owned by novinvps.com, which is operated out of Iran," Cashdollar said when we inquired about the source of these attacks.
At the time of writing, the IP address has already been added on the URLhaus blacklist, after being reported by IoT malware researcher Rohit Bansal.
Who's behind the Silex malware?
With the help of NewSky Security researcher Ankit Anubhav, ZDNet reached out to the Silex malware author with a series of questions about his motives and grand master plan.
According to Anubhav, responsible for this destructive malware is a 14-year-old teenager going online by the pseudonym of Light Leafon.
Anubhav confirmed the hacker's identity by having him put a custom message on the Silex command and control (C&C) server, verifying that we were indeed talking to the actual Silex operator.
Prior to today, Light had created the HITO IoT botnet, and had been interviewed a month ago on an episode of Anubhav's podcast on IoT botnets and security.
Light said the project started as a joke but has now developed into a full-time project, and has abandoned the old HITO botnet for Silex.
The teenager said he plans to develop the malware further and add even more destructive functions.
"It will be reworked to have the original BrickerBot functionality," Light told Anubhav and ZDNet.
Plans include adding the ability to log into devices via SSH, besides the current Telnet hijacking capability. Further, Light also plans to incorporate exploits into Silex, giving the malware the ability to use vulnerabilities to break into devices, similar to how most IoT botnets operate today.
"My friend Skiddy and I are going to rework the whole bot," Light told us. "It is going to target every single publicly known exploit that Mirai or Qbot load."
The Janit0r motivated the attacks as a form of protest against owners of smart devices that, at the time, were constantly getting infected with the Mirai DDoS malware.
The BrickerBot author argued that it would be better if the devices were destroyed, rather than sit around as cannon fodder for DDoS botnets, and haunting the internet for years.
The Janit0r's year-long bricking got some internet service providers to secure their networks against some attack vectors, albeit BrickerBot's impact could never be fully quantified.
But unlike the Janit0r, Light did not offer any motive for his actions, as of now. He didn't put out a manifesto like the Janit0r did after BrickerBot attacks began, to justify any of his actions.
As of now, all of the Silex attacks appear to have been carried out as a joke, or out of malice.
But while Light's actions seem malicious and petty, Anubhav described the teenager as "one of the most prominent and talented IoT threat actors at the moment"
"Its impressive and at the same time sad that Light, being a minor, is utilizing his talent in an illegal way," the researcher told ZDNet earlier today.
The bad news for Light is that unlike the BrickerBot author, who left a minimal trail of footprints that authorities could follow, Light might have made several OpSec mistakes along the way that may end up costing him in the long run.