More IoT botnets connected to DDoS attacks
Security researchers have found another botnet operation exploiting internet of things devices to carry out powerful distributed denial of service attacks, prompting calls for IoT device makers to improve security
Security researchers have discovered more powerful botnets exploiting internet of things (IoT) devices to carry out massive distributed denial of service (DDoS) attacks.
The malware behind these DDoS botnets that amass up to a million devices goes by many names, including Lizkebab, Bashlite, Torlus and gafgyt, according to the researchers. News of the IoT botnet comes just two months after researchers at Arbor Networks revealed that a LizardStresser* botnet was using IoT devices to launch DDoS attacks in Brazil and the US.
By targeting IoT devices using default passwords, the botnet grew large enough to launch a 400 Gbps attack without any form of amplification, the Arbor researchers said.
The attackers simply used the cumulative bandwidth available to the IoT devices they had infected with the LizardStresser malware.
Each Lizkebab botnet is capable of launching powerful DDoS attacks and spreads to new hosts by scanning for vulnerable devices in order to install the malware, the researchers said. Either the bots scan ports for telnet servers and attempt to brute-force the username and password to gain access to the device, or the attackers use external scanners to find and harvest new bots.
The second model adds a wide variety of infection methods, they said, including brute-forcing login credentials on SSH servers and exploiting known security weaknesses in other services. Once the attackers have gained access to a device, they simply attempt to run multiple versions of the malware for up to 12 device types until one executes. The researchers expect the infection techniques, scanning methods and overall sophistication to continue to evolve.
Security camera DVRs (digital video recorders), used to collect video from security cameras, are among the devices currently favoured by these bot herders, the researchers said. These devices often come configured with telnet and web interfaces enabled, and many are left configured with default credentials, making them easy to compromise.
Most of these devices run some version of embedded Linux, which, when combined with the bandwidth required to stream video, provides a "potent" class of DDoS bots, the researchers said.
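The infection pattern described above, a burst of failed telnet logins followed by a successful one from the same address, is visible in a device's own authentication log if the device keeps one. The script below is an added example, not code from the article or from Arbor Networks; it parses a constructed, hypothetical syslog-style line format (no real DVR vendor's format is assumed), flags source addresses that exceed a failure threshold inside a time window, and records whether a successful login followed the failures, which is the signal an operator would want to act on.

```python
"""Detect telnet brute-force activity against an IoT device from its auth log.

Added example, not from the article or Arbor Networks. The log line format,
the host name, the addresses and the usernames below are all constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical telnetd syslog format, documentation
# address ranges). One source hammers the device and finally gets in.
SAMPLE_LOG = """\
Aug 30 10:01:02 dvr01 telnetd[412]: login failed user=root from=203.0.113.7
Aug 30 10:01:03 dvr01 telnetd[412]: login failed user=admin from=203.0.113.7
Aug 30 10:01:03 dvr01 telnetd[412]: login failed user=root from=203.0.113.7
Aug 30 10:01:04 dvr01 telnetd[412]: login failed user=support from=203.0.113.7
Aug 30 10:01:05 dvr01 telnetd[412]: login failed user=admin from=203.0.113.7
Aug 30 10:01:06 dvr01 telnetd[412]: login ok user=root from=203.0.113.7
Aug 30 10:05:00 dvr01 telnetd[413]: login failed user=admin from=198.51.100.20
Aug 30 10:09:00 dvr01 telnetd[414]: login ok user=operator from=192.0.2.10
"""

# Regex for the constructed line format above.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse_events(lines, year=2016):
    """Turn log lines into (timestamp, result, user, source) tuples.

    syslog timestamps carry no year, so the caller supplies one. Lines that
    do not match the expected format are skipped rather than guessed at.
    """
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def find_bruteforce(events, threshold=4, window=timedelta(seconds=60)):
    """Return {source: finding} for sources with >= threshold failed logins
    inside any sliding window, plus whether a success followed the failures."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e[0])
        failures = [e for e in evs if e[1] == "failed"]
        flagged = False
        # Sliding window over the sorted failure timestamps.
        for i in range(len(failures)):
            j = i
            while j < len(failures) and failures[j][0] - failures[i][0] <= window:
                j += 1
            if j - i >= threshold:
                flagged = True
                break
        if not flagged:
            continue
        first_failure = failures[0][0]
        success_after = any(e[1] == "ok" and e[0] >= first_failure for e in evs)
        findings[src] = {
            "failures": len(failures),
            "usernames": sorted({e[2] for e in failures}),
            "success_after_failures": success_after,
        }
    return findings


def analyse(log_text=SAMPLE_LOG):
    """Convenience entry point: parse the text and return the findings."""
    return find_bruteforce(parse_events(log_text.splitlines()))


if __name__ == "__main__":
    for src, info in analyse().items():
        verdict = "COMPROMISED" if info["success_after_failures"] else "attempted"
        print(f"{src}: {info['failures']} failures, users={info['usernames']}, {verdict}")
```

The single failure from 198.51.100.20 stays below the threshold and is not reported, while 203.0.113.7 is reported with the successful `root` login that followed its failures. In practice the same logic is applied to centrally collected logs, since a compromised device cannot be trusted to keep its own; the thresholds and the regex are the parts to adapt to the device actually in use.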
* First, IoT devices typically run an embedded or stripped-down version of the Linux operating system, which means malware can easily be compiled for the target architecture, mostly ARM/MIPS/x86.
Second, IoT devices are likely to have total access to the internet without any bandwidth limitations or filtering.
Third, the stripped-down operating system and processing power in most IoT devices leaves less room for security features, including auditing, and most compromises go unnoticed by the owners.
Finally, to save engineering time, manufacturers of IoT devices sometimes re-use portions of hardware and software in different classes of device. As a result of this software re-use, the default passwords used to manage the device initially may be shared across different classes of device.
LizardStresser is a DDoS botnet written in the C programming language with a client designed to run on compromised Linux devices that connect to a hard-coded command and control (C&C) server.
The protocol is essentially a lightweight version of the internet relay chat (IRC) protocol, according to Arbor’s Matthew Bing. Infected clients will connect to the server and receive commands to launch DDoS attacks using a variety of attack methods. Clients can run arbitrary shell commands that are useful for downloading updated versions of LizardStresser or entirely different malware.
Clients can also connect to random IP addresses and attempt to log in via telnet using a list of hard-coded usernames and passwords as a propagation method. Successful logins are reported back to the C&C server for later assimilation into the botnet.