The LizardStresser botnet, originally created by hacker group Lizard Squad, has now found a favoured place among hackers. An increasing number of criminals are using the botnet to target and hijack Internet of Things (IoT) devices to launch distributed denial of service (DDoS) attacks on banking, gaming and government websites.

Security firm Arbour Networks has since been tracking LizardStresser's activities since the botnet's source code was released to the public in 2015. The firm has noted "two disturbing trends" – the botnet has seen a steady rise in command and control (C&C) servers throughout 2016 and users are hijacking IoT devices by accessing them using default passwords their owners fail to change.

Arbour Network's Mathew Bing said in a company blog post: "Utilising the cumulative bandwidth available to these IoT devices, one group of threat actors has been able to launch attacks as large as 400Gbps targeting gaming sites world-wide, Brazilian financial institutions, ISPs and government institutions."

Coincidentally, the weapon of choice for threat actors when leveraging IoT devices, appear to be web cameras. Arbour Networks threat intelligence and response manager Kirk Soluk opined that since most users do not regularly interact using web cameras, they are more likely to not notice webcams being incorporated into a botnet, SCMagazine reported.

"While smartphones certainly have their security issues, it's worthwhile noting that they typically aren't running with remote management protocols using default usernames and passwords," Soluk explained. He also added that LizardStresser uses telnet brute-force techniques to access the devices. The hack uses a list of possible usernames and passwords, which are automatically sent to devices on a trial and error basis, until a login is achieved. Once a hacker has logged in to the IoT device, it is connected to a C&C server.

Hackers use LizardStresser botnet to target and hijack IoT devices and launch DDoS attacks
LizardStresser’s source code was released to the public in 2015 iStock

An analysis of LizardStresser's activities indicates a group of English-speaking hackers in Brazil have launched a massive DDoS attack using thousands of IoT connected devices, located primarily in Brazil and Vietnam.

"LizardStresser is becoming the botnet-du-jour for IoT devices given how easy it is for threat actors to make minor tweaks to telnet scanning. With minimal research into IoT device default passwords, they are able to enlist an exclusive group of victims into their botnets," Arbour Networks warned.

What is a DoS attack?

During a denial of service (DoS) or a distributed denial of service (DDoS) attack, hackers attempt to overload a website's connections by sending in data requests from multiple sources. Most often hackers use a 'botnet' – internet-connected PCs that are compromised by malware – to send in the requests to visit the site, without the users' knowledge.

The huge number of requests, which can reach thousands per second, overload the ability of a website's server to respond, eventually causing an error message to appear instead of the site's pages.

Making a DDoS is relatively simple. Botnets are available to hire on websites not reachable via search engines (deep web) or on encrypted websites (the dark web).